[vbox-dev] VBoxRT.so broken TEXTRELs since 4.3.16

Anna Fischer a.fischer at sirrix.com
Fri Feb 13 09:31:23 GMT 2015


Good morning,

We are running a hardened Gentoo with GRSecurity enabled. We have found out that since VBOX 4.3.16 there is a problem with /usr/lib64/virtualbox/VBoxRT.so which seems to have TEXTREL markings and therefore access to it is blocked by GRSec. We have previously run 4.3.12 and on that version, this problem has not been present. We have upgraded to 4.3.20 by now but the problem still persists. Has anyone ever experienced this before? 

I have checked the file with scanelf to see information on TEXTRELs:

# scanelf -t -T /usr/lib64/virtualbox/VBoxRT.so 
 TYPE   TEXTREL TEXTRELS FILE 
scanelf: scanelf_file_textrels(): ELF /usr/lib64/virtualbox/VBoxRT.so has TEXTREL markings but doesnt appear to have any real TEXTREL's !?
ET_DYN TEXTREL  /usr/lib64/virtualbox/VBoxRT.so

When I check all VBOX libs, I can see for sure that only VBoxRT.so is broken:

# scanelf -t -T /usr/lib64/virtualbox/VBox*     
 TYPE   TEXTREL TEXTRELS FILE 
ET_DYN    -     /usr/lib64/virtualbox/VBoxAuth.so 
ET_DYN    -     /usr/lib64/virtualbox/VBoxAuthSimple.so 
ET_DYN    -     /usr/lib64/virtualbox/VBoxDD.so 
ET_DYN    -     /usr/lib64/virtualbox/VBoxDD2.so 
ET_REL    -     /usr/lib64/virtualbox/VBoxDD2GC.gc 
ET_REL    -     /usr/lib64/virtualbox/VBoxDD2R0.r0 
ET_REL    -     /usr/lib64/virtualbox/VBoxDDGC.gc 
ET_REL    -     /usr/lib64/virtualbox/VBoxDDR0.r0 
ET_DYN    -     /usr/lib64/virtualbox/VBoxDDU.so 
ET_DYN    -     /usr/lib64/virtualbox/VBoxDbg.so 
ET_DYN    -     /usr/lib64/virtualbox/VBoxDragAndDropSvc.so 
ET_DYN    -     /usr/lib64/virtualbox/VBoxExtPackHelperApp 
ET_DYN    -     /usr/lib64/virtualbox/VBoxGuestControlSvc.so 
ET_DYN    -     /usr/lib64/virtualbox/VBoxGuestPropSvc.so 
ET_DYN    -     /usr/lib64/virtualbox/VBoxHeadless 
ET_DYN    -     /usr/lib64/virtualbox/VBoxHeadless.so 
ET_DYN    -     /usr/lib64/virtualbox/VBoxHostChannel.so 
ET_DYN    -     /usr/lib64/virtualbox/VBoxKeyboard.so 
ET_DYN    -     /usr/lib64/virtualbox/VBoxManage 
ET_DYN    -     /usr/lib64/virtualbox/VBoxNetAdpCtl 
ET_DYN    -     /usr/lib64/virtualbox/VBoxNetDHCP 
ET_DYN    -     /usr/lib64/virtualbox/VBoxNetDHCP.so 
ET_DYN    -     /usr/lib64/virtualbox/VBoxNetNAT 
ET_DYN    -     /usr/lib64/virtualbox/VBoxNetNAT.so 
ET_DYN    -     /usr/lib64/virtualbox/VBoxOGLhostcrutil.so 
ET_DYN    -     /usr/lib64/virtualbox/VBoxOGLhosterrorspu.so 
ET_DYN    -     /usr/lib64/virtualbox/VBoxOGLrenderspu.so 
ET_DYN    -     /usr/lib64/virtualbox/VBoxPython.so 
ET_DYN    -     /usr/lib64/virtualbox/VBoxPython2_7.so 
ET_DYN    -     /usr/lib64/virtualbox/VBoxREM.so 
scanelf: scanelf_file_textrels(): ELF /usr/lib64/virtualbox/VBoxRT.so has TEXTREL markings but doesnt appear to have any real TEXTREL's !?
ET_DYN TEXTREL  /usr/lib64/virtualbox/VBoxRT.so 
ET_DYN    -     /usr/lib64/virtualbox/VBoxSDL 
ET_DYN    -     /usr/lib64/virtualbox/VBoxSDL.so 
ET_DYN    -     /usr/lib64/virtualbox/VBoxSVC 
ET_DYN    -     /usr/lib64/virtualbox/VBoxSharedClipboard.so 
ET_DYN    -     /usr/lib64/virtualbox/VBoxSharedCrOpenGL.so 
ET_DYN    -     /usr/lib64/virtualbox/VBoxSharedFolders.so 
ET_DYN    -     /usr/lib64/virtualbox/VBoxTestOGL 
ET_DYN    -     /usr/lib64/virtualbox/VBoxTunctl 
ET_DYN    -     /usr/lib64/virtualbox/VBoxTuraya 
ET_DYN    -     /usr/lib64/virtualbox/VBoxTuraya.so 
ET_DYN    -     /usr/lib64/virtualbox/VBoxVMM.so 
ET_DYN    -     /usr/lib64/virtualbox/VBoxVMMPreload.so 
ET_DYN    -     /usr/lib64/virtualbox/VBoxXPCOM.so 
ET_DYN    -     /usr/lib64/virtualbox/VBoxXPCOMC.so 
ET_DYN    -     /usr/lib64/virtualbox/VBoxXPCOMIPCD

Due to this problem, I have to reconfigure my GRSec kernel to allow ELF relocations:

-# CONFIG_PAX_ELFRELOCS is not set
+CONFIG_PAX_ELFRELOCS=y
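
Review bot: `+CONFIG_PAX_ELFRELOCS=y` is a kernel build option, so it lifts the text-relocation restriction for every ELF object on the host, while the scanelf run above flags only VBoxRT.so and reports that it carries the marking without any real text relocations. A narrower change would leave the option unset and remove the stale TEXTREL marking from that one library in the VirtualBox build.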

If I set this kernel configuration option, I can successfully run VBOX. But it is only a workaround, and should really be fixed in VBOX.
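
The two things the scanelf warning above contrasts, the TEXTREL marking in the dynamic section and relocations that actually patch a non-writable segment, can be checked separately. The following is an added example, not part of the original post and not scanelf's code; it handles only ELF64 little-endian files and DT_RELA tables, `textrel_status` and `build_sample` are names made up here, and the sample image is constructed.

```python
import struct
PT_LOAD, PT_DYNAMIC, PF_W = 1, 2, 2
DT_NULL, DT_RELA, DT_RELASZ, DT_TEXTREL, DT_FLAGS, DF_TEXTREL = 0, 7, 8, 22, 30, 4

def textrel_status(elf: bytes):
    """Return (marked, real): is DT_TEXTREL/DF_TEXTREL set, and how many
    DT_RELA entries patch a PT_LOAD segment that is not writable."""
    if elf[:6] != b"\x7fELF\x02\x01":
        raise ValueError("only ELF64 little-endian is handled")
    phoff, = struct.unpack_from("<Q", elf, 0x20)
    phentsize, phnum = struct.unpack_from("<HH", elf, 0x36)
    # each entry: (type, flags, offset, vaddr, paddr, filesz, memsz, align)
    phdrs = [struct.unpack_from("<IIQQQQQQ", elf, phoff + i * phentsize)
             for i in range(phnum)]
    loads = [p for p in phdrs if p[0] == PT_LOAD]
    dyn = {}
    for p in (p for p in phdrs if p[0] == PT_DYNAMIC):
        for pos in range(p[2], p[2] + p[5], 16):
            tag, val = struct.unpack_from("<qQ", elf, pos)
            if tag == DT_NULL:
                break
            dyn[tag] = val
    marked = DT_TEXTREL in dyn or bool(dyn.get(DT_FLAGS, 0) & DF_TEXTREL)
    real = 0
    if DT_RELA in dyn:  # DT_RELA is a virtual address; map it to a file offset
        seg = next(s for s in loads if s[3] <= dyn[DT_RELA] < s[3] + s[5])
        base = seg[2] + dyn[DT_RELA] - seg[3]
        for pos in range(base, base + dyn.get(DT_RELASZ, 0), 24):
            r_offset, = struct.unpack_from("<Q", elf, pos)
            hit = [s for s in loads if s[3] <= r_offset < s[3] + s[6]]
            real += bool(hit) and not hit[0][1] & PF_W
    return marked, real

def build_sample(marked: bool, reloc_target: int) -> bytes:
    """Constructed test image: R+X segment at 0x0, R+W segment at 0x1000."""
    tags = [(DT_RELA, 0x1100), (DT_RELASZ, 24)]
    tags += [(DT_TEXTREL, 0)] * marked + [(DT_NULL, 0)]
    dyn = b"".join(struct.pack("<qQ", *t) for t in tags)
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, 3, 0, 0, 0)
    def ph(ptype, flags, addr, size):  # file offset == vaddr in this image
        return struct.pack("<IIQQQQQQ", ptype, flags, addr, addr, addr, size, size, 0x1000)
    head = ehdr + ph(PT_LOAD, 5, 0, 0x1000) + ph(PT_LOAD, 6, 0x1000, 0x200) \
        + ph(PT_DYNAMIC, 6, 0x1000, len(dyn))
    img = bytearray(0x1200)
    img[:len(head)] = head
    img[0x1000:0x1000 + len(dyn)] = dyn
    img[0x1100:0x1118] = struct.pack("<QQq", reloc_target, 8, 0)  # one RELA entry
    return bytes(img)
```

A result of `(True, 0)` corresponds to the case scanelf reports for VBoxRT.so: the marking is present but no relocation touches a non-writable segment.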



