Opened 10 years ago
Closed 10 years ago
#13826 closed defect (worksforme)
VBoxRT.so has TEXTREL markings and therefore cannot be loaded on GRSec enabled kernel
Reported by: | Anna | Owned by: | |
---|---|---|---|
Component: | other | Version: | VirtualBox 4.3.20 |
Keywords: | grsec | Cc: | |
Guest type: | all | Host type: | Linux |
Description
We are running a hardened Gentoo with GRSecurity enabled. We have found out that since VBOX 4.3.16 there is a problem with /usr/lib64/virtualbox/VBoxRT.so which seems to have TEXTREL markings and therefore access to it is blocked by GRSec. We have previously run 4.3.12 and on that version, this problem has not been present. We have upgraded to 4.3.20 by now but the problem still persists. Has anyone ever experienced this before?
Our system: Linux Gentoo hardened profile, GRSec enabled kernel version 3.14.23.
I have checked the file with scanelf to see information on TEXTRELs:
# scanelf -t -T /usr/lib64/virtualbox/VBoxRT.so
TYPE TEXTREL TEXTRELS FILE
scanelf: scanelf_file_textrels(): ELF /usr/lib64/virtualbox/VBoxRT.so has TEXTREL markings but doesnt appear to have any real TEXTREL's !?
ET_DYN TEXTREL /usr/lib64/virtualbox/VBoxRT.so
When I check all VBOX libs, I can see for sure that only VBoxRT.so is broken:
# scanelf -t -T /usr/lib64/virtualbox/VBox*
TYPE TEXTREL TEXTRELS FILE
ET_DYN - /usr/lib64/virtualbox/VBoxAuth.so
ET_DYN - /usr/lib64/virtualbox/VBoxAuthSimple.so
ET_DYN - /usr/lib64/virtualbox/VBoxDD.so
ET_DYN - /usr/lib64/virtualbox/VBoxDD2.so
ET_REL - /usr/lib64/virtualbox/VBoxDD2GC.gc
ET_REL - /usr/lib64/virtualbox/VBoxDD2R0.r0
ET_REL - /usr/lib64/virtualbox/VBoxDDGC.gc
ET_REL - /usr/lib64/virtualbox/VBoxDDR0.r0
ET_DYN - /usr/lib64/virtualbox/VBoxDDU.so
ET_DYN - /usr/lib64/virtualbox/VBoxDbg.so
ET_DYN - /usr/lib64/virtualbox/VBoxDragAndDropSvc.so
ET_DYN - /usr/lib64/virtualbox/VBoxExtPackHelperApp
ET_DYN - /usr/lib64/virtualbox/VBoxGuestControlSvc.so
ET_DYN - /usr/lib64/virtualbox/VBoxGuestPropSvc.so
ET_DYN - /usr/lib64/virtualbox/VBoxHeadless
ET_DYN - /usr/lib64/virtualbox/VBoxHeadless.so
ET_DYN - /usr/lib64/virtualbox/VBoxHostChannel.so
ET_DYN - /usr/lib64/virtualbox/VBoxKeyboard.so
ET_DYN - /usr/lib64/virtualbox/VBoxManage
ET_DYN - /usr/lib64/virtualbox/VBoxNetAdpCtl
ET_DYN - /usr/lib64/virtualbox/VBoxNetDHCP
ET_DYN - /usr/lib64/virtualbox/VBoxNetDHCP.so
ET_DYN - /usr/lib64/virtualbox/VBoxNetNAT
ET_DYN - /usr/lib64/virtualbox/VBoxNetNAT.so
ET_DYN - /usr/lib64/virtualbox/VBoxOGLhostcrutil.so
ET_DYN - /usr/lib64/virtualbox/VBoxOGLhosterrorspu.so
ET_DYN - /usr/lib64/virtualbox/VBoxOGLrenderspu.so
ET_DYN - /usr/lib64/virtualbox/VBoxPython.so
ET_DYN - /usr/lib64/virtualbox/VBoxPython2_7.so
ET_DYN - /usr/lib64/virtualbox/VBoxREM.so
scanelf: scanelf_file_textrels(): ELF /usr/lib64/virtualbox/VBoxRT.so has TEXTREL markings but doesnt appear to have any real TEXTREL's !?
ET_DYN TEXTREL /usr/lib64/virtualbox/VBoxRT.so
ET_DYN - /usr/lib64/virtualbox/VBoxSDL
ET_DYN - /usr/lib64/virtualbox/VBoxSDL.so
ET_DYN - /usr/lib64/virtualbox/VBoxSVC
ET_DYN - /usr/lib64/virtualbox/VBoxSharedClipboard.so
ET_DYN - /usr/lib64/virtualbox/VBoxSharedCrOpenGL.so
ET_DYN - /usr/lib64/virtualbox/VBoxSharedFolders.so
ET_DYN - /usr/lib64/virtualbox/VBoxTestOGL
ET_DYN - /usr/lib64/virtualbox/VBoxTunctl
ET_DYN - /usr/lib64/virtualbox/VBoxTuraya
ET_DYN - /usr/lib64/virtualbox/VBoxTuraya.so
ET_DYN - /usr/lib64/virtualbox/VBoxVMM.so
ET_DYN - /usr/lib64/virtualbox/VBoxVMMPreload.so
ET_DYN - /usr/lib64/virtualbox/VBoxXPCOM.so
ET_DYN - /usr/lib64/virtualbox/VBoxXPCOMC.so
ET_DYN - /usr/lib64/virtualbox/VBoxXPCOMIPCD
Due to this problem, I have to reconfigure my GRSec kernel to allow ELF relocations:
-# CONFIG_PAX_ELFRELOCS is not set +CONFIG_PAX_ELFRELOCS=y
If I set this kernel configuration option, I can successfully run VBOX. But it is only a workaround, and should really be fixed in VBOX.
Change History (2)
comment:1 by , 10 years ago
comment:2 by , 10 years ago
Resolution: | → worksforme |
---|---|
Status: | new → closed |
I saw your answer on vbox-dev. Short summary: The Gentoo patches add the -nopie option to the gcc parameters. This will prevent the generation of position-independent code. This must be the reason for the TEXTRELs. And I verified that our official packages don't contain TEXTRELs.
As already asked on the vbox-dev mailing list, I would like to know which package you are using (exact package name and where you got it from, please).