Mailing List Archive

grsec warnings and segfaults during emerging world
Hello!


After several years of "regular" Gentoo I decided to move to Hardened
Gentoo using grsecurity & PaX.

I tried initially the XT marking, but I switched back to PT marking
because of bug #465000.

Everything seems fine and seems to work, but I noticed some weird logs
in the kernel log when I did yesterday an "emerge -e @world".

I observed that for several packages in the configure step grsec is
reporting resource overstep denials. But what really concerns me are the 2
segfaults: readline and gcc. Please see attached kern.log file. What
confuses me is that both packages build fine beside these errors.

Is this "normal" for grsec hardened kernels? Should I just ignore those
grsec messages and segfaults? I would really appreciate some hints about
these.

I attached also my kernel options related to security.

Regards,
Balint Szente
Re: grsec warnings and segfaults during emerging world
What marking does grub-probe lose during install?
What marking python needs?

I have to admit: I keep the good old chpax init.d and conf.d file, but
modified it to make it up-to-date...
--
dr Tóth Attila, Radiológus, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057

On Tuesday, April 23, 2013 at 09:03, SZENTE Balint wrote:
> Hello!
>
>
> After several years of "regular" Gentoo I decided to move to Hardened
> Gentoo using grsecurity & PaX.
>
> I tried initially the XT marking, but I switched back to PT marking
> because of bug #465000.
>
> Everything seems fine and seems to work, but I noticed some weird logs
> in the kernel log when I did yesterday an "emerge -e @world".
>
> I observed that for several packages in the configure step grsec is
> reporting resource overstep denials. But what really concerns me are the 2
> segfaults: readline and gcc. Please see attached kern.log file. What
> confuses me is that both packages build fine beside these errors.
>
> Is this "normal" for grsec hardened kernels? Should I just ignore those
> grsec messages and segfaults? I would really appreciate some hints about
> these.
>
> I attached also my kernel options related to security.
>
> Regards,
> Balint Szente
>
Re: grsec warnings and segfaults during emerging world
On Tue, April 23, 2013 20:51, "Tóth Attila" wrote:
> What marking does grub-probe lose during install?

From the grub-2.00-r2.ebuild:
pax-mark -mpes "${grub_binaries[@]}"

> What marking python needs?

pax-mark m python

But these have nothing to do with the segfault. It happens for me with XT and
PT markings as well.

Can somebody confirm that on grsec with pax kernel simply
# emerge -1 gcc
will generate the segfault, like in my grsec log, however the build will not
fail?

I am on x86_64, with everything latest stable.
Re: grsec warnings and segfaults during emerging world
Haven't looked into this specific message, but I guess you shouldn't
worry about it too much. The denials (ulimits) would also occur on
gentoo-sources (or every other kernel, for that matter), they just
wouldn't be recorded. And most probably it's the same with the
segfault. It happens always, you just don't get a message about it on
non-hardened kernels. You might want to check out if the segfaults
happen during the run of an autoconf script or something similar
which just checks for some exotic system configuration. I've also
encountered more than one mysterious segfault...


--
Luis
aranea@aixah.de
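
A way to run the check suggested above, that is, whether a logged segfault or resource denial came from an autoconf test program inside the build directory, sketched as an added example that is not part of the original thread. The log lines are constructed in the style of grsecurity kernel messages (the attached kern.log is not reproduced on this page), the package directory `readline-X.Y` and the `exampled` binary are placeholders, and `/var/tmp/portage/` is assumed as the Portage build directory.

```python
import re
from collections import Counter

# Constructed sample lines; paths, PIDs and addresses are made up for illustration.
SAMPLE_LOG = """\
kernel: grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /var/tmp/portage/sys-libs/readline-X.Y/work/readline-X.Y/conftest[conftest:4121] uid/euid:250/250 gid/egid:250/250, parent /bin/bash[configure:4098] uid/euid:250/250 gid/egid:250/250
kernel: grsec: Segmentation fault occurred at 0000000000000000 in /var/tmp/portage/sys-libs/readline-X.Y/work/readline-X.Y/conftest[conftest:4121] uid/euid:250/250 gid/egid:250/250, parent /bin/bash[configure:4098] uid/euid:250/250 gid/egid:250/250
kernel: grsec: Segmentation fault occurred at 000003a5c0ffee00 in /usr/sbin/exampled[exampled:5210] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
"""

BUILD_ROOT = "/var/tmp/portage/"  # assumption: default Portage build directory

# Matches the two message kinds discussed in the thread and pulls out the
# faulting binary, its task name, and the parent's task name.
EVENT = re.compile(
    r"grsec: (?P<what>Segmentation fault occurred at \S+ in"
    r"|denied resource overstep by requesting \d+ for (?P<rlimit>RLIMIT_\w+)"
    r" against limit \d+ for) "
    r"(?P<exe>/\S+?)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\].*?"
    r"parent (?P<pexe>/\S+?)\[(?P<pcomm>[^:\]]+):\d+\]"
)

def classify(line):
    """Return (kind, executable, verdict) for a grsec event line, else None."""
    m = EVENT.search(line)
    if not m:
        return None
    if m["what"].startswith("Segmentation"):
        kind = "segfault"
    else:
        kind = "rlimit:" + m["rlimit"]
    # A conftest binary under the build root, started by a configure script,
    # is a feature probe; anything else deserves a closer look.
    probe = (m["exe"].startswith(BUILD_ROOT)
             and m["comm"] == "conftest"
             and m["pcomm"] == "configure")
    return kind, m["exe"], "configure-probe" if probe else "investigate"

def triage(log_text):
    """Classify every grsec event in the text and count the verdicts."""
    results = [c for c in map(classify, log_text.splitlines()) if c]
    return results, Counter(verdict for _, _, verdict in results)

if __name__ == "__main__":
    events, summary = triage(SAMPLE_LOG)
    for kind, exe, verdict in events:
        print(f"{verdict:16} {kind:18} {exe}")
    print(dict(summary))
```

The path and task-name match is a heuristic for sorting a noisy build log, so events it marks `investigate` (installed binaries, daemons, anything outside the build tree) are the ones to follow up on.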
Re: grsec warnings and segfaults during emerging world
I've seen this also. Everything seems to work fine. I believe I've seen it on
386 with XT also.

B G
On Apr 23, 2013 2:45 PM, "Luis Ressel" <aranea@aixah.de> wrote:

> Haven't looked into this specific message, but I guess you shouldn't
> worry about it too much. The denials (ulimits) would also occur on
> gentoo-sources (or every other kernel, for that matter), they just
> wouldn't be recorded. And most probably it's the same with the
> segfault. It happens always, you just don't get a message about it on
> non-hardened kernels. You might want to check out if the segfaults
> happen during the run of an autoconf script or something similar
> which just checks for some exotic system configuration. I've also
> encountered more than one mysterious segfault...
>
>
> --
> Luis
> aranea@aixah.de
>
Re: grsec warnings and segfaults during emerging world
Thank you very much for your replies.

Both segfaults (readline and gcc) happened during the run of some autoconf
scripts. For readline it happened in src_configure step. However, in case of
gcc it happened by the end of src_compile step when running some autoconf
script right after the gcc stage 2 and 3 were compared.

Ok, then I will not worry about these messages.

Regards,
Balint

On Tue, April 23, 2013 22:51, Mr G wrote:
> I've seen this also. Everything seems to work fine. I believe I've seen it on
> 386 with XT also.
>
> B G
> On Apr 23, 2013 2:45 PM, "Luis Ressel" <aranea@aixah.de> wrote:
>
>> Haven't looked into this specific message, but I guess you shouldn't
>> worry about it too much. The denials (ulimits) would also occur on
>> gentoo-sources (or every other kernel, for that matter), they just
>> wouldn't be recorded. And most probably it's the same with the
>> segfault. It happens always, you just don't get a message about it on
>> non-hardened kernels. You might want to check out if the segfaults
>> happen during the run of an autoconf script or something similar
>> which just checks for some exotic system configuration. I've also
>> encountered more than one mysterious segfault...
Re: grsec warnings and segfaults during emerging world
By the way: If you value your mental health and are not one of those
insanes^Wgeniuses, I'd recommend you to stay away from the toolchain
build process. Far away.

;)


--
Luis
aranea@aixah.de