Hi,
I've encountered some wierd behaviour of exec logging with
linux 2.4.19+grsec1.9.7 and grsec1.9.7b:
~# gradm -E
grsec: Loaded grsecurity 1.9.7
~# gradm -a
Password:
grsec: successful change to admin mode by (gradm:506) UID(0) EUID(0), parent (zsh:392) UID(0) EUID(0)
~# cd /proc/sys/kernel/grsecurity
/proc/sys/kernel/grsecurity# echo 1 >> exec_logging
/proc/sys/kernel/grsecurity# cat exec_logging
<6>grsec: exec of [03:01:41841] (@u*AX>y@cat exec_logging ) by (zsh:516) UID(0) EUID(0), parent (zsh:392) UID(0) EUID(0)
/proc/sys/kernel/grsecurity# ls
grsec: exec of [03:01:42070] (`Db@l}`@ls ) by (zsh:578) UID(0) EUID(0), parent (zsh:392) UID(0) EUID(0)
This is what i get to syslog:
kernel: grsec: exec of [03:01:42070] (`D^C���\201�\200ls ) by (zsh:578) UID(0) EUID(0), parent (zsh:392) UID(0) EUID(0)
something obviously goes wrong and causes those wierd chars there..
here's maybe even a bigger issue:
/proc/sys/kernel/grsecurity# cat *
grsec: exec of [03:01:41841] (@s*Ap=y@cat acl altered_pings audit_chdir audit_ipc audit_moun) by (zsh:517) UID(0) EUID(0), parent (zsh:392) UID(0) EUID(0)
Unable to handle kernel paging request at virtual address ffffffff
printing eip:
ffffffff
*pde = 00001063
*pte = 00000000
Oops: 0000
CPU: 0
EIP: 0010:[<ffffffff>] Not tainted
EFLAGS: 00010212
eax: fffffff2 ebx: c0f93ef4 ecx: 0001fc80 edx: 0001fc80
esi: c0f93df0 edi: c0f93df0 ebp: 00000000 esp: c0f93f08
ds: 0018 es: 0018 ss: 0018
Process zsh (pid: 517, stackpage=c0f93000)
Stack: ffffffff ffffffff 00000023 00000018 c1151000 00000000 00000000 c0f93f44
c0107693 c1151000 22ced678 5d0a94fc c0f93f4c c0f92000 080c9c78 5d0a00cc
c0108993 5d0a019c 22ced678 5d0a94fc 080c9c78 5d0a019c 5d0a00cc 0000000b
Call Trace: [<c0107693>] [<c0108993>]
Code: Bad EIP value.
zsh: 517 segmentation fault cat *
/proc/sys/kernel/grsecurity#
Everything works fine when exec_logging is disabled.
Looks like a big bug in the exec logging code to me.
Any ideas?
--
Tuomas Silen
tuomas@silen.eu.org