grsecurity forums

[adriano]

I'm working on deploying grsecurity on a few systems right now but ran into a problem with MySQL. Let me list my software and versions and other relevant information.

Kernel version - 2.4.22 (2.4.23 and above seems to have problems with RHEL3 on Dell Poweredge 2650 servers, depmod -A locks system)
MySQL version - 4.1.3 (I'm aware that it's alpha but according to the politics here where I work, I 'must' use it) I have the same problem with 4.0.20 besides.
Grsecurity version - 2.0-rc3

Okay, now I'll explain the problem. MySQL will run fine when it's compiled without SSL, which means I also didn't have to enable dynamic libraries, which I'm guessing is the problem here. After compiling with SSL (need it for replication) it segfaults every time. I'll include the libraries it was built with.

librt.so.1 => /lib/tls/librt.so.1 (0x40022000)
libdl.so.2 => /lib/libdl.so.2 (0x40036000)
libssl.so.4 => /lib/libssl.so.4 (0x40039000)
libcrypto.so.4 => /lib/libcrypto.so.4 (0x4006e000)
libpthread.so.0 => /lib/tls/libpthread.so.0 (0x4015f000)
libz.so.1 => /usr/lib/libz.so.1 (0x4016f000)
libcrypt.so.1 => /lib/libcrypt.so.1 (0x4017e000)
libnsl.so.1 => /lib/libnsl.so.1 (0x401ab000)
libm.so.6 => /lib/tls/libm.so.6 (0x401c0000)
libc.so.6 => /lib/tls/libc.so.6 (0x401e2000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
libgssapi_krb5.so.2 => /usr/kerberos/lib/libgssapi_krb5.so.2 (0x40319000)
libkrb5.so.3 => /usr/kerberos/lib/libkrb5.so.3 (0x4032c000)
libcom_err.so.3 => /usr/kerberos/lib/libcom_err.so.3 (0x4038b000)
libk5crypto.so.3 => /usr/kerberos/lib/libk5crypto.so.3 (0x4038d000)
libresolv.so.2 => /lib/libresolv.so.2 (0x4039d000)

To attempt disabling all PaX options, I did a chpax -pemrxs /usr/sbin/mysqld, but I still have the same problem. When doing an strace, this is what I get...

mmap2(NULL, 8392704, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x42488000
mprotect(0x42488000, 4096, PROT_NONE) = 0
clone(child_stack=0x42c88b08, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID|CLONE_DETACHED, parent_tidptr=0x42c88bf8, {entry_number:0, base_addr:0x42c88bb0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}, child_tidptr=0x42c88bf8) = 2435
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++

Lastly, I'll include the relevant parts of the kernel .config. I'm new to using grsecurity, so I'm sorry if I've overlooked something obvious.

# Grsecurity
#
CONFIG_GRKERNSEC=y
CONFIG_CRYPTO=y
CONFIG_CRYPTO_SHA256=y
# CONFIG_GRKERNSEC_LOW is not set
# CONFIG_GRKERNSEC_MID is not set
# CONFIG_GRKERNSEC_HI is not set
CONFIG_GRKERNSEC_CUSTOM=y

#
# Address Space Protection
#
CONFIG_GRKERNSEC_PAX_NOEXEC=y
CONFIG_GRKERNSEC_PAX_PAGEEXEC=y
CONFIG_GRKERNSEC_PAX_SEGMEXEC=y
# CONFIG_GRKERNSEC_PAX_EMUTRAMP is not set
# CONFIG_GRKERNSEC_PAX_MPROTECT is not set
CONFIG_GRKERNSEC_PAX_ASLR=y
CONFIG_GRKERNSEC_PAX_RANDUSTACK=y
CONFIG_GRKERNSEC_PAX_RANDMMAP=y
CONFIG_GRKERNSEC_PAX_RANDEXEC=y
# CONFIG_GRKERNSEC_KMEM is not set
CONFIG_GRKERNSEC_IO=y
CONFIG_RTC=y
# CONFIG_GRKERNSEC_PROC_MEMMAP is not set
# CONFIG_GRKERNSEC_HIDESYM is not set

#
# Role Based Access Control Options
#
CONFIG_GRKERNSEC_ACL_HIDEKERN=y
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30

#
# Filesystem Protections
#
CONFIG_GRKERNSEC_PROC=y
# CONFIG_GRKERNSEC_PROC_USER is not set
CONFIG_GRKERNSEC_PROC_USERGROUP=y
CONFIG_GRKERNSEC_PROC_GID=10
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
# CONFIG_GRKERNSEC_CHROOT_CHDIR is not set
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
# CONFIG_GRKERNSEC_CHROOT_UNIX is not set
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y

#
# Kernel Auditing
#
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
# CONFIG_GRKERNSEC_EXECLOG is not set
CONFIG_GRKERNSEC_RESLOG=y
# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
# CONFIG_GRKERNSEC_AUDIT_MOUNT is not set
# CONFIG_GRKERNSEC_AUDIT_IPC is not set
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_TIME=y
# CONFIG_GRKERNSEC_PROC_IPADDR is not set

#
# Executable Protections
#
CONFIG_GRKERNSEC_EXECVE=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_RANDPID=y
# CONFIG_GRKERNSEC_TPE is not set

#
# Network Protections
#
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_RANDISN=y
CONFIG_GRKERNSEC_RANDID=y
CONFIG_GRKERNSEC_RANDSRC=y
CONFIG_GRKERNSEC_RANDRPC=y
# CONFIG_GRKERNSEC_SOCKET is not set

#
# Sysctl support
#
CONFIG_GRKERNSEC_SYSCTL=y

#
# Logging options
#
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=4


EDIT: It runs fine on a vanilla kernel by the way.

[PaX Team]

# CONFIG_GRKERNSEC_PAX_MPROTECT is not set

what happens if you enable it (running without MPROTECT used to be buggy as it was not the expected use of PaX and hence less tested back then)? also, i'd note that you're using an old version of PaX/grsecurity which saw bugfixes since (e.g., PaX didn't handle properly file mappings over 4GB which might bite you especially with databases), if at all possible, try to update to current cvs or the next release for 2.4.27.

[adriano]

# CONFIG_GRKERNSEC_PAX_MPROTECT is not set

what happens if you enable it (running without MPROTECT used to be buggy as it was not the expected use of PaX and hence less tested back then)? also, i'd note that you're using an old version of PaX/grsecurity which saw bugfixes since (e.g., PaX didn't handle properly file mappings over 4GB which might bite you especially with databases), if at all possible, try to update to current cvs or the next release for 2.4.27.

Thanks for the suggestion, it didn't fix the problem though. I'll try updating to a newer version and see if that does the trick.

[adriano]

# CONFIG_GRKERNSEC_PAX_MPROTECT is not set

what happens if you enable it (running without MPROTECT used to be buggy as it was not the expected use of PaX and hence less tested back then)? also, i'd note that you're using an old version of PaX/grsecurity which saw bugfixes since (e.g., PaX didn't handle properly file mappings over 4GB which might bite you especially with databases), if at all possible, try to update to current cvs or the next release for 2.4.27.

Sorry to be a nuisance, but is there any documentation on patching an older kernel with newer grsecurity source?

[PaX Team]

Thanks for the suggestion, it didn't fix the problem though. I'll try updating to a newer version and see if that does the trick.

what happens if you disable NPTL (which i think your system is using given the presence of /lib/tls/ in that strace)? http://people.redhat.com/~drepper/assumekernel.html

[adriano]

Thanks for the suggestion, it didn't fix the problem though. I'll try updating to a newer version and see if that does the trick.

what happens if you disable NPTL (which i think your system is using given the presence of /lib/tls/ in that strace)? http://people.redhat.com/~drepper/assumekernel.html

Thanks a lot, that did it. Using LinuxThreads now works fine.