grsecurity forums

Skip to content

grsec stops SIGALRM?

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.
Topic locked

grsec stops SIGALRM?

Postby sebastianw » Wed Jun 01, 2005 3:59 pm

Hi,

I'm using ulog-acctd to log ip traffic data. This worked fine until I switched to grsec for 2.4.30. Suddenly(after ca. 30 minutes running) the process doesn't get ALRM signals anymore (which it uses to dump data to a file), so the file is no longer written. Could grsec be the cause?
sebastianw
 
Posts: 1
Joined: Wed Jun 01, 2005 3:54 pm
Top

SIGALRM

Postby marcolinuz » Wed Aug 31, 2005 4:16 am

Hello,

Recently I wrote a little daemon thet sets continuosly alarms (SIGALRM) for his works but grsecurity kernel seems to randomly ignore my alarm() calls.

So I try to use setitimer() instead of alarm() in my sources.
I'm still in testing of the changes, but things seems to works better.

Bye.
marcolinuz
 
Posts: 6
Joined: Wed Aug 31, 2005 4:06 am
Top

Re: SIGALRM

Postby PaX Team » Wed Aug 31, 2005 7:52 am

marcolinuz wrote:Recently I wrote a little daemon thet sets continuosly alarms (SIGALRM) for his works but grsecurity kernel seems to randomly ignore my alarm() calls.
give the 2.4 CVS a try, spender fixed a signal handling related bug there a week ago.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm
Top

Where is CVS?

Postby marcolinuz » Fri Sep 02, 2005 7:05 am

Excuse me..

But, where is the CVS repository? :oops:

Anyway, I couldn't connect directly to it because I'm behind a transparent proxy that I can't control. :(
Can you send me (or post here) the diff of the fix? :roll:

Thanks!
By MCM.
marcolinuz
 
Posts: 6
Joined: Wed Aug 31, 2005 4:06 am
Top

Re: Where is CVS?

Postby PaX Team » Fri Sep 02, 2005 7:24 am

marcolinuz wrote:But, where is the CVS repository? :oops:
right on the front page:http://www.grsecurity.net/cvs.php
Anyway, I couldn't connect directly to it because I'm behind a transparent proxy that I can't control. :(
Can you send me (or post here) the diff of the fix? :roll:
i think it's here:http://cvsweb.grsecurity.net/index.cgi/grsecurity2.old/kernel/signal.c, rev 1.4-1.7.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm
Top

Postby Zubolg » Sat Sep 03, 2005 5:33 pm

I've tried this patch against 2.6.11.12-gr2.1.6 and it's only slightly better, the problem is still there.

My problems are on pop/imap servers using nfs. Processes are using sigalarm to kill idle connections.
With a 2.4 with grsec 1.9, no problem at all.
With a 2.6.11.12 with grsec 2.1.6, the server load increases to critical level in about 4 hours.
With the fix added, the server need about 12 hours to reach the same load.

The symptoms are still the same: Processes stay in D state.
When I attempt a strace on them, they take their time to wake up, and then receive the signal and die (that's what they're supposed to do in the first place).

Hope that'll help.
Zubolg
 
Posts: 3
Joined: Sat Sep 03, 2005 5:26 pm
Top

Postby spender » Tue Sep 06, 2005 8:09 pm

What patch did you try? The patch the user posted was to a 2.4 kernel, which wouldn't work on a 2.6 kernel. Did the patch reject (there would be a kernel/signal.c.rej file if so)?

You can try the 2.6 patch in http://grsecurity.net/~spender/ to be sure.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
Top

Postby Zubolg » Wed Sep 07, 2005 5:05 am

I used the grsecurity226.old tree diff of course :wink:
Sorry I'm not that dumb :x

I'll try the latest beta patch anyway.
Zubolg
 
Posts: 3
Joined: Sat Sep 03, 2005 5:26 pm
Top

Postby Zubolg » Thu Sep 08, 2005 9:41 am

Looks ok for now, up for 4 hours and no processes in D state...
But I also lowered HZ and disabled kernel preempt completely.
Maybe there's a bad mix beetween signals, grsec, nfs and preempt?
Zubolg
 
Posts: 3
Joined: Sat Sep 03, 2005 5:26 pm
Top
Topic locked

Return to grsecurity support

Powered by phpBB® Forum Software © phpBB Group