grsec + java + signal 11


Post by Wurstteppich » Mon Sep 19, 2005 3:50 pm

Morning everyone,

I still have a problem with a hardened kernel and a Java application I run on a server.
My /var/log/critical/* is filling with error messages like those below:

Sep 16 16:12:59 [kernel] grsec: From 84.x.x.x: signal 11 sent to /opt/sun-jre-bin-1.5.0.04/bin/java[java:25967] uid/euid:1002/1002 gid/egid:100/100, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Sep 16 16:13:00 [kernel] grsec: From 200.x.x.x: signal 11 sent to /opt/sun-jre-bin-1.5.0.04/bin/java[java:15654] uid/euid:1002/1002 gid/egid:100/100, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Sep 16 16:18:22 [kernel] grsec: From 82.x.x.x: signal 11 sent to /opt/sun-jre-bin-1.5.0.04/bin/java[java:11995] uid/euid:1002/1002 gid/egid:100/100, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Sep 16 16:20:03 [kernel] grsec: From 151.x.x.x: signal 11 sent to /opt/sun-jre-bin-1.5.0.04/bin/java[java:17771] uid/euid:1002/1002 gid/egid:100/100, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Sep 16 16:22:24 [kernel] grsec: From 128.x.x.x: signal 11 sent to /opt/sun-jre-bin-1.5.0.04/bin/java[java:24246] uid/euid:1002/1002 gid/egid:100/100, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Sep 16 16:23:03 [kernel] grsec: From 200.x.x.x: signal 11 sent to /opt/sun-jre-bin-1.5.0.04/bin/java[java:22643] uid/euid:1002/1002 gid/egid:100/100, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Sep 16 16:23:22 [kernel] grsec: From 151.x.x.x: signal 11 sent to /opt/sun-jre-bin-1.5.0.04/bin/java[java:31400] uid/euid:1002/1002 gid/egid:100/100, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Sep 16 16:23:46 [kernel] grsec: From 80.x.x.x: signal 11 sent to /opt/sun-jre-bin-1.5.0.04/bin/java[java:4265] uid/euid:1002/1002 gid/egid:100/100, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0


Installed Java: sun-jre-bin-1.5.0.04
Installed Kernel: hardened-sources-2.6.11-r15
Application: http://www.powerfolder.com
Distro: Gentoo 2005.1 + NPTL (world + system up-to-date)

I used the following guide to change the ELF binaries of java to work with PAX:

http://www.gentoo.org/proj/en/hardened/hardenedfaq.xml#paxjava

The Java application itself is a tool to synchronize files with multiple clients over the LAN/WAN. The application is running, though I have a feeling that it gets limited by the grsec extensions, since it sometimes has internal problems running the hardened extended servers. I can't say which because I am not a programmer. It's normal that it lists so many different IPs because it connects to a lot of hosts asking for status updates or just checking the availability.

So my questions are:

1) What do these critical log messages mean?
2) How do I get rid of them? (If I should disable a grsec option, I am OK with it; I just want to get rid of those error messages and possible reasons for the program to not work properly.)


As I stated above, I followed the guide on using chpax on the Java binaries and also added chpax to the default runlevel. Here is my kernel config regarding grsec and PaX:

#
# Grsecurity
#
CONFIG_GRKERNSEC=y
# CONFIG_GRKERNSEC_LOW is not set
# CONFIG_GRKERNSEC_MEDIUM is not set
# CONFIG_GRKERNSEC_HIGH is not set
CONFIG_GRKERNSEC_CUSTOM=y

#
# Address Space Protection
#
# CONFIG_GRKERNSEC_KMEM is not set
# CONFIG_GRKERNSEC_IO is not set
CONFIG_GRKERNSEC_PROC_MEMMAP=y
# CONFIG_GRKERNSEC_BIGMEM is not set
# CONFIG_GRKERNSEC_BRUTE is not set
CONFIG_GRKERNSEC_HIDESYM=y

#
# Role Based Access Control Options
#
CONFIG_GRKERNSEC_ACL_HIDEKERN=y
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30

#
# Filesystem Protections
#
CONFIG_GRKERNSEC_PROC=y
# CONFIG_GRKERNSEC_PROC_USER is not set
CONFIG_GRKERNSEC_PROC_USERGROUP=y
CONFIG_GRKERNSEC_PROC_GID=10
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y

#
# Kernel Auditing
#
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
CONFIG_GRKERNSEC_EXECLOG=y
CONFIG_GRKERNSEC_RESLOG=y
CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
CONFIG_GRKERNSEC_AUDIT_CHDIR=y
CONFIG_GRKERNSEC_AUDIT_MOUNT=y
CONFIG_GRKERNSEC_AUDIT_IPC=y
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_TIME=y
CONFIG_GRKERNSEC_PROC_IPADDR=y
# CONFIG_GRKERNSEC_AUDIT_TEXTREL is not set

#
# Executable Protections
#
CONFIG_GRKERNSEC_EXECVE=y
CONFIG_GRKERNSEC_SHM=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_RANDPID=y
# CONFIG_GRKERNSEC_TPE is not set

#
# Network Protections
#
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_RANDSRC=y
# CONFIG_GRKERNSEC_SOCKET is not set

#
# Sysctl support
#
CONFIG_GRKERNSEC_SYSCTL=y
CONFIG_GRKERNSEC_SYSCTL_ON=y

#
# Logging Options
#
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=4

#
# PaX
#
CONFIG_PAX=y

#
# PaX Control
#
# CONFIG_PAX_SOFTMODE is not set
CONFIG_PAX_EI_PAX=y
CONFIG_PAX_PT_PAX_FLAGS=y
CONFIG_PAX_NO_ACL_FLAGS=y
# CONFIG_PAX_HAVE_ACL_FLAGS is not set
# CONFIG_PAX_HOOK_ACL_FLAGS is not set

#
# Non-executable pages
#
CONFIG_PAX_NOEXEC=y
# CONFIG_PAX_PAGEEXEC is not set
CONFIG_PAX_SEGMEXEC=y
CONFIG_PAX_EMUTRAMP=y
CONFIG_PAX_MPROTECT=y
# CONFIG_PAX_NOELFRELOCS is not set

#
# Address Space Layout Randomization
#
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
CONFIG_PAX_NOVSYSCALL=y
# CONFIG_KEYS is not set
# CONFIG_SECURITY is not set


I know that there are x threads in this forum about signal 11 and Java, but I can't get any useful information out of them. If I should provide more information, debug reports, etc., just tell me how and I will post them here.

Best regards

Wurstteppich
Wurstteppich
 
Posts: 4
Joined: Mon Sep 19, 2005 3:39 pm

Post by SG » Mon Sep 19, 2005 11:23 pm

I had problems with Java too. I simply used the 'chpax' utility on java and javac.
The flags for chpax are:
-p
-m
-r
-x
-s

You will find chpax on the grsec or PaX site.
SG
 
Posts: 18
Joined: Thu Dec 09, 2004 2:32 am

Post by Wurstteppich » Tue Sep 20, 2005 2:01 am

Thanks for the suggestion, but since I already did that (take a look at the link to the hardened Gentoo site above) and it's still not working, it must be something else.
Wurstteppich
 
Posts: 4
Joined: Mon Sep 19, 2005 3:39 pm

Post by SG » Tue Sep 20, 2005 3:51 am

1.
I read it:
Code Listing 3.3: Java Chpax Options
chpax -pemrxs /opt/*-jdk-*/{jre,}/bin/*

But old versions of chpax don't apply more than one flag. I may be mistaken, but
I remember this problem from one year ago. Execute chpax -v java and make sure all flags are cleared.

2.
Try executing java as root. If all is OK, then find the restrictions for user uid:1002.

3.
Also try changing kernel.shmmax in sysctl.conf,
for example:
kernel.shmmax = 100000000
and execute sysctl -p

This is only 32Mb by default.

I don't have any problems with Java and grsec patches for 2.4/2.6 kernels.
SG
 
Posts: 18
Joined: Thu Dec 09, 2004 2:32 am

Post by PaX Team » Tue Sep 20, 2005 1:22 pm

Wurstteppich wrote: Thanks for the suggestion, but since I already did that (take a look at the link to the hardened Gentoo site above) and it's still not working, it must be something else.
no one knows why java crashes until someone debugs it, and there's only so much we can do after disabling PaX on it...
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

I also have this problem

Post by dirls028 » Fri Sep 23, 2005 2:45 am

oracle+grsec:
The messages are like this:
Sep 21 23:09:59 kernel: grsec: (default:D:/) signal 11 sent to /home/oracle/product/10.1.0/db_1/jdk/bin/java[java:3204] uid/euid:504/504 gid/egid:504/504, parent /home/oracle/product/10.1.0/db_1/perl/bin/perl[perl:3135] uid/euid:504/504 gid/egid:504/504
Sep 22 00:00:02 kernel: grsec: (default:D:/) signal 11 sent to /home/oracle/product/10.1.0/db_1/jdk/bin/java[java:13638] uid/euid:504/504 gid/egid:504/504, parent /home/oracle/product/10.1.0/db_1/perl/bin/perl[perl:3135] uid/euid:504/504 gid/egid:504/504

//------------------------------------------------------
Sep 22 00:26:15 kernel: grsec: From 202.XXX: (default:D:/) denied connect() to the unix domain socket /dev/log by /usr/sbin/pppd[pppd:14199] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/pptpctrl[pptpctrl:14198] uid/euid:0/0 gid/egid:0/0
Sep 22 00:26:15 kernel: grsec: From 202.XXX: (default:D:/) denied open of /dev/ppp for reading writing by /usr/sbin/pppd[pppd:14199] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/pptpctrl[pptpctrl:14198] uid/euid:0/0 gid/egid:0/0
//-------------------------------------------------------
Maybe the pppd was protected by grsec, and the normal users can't kill the daemon, so grsec alerts us? How to solve all of these problems? Thanks
dirls028
 
Posts: 8
Joined: Wed Sep 07, 2005 1:25 am
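
Added example, not part of any poster's message: a Python parser for the grsec signal-audit lines quoted in this thread, accepting both the "From <ip>:" form from the first post and the "(default:D:/)" form from the post above. The sample lines are constructed (documentation IP ranges); grouping by binary, uid and signal shows whether the crashes are confined to one account, which is the distinction SG's step 2 tests.

```python
import re

# Matches grsec signal-audit lines. The "From <ip>: " tag and the parenthesised
# label such as "(default:D:/)" are both optional, as seen in this thread.
GRSEC_SIGNAL = re.compile(
    r"grsec: (?:From (?P<ip>\S+): )?(?:\((?P<label>[^)]*)\) )?"
    r"signal (?P<signal>\d+) sent to "
    r"(?P<path>\S+)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+) gid/egid:\d+/\d+, "
    r"parent (?P<ppath>\S+)\[(?P<pcomm>[^:\]]+):(?P<ppid>\d+)\]"
)

# Constructed sample lines modelled on the thread (documentation IP ranges).
SAMPLE = [
    "Sep 16 16:12:59 [kernel] grsec: From 192.0.2.10: signal 11 sent to /opt/sun-jre-bin-1.5.0.04/bin/java[java:25967] uid/euid:1002/1002 gid/egid:100/100, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0",
    "Sep 16 16:13:00 [kernel] grsec: From 198.51.100.7: signal 11 sent to /opt/sun-jre-bin-1.5.0.04/bin/java[java:15654] uid/euid:1002/1002 gid/egid:100/100, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0",
    "Sep 21 23:09:59 kernel: grsec: (default:D:/) signal 11 sent to /home/oracle/product/10.1.0/db_1/jdk/bin/java[java:3204] uid/euid:504/504 gid/egid:504/504, parent /home/oracle/product/10.1.0/db_1/perl/bin/perl[perl:3135] uid/euid:504/504 gid/egid:504/504",
    "Sep 22 00:26:15 kernel: grsec: From 203.0.113.5: (default:D:/) denied open of /dev/ppp for reading writing by /usr/sbin/pppd[pppd:14199] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/pptpctrl[pptpctrl:14198] uid/euid:0/0 gid/egid:0/0",
]

def parse_signal_event(line):
    """Return the fields of one signal line as a dict, or None for other messages."""
    m = GRSEC_SIGNAL.search(line)
    if m is None:
        return None
    ev = m.groupdict()
    for key in ("signal", "pid", "uid", "euid", "ppid"):
        ev[key] = int(ev[key])
    return ev

def summarize(lines):
    """Group events by (binary, uid, signal) with a count, tagged IPs and parents."""
    groups = {}
    for line in lines:
        ev = parse_signal_event(line)
        if ev is None:
            continue  # e.g. "denied open of ..." lines are not signal events
        group = groups.setdefault((ev["path"], ev["uid"], ev["signal"]),
                                  {"count": 0, "ips": set(), "parents": set()})
        group["count"] += 1
        if ev["ip"]:
            group["ips"].add(ev["ip"])
        group["parents"].add(ev["pcomm"])
    return groups

if __name__ == "__main__":
    for (path, uid, sig), g in summarize(SAMPLE).items():
        print(f"{path} uid={uid} signal={sig} count={g['count']} "
              f"ips={sorted(g['ips'])} parents={sorted(g['parents'])}")
```
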

Post by Wurstteppich » Tue Oct 04, 2005 6:22 am

2.
Try executing java as root. If all is OK, then find the restrictions for user uid:1002.


That solved the problem. But how can I find restrictions for that user account now? I mean, where are the typical places to look for restrictions or enhance the user rights (since I didn't restrict them since useradd..)?
Wurstteppich
 
Posts: 4
Joined: Mon Sep 19, 2005 3:39 pm

Post by SG » Wed Oct 05, 2005 10:49 am

It is work for a good sysadmin. Read the logs, think and try. I also suggest using 'strace'.
SG
 
Posts: 18
Joined: Thu Dec 09, 2004 2:32 am

