
java and grsecurity workaround.

Posted: Wed Aug 31, 2005 6:09 am
by marcolinuz
hello,

I have a Debian 3.1 (sarge) server with tomcat (5.5.x) and (java 1.5.0_04) and some other services.

I applied the grsecurity patch to my 2.4.31 kernel and ran chpax -emrspx on the java and javac executables in the $JAVA_HOME/bin and $JAVA_HOME/jre/bin directories.

The problem of the random and continuous messages:
--------8<------------8<-------------------8<----------
Aug 31 11:29:05 localhost kernel: grsec: From xx.xx.xx.xx: signal 11 sent to /webjail/.../java[java:21790] uid/euid:33/33 gid/egid:33/33, parent /webjail/..//java[java:11314] uid/euid:33/33 gid/egid:33/33
--------8<------------8<-------------------8<----------

Still remained until I disabled the "-server" flag on the command line of the java executable.
In the end I have deduced that the implementation of the Java Hot-Spot optimizations conflicts with the security rules of grsecurity. :(

So, I will look for some other flag to add to chpax that prevents this behaviour.. ;)

Bye

java and grsecurity workaround.. update.

Posted: Thu Sep 01, 2005 4:41 am
by marcolinuz
Hello,

I did some tests with different versions of java and application servers and I found that JAVA 1.5 still continues to produce the "kill" messages, even if rarely.

These are the results of my tests:

JDK 1.4.2_08 + (tomcat or jetty):
- without the "-server" option on the java command line, everything goes fine (no messages related to grsecurity).
- with the "-server" option on the java command line, the messages appear very frequently in my kern.log.

JDK 1.5.0_04 + (tomcat or jetty):
- without the "-server" option on the java command line, everything goes better but the warnings still remain, even if rarely, in my kern.log (I think that java 1.5 enables by default some features of HOT_SPOT that java 1.4 didn't).
- with the "-server" option on the java command line, the messages appear very frequently in my kern.log.

Hope this is useful for someone.
bye.

Re: java and grsecurity workaround.. update.

Posted: Fri Sep 02, 2005 8:25 am
by PaX Team
marcolinuz wrote: I did some tests with different versions of java and application servers and I found that JAVA 1.5 still continues to produce the "kill" messages, even if rarely.
since you have PaX disabled on java, i can hardly imagine how it would be the cause for these crashes, i think you're more likely running into LinuxThreads bugs (i remember the times when running the "Hello World" java equivalent in a loop would crash every now and then). one thing you can try is an NPTL glibc and kernel 2.6, at least for a test.

Posted: Tue Sep 19, 2006 7:10 am
by dbvis44
i am thinking about using the latest jdk1.5 along with tomcat 5.5. does it still have the issue with grsecurity? I haven't tried yet, I am hoping you can save me some time.

jdk5 update 8 (jdk-1_5_0_08) on centos 4.4

Posted: Tue Sep 19, 2006 11:03 am
by tosh
Hello.
I am using a desktop-related java app (jedit) and occasionally see the same "signal 11 sent" message in the logs.

Java works fine after chpax -emrspx on the java executables and I think it has nothing to do with pax, maybe that's how java works, I don't know.

Grsecurity causes that message in the logs - in fact it is doing it as you have configured it to do so :-). Just check the output of sysctl -a and look for:
kernel.grsecurity.signal_logging = 1

Try changing its value to "0". Of course you will not see other, maybe useful, information about signals sent.
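
Added example (not part of any post in this thread): rather than switching signal_logging off, the grsec "signal N sent to" lines can be tallied per executable, signal and parent PID to see how often a given JVM is actually hit. The regex follows the one kern.log line quoted above; the sample lines, paths and addresses are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Layout taken from the single kern.log line quoted in the thread. Treating the
# "From <ip>:" prefix as optional is an assumption, as is the format being the
# same on other grsecurity versions.
PROC = (r"(?P<{0}exe>.+?)\[(?P<{0}comm>[^:\]]+):(?P<{0}pid>\d+)\] "
        r"uid/euid:(?P<{0}uid>\d+)/(?P<{0}euid>\d+) gid/egid:\d+/\d+")
GRSEC_SIGNAL = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ kernel: grsec: "
    r"(?:From (?P<src>\S+): )?signal (?P<sig>\d+) sent to "
    + PROC.format("") + ", parent " + PROC.format("p_")
)
INT_FIELDS = ("sig", "pid", "uid", "euid", "p_pid", "p_uid", "p_euid")


def parse_signal_line(line):
    """Return a dict for a grsec signal-logging line, or None for anything else."""
    m = GRSEC_SIGNAL.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec.update({k: int(rec[k]) for k in INT_FIELDS})
    return rec


def summarize(lines):
    """Count logged signals per (target executable, signal, parent PID)."""
    counts = Counter()
    for rec in filter(None, map(parse_signal_line, lines)):
        counts[(rec["exe"], rec["sig"], rec["p_pid"])] += 1
    return counts


# Constructed sample lines (not taken from a real system).
TAIL = " uid/euid:33/33 gid/egid:33/33, parent /opt/example/jre/bin/java[java:11314] uid/euid:33/33 gid/egid:33/33"
SAMPLE_LOG = [
    "Aug 31 11:29:05 localhost kernel: grsec: From 192.0.2.10: signal 11 sent to /opt/example/jre/bin/java[java:21790]" + TAIL,
    "Sep  1 09:02:41 localhost kernel: grsec: From 192.0.2.10: signal 11 sent to /opt/example/jre/bin/java[java:21802]" + TAIL,
    "Sep  1 09:05:00 localhost kernel: grsec: signal 4 sent to /usr/bin/example[example:300] uid/euid:1000/1000 "
    "gid/egid:1000/1000, parent /bin/bash[bash:250] uid/euid:1000/1000 gid/egid:1000/1000",
    "Sep  1 09:06:12 localhost kernel: eth0: link up",  # unrelated kernel message
]

if __name__ == "__main__":
    for (exe, sig, ppid), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:4d}  signal {sig:2d}  {exe}  (parent pid {ppid})")
```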