grsecurity forums

Sep 15 09:10:34 quad kernel: grsec: From 213.139.xx: signal 11 sent to /home/max/tss2_rc2/server_linux[server_linux:18831] uid/euid:1003/1003 gid/egid:1003/1003, parent /home/max/tss2_rc2/teamspeak2-server_startscript[teamspeak2-serv:18830] uid/euid:1003/1003 gid/egid:1003/1003
Sep 15 09:10:34 quad kernel: grsec: From 213.139.xx: signal 11 sent to /home/max/tss2_rc2/server_linux[server_linux:18831] uid/euid:1003/1003 gid/egid:1003/1003, parent /home/max/tss2_rc2/teamspeak2-server_startscript[teamspeak2-serv:18830] uid/euid:1003/1003 gid/egid:1003/1003
Sep 15 09:10:34 quad kernel: server_linux[18831] general protection eip:805217f esp:bf894ee0 error:0
Sep 15 09:10:34 quad kernel: grsec: From 213.139.xx: signal 11 sent to /home/max/tss2_rc2/server_linux[server_linux:18831] uid/euid:1003/1003 gid/egid:1003/1003, parent /home/max/tss2_rc2/teamspeak2-server_startscript[teamspeak2-serv:18830] uid/euid:1003/1003 gid/egid:1003/1003
Sep 15 09:10:34 quad kernel: grsec: From 213.139.xx: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /home/max/tss2_rc2/server_linux[server_linux:18831] uid/euid:1003/1003 gid/egid:1003/1003, parent /home/max/tss2_rc2/teamspeak2-server_startscript[teamspeak2-serv:18830] uid/euid:1003/1003 gid/egid:1003/1003

----[ chpax 0.7 : Current flags for /home/max/ts2/server_linux (pemrxs) ]----

* Paging based PAGE_EXEC : disabled
* Trampolines : not emulated
* mprotect() : not restricted
* mmap() base : not randomized
* ET_EXEC base : not randomized
* Segmentation based PAGE_EXEC : disabled

dermax wrote:I recently have some problems with grsec (2.6.24.2, grsecurity-2.1.11-2.6.24.2-200802131959.patch, security option "High"). Since I recompiled the kernel yesterday, a teamspeak server which worked before ceases to work:

As suggested I modified with "chpax" the rights for the application (-pemrxs) - the error output is still identical.

Can someone tell me what I have to do to disable any grsec restrictions on a specific application?

do you mean that the same kernel with same config worked before?

you could verify that if you tried it on a vanilla kernel (you should also use a newer kernel for grsec, .24 is no longer supported).

you could run the TS binary in gdb and when it breaks on the segfault, issue a few commands like: 'bt', 'i r', 'x/8i $pc', 'x/8x $sp', etc.

Code: Select all

(gdb) run
Starting program: /home/max/ts2/server_linux
(no debugging symbols found)
(no debugging symbols found)
[Thread debugging using libthread_db enabled]
[New Thread -1209891136 (LWP 26621)]
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1209891136 (LWP 26621)]
0x0821af37 in ?? ()
(gdb)

(gdb) bt
#0  0x0821af37 in ?? ()
#1  0x0804f884 in @DbgEvalFrame ()
#2  0x0804c72b in @DbgEvalFrame ()
#3  0x0804c870 in @DbgEvalFrame ()
#4  0x08053560 in @DbgEvalFrame ()
#5  0x080535ee in @DbgEvalFrame ()
#6  0xb7e3dea8 in __libc_start_main () from /lib/tls/libc.so.6
#7  0x08053644 in @DbgEvalFrame ()
(gdb)


(gdb) i r
eax            0x821af4c        136425292
ecx            0x82317d8        136517592
edx            0x82317fc        136517628
ebx            0x0      0
esp            0xbfcfd2c0       0xbfcfd2c0
ebp            0xbfcfd2d4       0xbfcfd2d4
esi            0x8105c84        135289988
edi            0x6c     108
eip            0x821af37        0x821af37 <Portions Copyright (c) 1983,2002 Borland Software Corporation+1865935>
eflags         0x210206 [ PF IF RF ID ]
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51
(gdb)

(gdb) x/8i $pc
0x821af37 <Portions Copyright (c) 1983,2002 Borland Software Corporation+1865935>:      addl   $0xffffffdc,0x4(%esp)
0x821af3c <Portions Copyright (c) 1983,2002 Borland Software Corporation+1865940>:      jmp    0x804f994 <@DbgEvalFrame+13996>
0x821af41 <Portions Copyright (c) 1983,2002 Borland Software Corporation+1865945>:      addl   $0xffffffdc,0x4(%esp)
0x821af46 <Portions Copyright (c) 1983,2002 Borland Software Corporation+1865950>:      jmp    0x804f9a8 <@DbgEvalFrame+14016>
0x821af4b <Portions Copyright (c) 1983,2002 Borland Software Corporation+1865955>:      int3
0x821af4c <Portions Copyright (c) 1983,2002 Borland Software Corporation+1865956>:      sub    $0x370821af,%eax
0x821af51 <Portions Copyright (c) 1983,2002 Borland Software Corporation+1865961>:      scas   %es:(%edi),%eax
0x821af52 <Portions Copyright (c) 1983,2002 Borland Software Corporation+1865962>:      and    %ecx,(%eax)


(gdb) x/8x $sp
0xbfcfd2c0:     0x0804f884      0x082317fc      0x0822f7f4      0x082317fc
0xbfcfd2d0:     0x08073996      0xbfcfd2f0      0x0804c72b      0x0000000d


dermax wrote:

do you mean that the same kernel with same config worked before?

Basically yes, the only changed option was CONFIG_HIGHMEM64G to "yes".

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1209891136 (LWP 26621)]
0x0821af37 in ?? ()