grsec error related to shmat() / shared memory

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Postby chenull » Sun Apr 04, 2010 7:05 am

Hello again,

My grsec kernel is in learning mode now. When I tried to run a webserver with PHP + Zend Optimizer, it gets an error saying that shmat() failed: Permission denied.
Here are the last lines of my strace:

[code]munmap(0xb70ae000, 4096) = 0
shmget(IPC_PRIVATE, 524288, 0600) = 1015836
shmat(1015836, 0, 0) = -1 EACCES (Permission denied)
write(2, "shmat() failed: Permission deni"..., 35shmat() failed: Permission denied
) = 35
write(2, "Failed to start up concurrent us"..., 44Failed to start up concurrent users module!
) = 44
brk(0x878e000) = 0x878e000
brk(0x87b0000) = 0x87b0000
brk(0x87d1000) = 0x87d1000
brk(0x87f2000) = 0x87f2000
brk(0x8813000) = 0x8813000
munmap(0xb7508000, 266240) = 0
brk(0x8866000) = 0x8866000
setitimer(ITIMER_PROF, {it_interval={0, 0}, it_value={0, 0}}, NULL) = 0
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV (core dumped) +++
root@baron [/usr/local/lsws/fcgi-bin]#
[/code]

Every time I execute strace and then run the ipcs command, the shm id is still in memory. It's not destroyed. I have searched related posts here in the forum and mailing list but am still out of clues as to what is happening.

Thanks in advance
chenull
 
Posts: 7
Joined: Fri Apr 02, 2010 3:01 pm
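
The shmget()/shmat() pair from the strace above, isolated into a stand-alone probe; this is an added example, not part of the original post, and the names probe_private_shm, probe_name and the probe_result enum are hypothetical. It reports which call fails and with what errno, and it marks the segment with IPC_RMID so nothing is left behind in ipcs.

```c
/* Added example: replays the shmget()/shmat() pair seen in the strace. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/ipc.h>
#include <sys/shm.h>

/* Hypothetical names, introduced for this example only. */
enum probe_result { PROBE_OK, PROBE_SHMGET_FAILED, PROBE_SHMAT_FAILED, PROBE_RMID_FAILED };

static const char *probe_name(enum probe_result r)
{
    static const char *names[] = { "ok", "shmget failed", "shmat failed", "IPC_RMID failed" };
    return names[r];
}

/* On failure *err holds the errno of the call that failed; on success it is 0. */
static enum probe_result probe_private_shm(size_t size, int *err)
{
    *err = 0;
    int id = shmget(IPC_PRIVATE, size, 0600);     /* same arguments as in the strace */
    if (id == -1) { *err = errno; return PROBE_SHMGET_FAILED; }

    void *addr = shmat(id, NULL, 0);              /* the call that returned EACCES */
    int at_errno = (addr == (void *)-1) ? errno : 0;

    /* SysV segments outlive their creator unless removed, so mark the segment
     * for destruction whether or not the attach worked. */
    int rm_errno = (shmctl(id, IPC_RMID, NULL) == -1) ? errno : 0;

    if (at_errno) { *err = at_errno; return PROBE_SHMAT_FAILED; }
    memset(addr, 0xA5, size);                     /* confirm the mapping is writable */
    shmdt(addr);                                  /* with IPC_RMID set, last detach frees it */
    if (rm_errno) { *err = rm_errno; return PROBE_RMID_FAILED; }
    return PROBE_OK;
}

int main(void)
{
    int err;
    enum probe_result r = probe_private_shm(524288, &err);   /* size from the strace */
    printf("%s%s%s\n", probe_name(r), err ? ": " : "", err ? strerror(err) : "");
    return r == PROBE_OK ? 0 : 1;
}
```

Run it as the same user as the failing PHP process and compare the result with the kernel log at the same timestamp.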

Re: grsec error related to shmat() / shared memory

Postby spender » Sun Apr 04, 2010 10:07 am

A couple questions:

What kernel version is it?
Does it only happen with RBAC enabled or in learning mode?
Do you have CONFIG_GRKERNSEC_CHROOT_FINDTASK enabled?
If it only happens under RBAC/learning mode, are you using full learning?
If you're not using full learning, paste your subject for apache. It likely has the "protect shared memory" flag set on it, and the process that's attempting to connect to the shared memory doesn't have the same subject as apache.
Are there any grsec logs? If it was denied by RBAC, there should be.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: grsec error related to shmat() / shared memory

Postby chenull » Sun Apr 04, 2010 11:40 pm

A couple questions:

What kernel version is it?
2.6.32.10

Does it only happen with RBAC enabled or in learning mode?
-yes

Do you have CONFIG_GRKERNSEC_CHROOT_FINDTASK enabled?

Well, I chose the default config with medium level, and when I looked at my config, yes, it is enabled.
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y


If it only happens under RBAC/learning mode, are you using full learning?

yes
[code]gradm -F -L /etc/grsec/learning.log[/code]


If you're not using full learning, paste your subject for apache. It likely has the "protect shared memory" flag set on it, and the process that's attempting to connect to the shared memory doesn't have the same subject as apache.

I am new to grsec. I think it will take some time before I can learn how to use the config file.

Are there any grsec logs? If it was denied by RBAC, there should be.

[code]Apr  4 18:12:58 baron kernel: [ 2421.331362] grsec: (default:D:/) denied load of writable library /SYSV00000000 by /usr/local/lsws/fcgi-bin/lsphp-5.2.13[lsphp5:7280] uid/euid:506/506 gid/egid:503/503, parent /usr/local/lsws/bin/lshttpd.4.0.13[lshttpd:3744] uid/euid:99/99 gid/egid:99/99
Apr  4 18:12:58 baron kernel: [ 2421.341386] lsphp5[7280]: segfault at 110 ip b737cfbe sp bffff090 error 4 in ZendOptimizer.so[b7343000+14b000]
[/code]
chenull
 
Posts: 7
Joined: Fri Apr 02, 2010 3:01 pm

Re: grsec error related to shmat() / shared memory

Postby spender » Mon Apr 05, 2010 5:49 pm

Do you have hugetlb support enabled in the kernel?

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: grsec error related to shmat() / shared memory

Postby chenull » Tue Apr 06, 2010 3:00 am

yes.

CONFIG_HUGETLBFS=y
CONFIG_HUGETLB_PAGE=y

I've tried to disable CONFIG_GRKERNSEC_CHROOT_FINDTASK, but still get the same error. I guess it's just because the PHP binary is not chroot'ed.
chenull
 
Posts: 7
Joined: Fri Apr 02, 2010 3:01 pm

Re: grsec error related to shmat() / shared memory

Postby chenull » Tue Apr 06, 2010 3:38 am

I've tried to disable hugetlb too, still got the same error :(
Stuck.

Anyway, when using the hugetlb-disabled kernel, gradm -S shows nothing:
[code]root@baron [/usr/src/kernels/linux-2.6.32.10]# gradm -S
root@baron [/usr/src/kernels/linux-2.6.32.10]# echo $?
0
[/code]
chenull
 
Posts: 7
Joined: Fri Apr 02, 2010 3:01 pm

Re: grsec error related to shmat() / shared memory

Postby chenull » Tue Apr 06, 2010 3:50 am

According to a post in:
http://www.grafxsoftware.com/faq.php/HO ... erver/1/4/

A grsec kernel will work fine with Zend Optimizer, but the Zend binary must be "execstack -c" first. My setup is quite the same as the environment in that post (CentOS + grsec (ASL) + Plesk + Apache webserver). I've tried clearing the exec stack bit too, but since my problem is not something related to RELRO, it made no difference. The only difference in my setup is that I am not using ASL. Or should I try ASL?

For Mr. Brad, or anybody else: do you have an old grsec kernel archive? At least before November 2009, as that post is dated Nov 2009.

Thank you
chenull
 
Posts: 7
Joined: Fri Apr 02, 2010 3:01 pm

Re: grsec error related to shmat() / shared memory

Postby spender » Tue Apr 06, 2010 5:53 pm

gradm -S should only return without printing anything if grsecurity isn't compiled in, or if the RBAC system has been disabled via config option. I've updated the gradm package so that it'll print out this case as well. Are you certain that the kernel you compiled had support built in for both grsecurity and the RBAC system? Did you get the same
[code]Apr 4 18:12:58 baron kernel: [ 2421.331362] grsec: (default:D:/) denied load of writable library /SYSV00000000 by /usr/local/lsws/fcgi-bin/lsphp-5.2.13[lsphp5:7280] uid/euid:506/506 gid/egid:503/503, parent /usr/local/lsws/bin/lshttpd.4.0.13[lshttpd:3744] uid/euid:99/99 gid/egid:99/99
[/code]
error as before?

Could you mail me the kernel .config with hugetlb support disabled (spender@grsecurity.net)?

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

