2.6.38.3: cannot make segment writable for relocation
Posted: Mon Apr 18, 2011 3:26 pm
I rolled a grsec/pax 2.6.38.3 today. Everything booted just fine, ACL loads just fine. I did have one quirk though. On boxes that have been running 2.6.38.2 up till this morning (and pretty much every previous grsec-able kernel in the recent past), I'm getting the following when trying to start up apache:
(slightly redacted, so ignore any path weirdness)
httpd: Syntax error on line 94 of /etc/apache/conf/httpd.conf: Cannot load /usr/lib/apache2/modules/mod_perl.so into server: /usr/lib/apache2/modules/mod_perl.so: cannot make segment writable for relocation: Permission denied
strace shows:
mprotect(0xa03d6000, 1675264, PROT_READ|PROT_WRITE) = -1 EACCES (Permission denied)
On 2.6.38.2 and earlier, this loads just fine. I've tinkered with mprotect protections in chpax with no improvement (on both mod_perl.so and the httpd binary itself). I also gave CONFIG_PAX_MPROTECT_COMPAT a try, for the heck of it, with no improvement.
The next thing to try would be to disable CONFIG_PAX_MPROTECT but I figured before doing something that precipitous, I should probably ask here. I'm more than happy to post whatever info would be helpful.
I see there's a lot of PAX-related changes from pax-linux-2.6.38.2-test5.patch to pax-linux-2.6.38.2-test9.patch. Any changes I need to make related to those? Thanks!
(slightly redacted, so ignore any path weirdness)
httpd: Syntax error on line 94 of /etc/apache/conf/httpd.conf: Cannot load /usr/lib/apache2/modules/mod_perl.so into server: /usr/lib/apache2/modules/mod_perl.so: cannot make segment writable for relocation: Permission denied
strace shows:
mprotect(0xa03d6000, 1675264, PROT_READ|PROT_WRITE) = -1 EACCES (Permission denied)
On 2.6.38.2 and earlier, this loads just fine. I've tinkered with mprotect protections in chpax with no improvement (on both mod_perl.so and the httpd binary itself). I also gave CONFIG_PAX_MPROTECT_COMPAT a try, for the heck of it, with no improvement.
The next thing to try would be to disable CONFIG_PAX_MPROTECT but I figured before doing something that precipitous, I should probably ask here. I'm more than happy to post whatever info would be helpful.
I see there's a lot of PAX-related changes from pax-linux-2.6.38.2-test5.patch to pax-linux-2.6.38.2-test9.patch. Any changes I need to make related to those? Thanks!