grsecurity forums

I've just upgraded to 4.4.2-hardened from 4.3.5-hardened-r2.
Upon reboot I see messages like these in log:

Code: Select all

grsec: failed fork with errno EAGAIN by /usr/sbin/laptop_mode
grsec: failed fork with errno EAGAIN by /lib64/udev/usb_modeswitch
grsec: failed fork with errno EAGAIN by /usr/lib64/systemd/systemd-udevd


Taking a look at on fork's man page I see this:

Code: Select all

EAGAIN
fork() cannot allocate sufficient memory to copy the parent's page tables and allocate a task structure for the child.
EAGAIN
It was not possible to create a new process because the caller's RLIMIT_NPROC resource limit was encountered. To exceed this limit, the process must have either the CAP_SYS_ADMIN or the CAP_SYS_RESOURCE capability.
ENOMEM
fork() failed to allocate the necessary kernel structures because memory is tight.


Since I haven't see ENOMEM, and haven't changed any rlimit, and these processes already had CAP_SYS_ADMIN, I tried to allocate CAP_SYS_RESOURCE as well. After another reboot I can still see some /usr/sbin/laptop_mode lines.

Something must have changed in between 4.3.5-hardened-r2 and the new 4.4.2-hardened.

There was only a single new option I've enabled: CONFIG_GRKERNSEC_HARDEN_TTY=y. Could this new feature be responsible for these fork failures or some other factor must be blamed?

Please let me know if you have any idea on this one!

Thx: Dw.

Can't be due to the new feature -- anything it would reject is logged.

-Brad