2.6.11.9-grsec and snort
Posted: Tue May 31, 2005 10:20 am
Hi all, I've upgraded one of my snort-boxes with 2.6.11.9-grsec.
However, here is the log result when I try to launch snort:
May 31 16:41:47 s3 kernel: BUG: using smp_processor_id() in preemptible [00000001] code: snort/1894
May 31 16:41:47 s3 kernel: caller is gr_handle_sysctl+0x2f/0x37b
May 31 16:41:47 s3 kernel: [<c0242fd7>] smp_processor_id+0x97/0xa8
May 31 16:41:47 s3 kernel: [<c0237eb6>] gr_handle_sysctl+0x2f/0x37b
May 31 16:41:47 s3 kernel: [<c0237eb6>] gr_handle_sysctl+0x2f/0x37b
May 31 16:41:47 s3 kernel: [<c0393740>] _spin_lock+0xe/0x70
May 31 16:41:47 s3 kernel: [<c0393a60>] _spin_unlock+0xd/0x21
May 31 16:41:47 s3 kernel: [<c017cb87>] do_no_page+0x182/0x325
May 31 16:41:47 s3 kernel: [<c0147f2f>] do_page_fault+0x0/0x62e
May 31 16:41:47 s3 kernel: [<c01370eb>] error_code+0x2b/0x30
May 31 16:41:47 s3 kernel: [<c0155245>] parse_table+0x14f/0x199
May 31 16:41:47 s3 kernel: [<c0154fdc>] do_sysctl+0x9c/0xdd
May 31 16:41:47 s3 kernel: [<c015507f>] sys_sysctl+0x62/0x72
May 31 16:41:47 s3 kernel: [<c0147f2f>] do_page_fault+0x0/0x62e
May 31 16:41:47 s3 snort: Error: Could not allocate shared memory: Permission denied
May 31 16:41:47 s3 kernel: [<c0136037>] syscall_call+0x7/0xb
May 31 16:41:47 s3 snort: FATAL ERROR: OpenPcap() device eth0 open: malloc: Invalid argument
May 31 16:41:47 s3 kernel: grsec: From 172.19.54.21: (default:D:/usr/local/bin/snort) denied executable mmap of socket:[18287] by /usr/local/bin/snort[snort:1894] uid/euid:0/0 gid/egid:0/0, parent /sbin/initlog[initlog:1359] uid/euid:0/0 gid/egid:0/0
I'm wondering if it's a grsec bug or only a misconfigured policy.
I can obtain the "kernel: BUG: using smp_processor_id()" and following lines with a simple snort -V.
The snort error about shared memory happens when I launch the process.
Here is my snort extract from the policy file (learning didn't help):
subject /usr/local/bin/snort OM{
user_transition_allow root
group_transition_allow root
/var/log/snort rcw
/var/run dw
/dev/log rcwx
/dev/null rw
/dev/urandom r
/etc/snort rwx
/lib rx
/usr/lib rx
/proc/net/dev r
/proc/sys/kernel/ngroups_max r
/proc/sys/kernel/version r
/usr/local/bin/snort x
connect A.B.C.D/32:5432 stream tcp
bind 0.0.0.0/32:0 dgram ip
+CAP_NET_RAW
+CAP_DAC_OVERRIDE
+CAP_SETGID
+CAP_SETUID
}
I'm desperate; it seems to me I've tried everything in this policy to make it work...