There seems to be a problem with address randomization on which varius (as in random) commands / apps get signal 11 without any apparent reason. By enabling the following two options:
- Code: Select all
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
i get - on a very rare occations - segv to different utilities.
from log:
- Code: Select all
May 19 11:38:42 localhost kernel: grsec: signal 11 sent to /bin/ls[ls:7809] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/find[find:29551] uid/euid:0/0 gid/egid:0/0
on a normal basis i get 3-5 segv/week by looking at logs. it's not related to any specific app .. i get it from ls, gawk, zcat to gcc/firefox etc. i was able to reproduce it more often doing the following on a direcrory tree with 10's of thousant of files (about 90k) i run:
- Code: Select all
find /usr/src -exec ls -l {} 1> /dev/null \;
i get about 2-3 segv to ls.
at first i thought it was related to bad hardware, mem etc. (becouse segv's where to rare to notice) but i tested it with two different machines (one p4/rimm and one athlon tbird/ddr mem). Also with the original distributions kernels (centos) and vanila kernels (same config as grsec) i get nothing.
at neither of them i used kernel stack randomization.
full conf
- Code: Select all
CONFIG_GRKERNSEC=y
CONFIG_GRKERNSEC_CUSTOM=y
CONFIG_GRKERNSEC_KMEM=y
CONFIG_GRKERNSEC_BRUTE=y
CONFIG_GRKERNSEC_HIDESYM=y
CONFIG_GRKERNSEC_ACL_HIDEKERN=y
CONFIG_GRKERNSEC_ACL_MAXTRIES=5
CONFIG_GRKERNSEC_ACL_TIMEOUT=30
CONFIG_GRKERNSEC_PROC=y
CONFIG_GRKERNSEC_PROC_USER=y
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_RESLOG=y
CONFIG_GRKERNSEC_AUDIT_MOUNT=y
CONFIG_GRKERNSEC_AUDIT_IPC=y
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_EXECVE=y
CONFIG_GRKERNSEC_SHM=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_RANDPID=y
CONFIG_GRKERNSEC_TPE=y
CONFIG_GRKERNSEC_TPE_ALL=y
CONFIG_GRKERNSEC_TPE_GID=1005
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_RANDSRC=y
CONFIG_GRKERNSEC_SYSCTL=y
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=4
CONFIG_PAX=y
CONFIG_PAX_EI_PAX=y
CONFIG_PAX_HAVE_ACL_FLAGS=y
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
CONFIG_PAX_MPROTECT=y
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
CONFIG_PAX_NOVSYSCALL=y
grsecurity-2.1.5 on 2.6.11.7 and .9