signal 11 sent to /opt/sun-jdk-1.6.0.11/bin/java


Postby alexey.lapitsky » Mon Dec 15, 2008 8:05 pm

I am trying to run a Java application on grsec.

dmesg:
grsec: signal 11 sent to /opt/sun-jdk-1.6.0.11/bin/java[java:4124] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
grsec: signal 11 sent to /opt/sun-jdk-1.6.0.11/bin/java[java:4124] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
grsec: signal 11 sent to /opt/sun-jdk-1.6.0.11/bin/java[java:4124] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
grsec: signal 11 sent to /opt/sun-jdk-1.6.0.11/bin/java[java:4124] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0

OS: gentoo linux x86 2.6.25-hardened-r11

kernel config : http://rghost.ru/68943

sysctl -a : http://rghost.ru/68944

paxctl -v /opt/*-jdk-*/{jre,}/bin/* : http://rghost.ru/68946

chpax -v /opt/*-jdk-*/{jre,}/bin/* : http://rghost.ru/68947

What should I do?
alexey.lapitsky
 
Posts: 3
Joined: Sun Dec 07, 2008 2:44 am

Re: signal 11 sent to /opt/sun-jdk-1.6.0.11/bin/java

Postby PaX Team » Tue Dec 16, 2008 12:15 pm

alexey.lapitsky wrote: OS: gentoo linux x86 2.6.25-hardened-r11

kernel config : http://rghost.ru/68943

sysctl -a : http://rghost.ru/68944

paxctl -v /opt/*-jdk-*/{jre,}/bin/* : http://rghost.ru/68946

chpax -v /opt/*-jdk-*/{jre,}/bin/* : http://rghost.ru/68947

What should I do?
since you're not enabling PaX in .config, the chpax/paxctl flags are irrelevant. if these jvm segfaults are easy to reproduce, can you test a newer kernel than .25 please? for cross-checking, first a vanilla/unpatched tree then one patched with PaX only (but same config, i.e., nothing enabled of PaX).
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: signal 11 sent to /opt/sun-jdk-1.6.0.11/bin/java

Postby SlashBeast » Fri Dec 19, 2008 5:10 pm

I use grsec, without pax, on 2.6.27-hardened-r3 and I also have errors like this:

[192989.135160] grsec: From xx.xx.xx.xx: signal 11 sent to /opt/sun-jdk-1.6.0.11/bin/java[java:5682] uid/euid:103/103 gid/egid:31340/31340, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[193137.776446] grsec: From xx.xx.xx.xx: denied resource overstep by requesting 69632 for RLIMIT_MEMLOCK against limit 32768 for /usr/bin/mocp[mocp:15479] uid/euid:1000/1000 gid/egid:100/100, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[193350.690289] grsec: From xx.xx.xx.xx: signal 11 sent to /opt/sun-jdk-1.6.0.11/bin/java[java:5682] uid/euid:103/103 gid/egid:31340/31340, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[193772.270103] grsec: From xx.xx.xx.xx: signal 11 sent to /opt/sun-jdk-1.6.0.11/bin/java[java:5682] uid/euid:103/103 gid/egid:31340/31340, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[194254.075524] grsec: From xx.xx.xx.xx: signal 11 sent to /opt/sun-jdk-1.6.0.11/bin/java[java:5682] uid/euid:103/103 gid/egid:31340/31340, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[194494.979825] grsec: From xx.xx.xx.xx: signal 11 sent to /opt/sun-jdk-1.6.0.11/bin/java[java:5682] uid/euid:103/103 gid/egid:31340/31340, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Last edited by SlashBeast on Fri Dec 19, 2008 5:14 pm, edited 1 time in total.
SlashBeast
 
Posts: 2
Joined: Wed Nov 26, 2008 11:26 am
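
Added example (not part of any post in this thread): a Python parser for the grsec signal-logging lines quoted above, handling both the bare form and the timestamped `From <addr>:` form, that groups events by binary, PID and signal. The function names are hypothetical; the sample lines are copied from the posts.

```python
import re

# Sample lines copied from the posts in this thread (one bare, three timestamped).
SAMPLE = """\
grsec: signal 11 sent to /opt/sun-jdk-1.6.0.11/bin/java[java:4124] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[192989.135160] grsec: From xx.xx.xx.xx: signal 11 sent to /opt/sun-jdk-1.6.0.11/bin/java[java:5682] uid/euid:103/103 gid/egid:31340/31340, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[193137.776446] grsec: From xx.xx.xx.xx: denied resource overstep by requesting 69632 for RLIMIT_MEMLOCK against limit 32768 for /usr/bin/mocp[mocp:15479] uid/euid:1000/1000 gid/egid:100/100, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[193350.690289] grsec: From xx.xx.xx.xx: signal 11 sent to /opt/sun-jdk-1.6.0.11/bin/java[java:5682] uid/euid:103/103 gid/egid:31340/31340, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
"""

# Optional dmesg timestamp, optional "From <addr>:" prefix, then the signal record.
SIGNAL_RE = re.compile(
    r"^(?:\[\s*(?P<ts>\d+\.\d+)\]\s*)?grsec: (?:From (?P<src>\S+): )?"
    r"signal (?P<sig>\d+) sent to (?P<path>\S+)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+) gid/egid:(?P<gid>\d+)/(?P<egid>\d+), "
    r"parent (?P<ppath>\S+)\[(?P<pcomm>[^:\]]+):(?P<ppid>\d+)\]"
)

def parse_signal_events(text):
    """Return one dict per grsec signal line; other grsec messages are skipped."""
    events = []
    for line in text.splitlines():
        m = SIGNAL_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        for key in ("sig", "pid", "uid", "euid", "gid", "egid", "ppid"):
            ev[key] = int(ev[key])
        ev["ts"] = float(ev["ts"]) if ev["ts"] else None
        events.append(ev)
    return events

def repeat_offenders(events, threshold=2):
    """Map (path, pid, signal) -> (count, seconds between first and last event)."""
    groups = {}
    for ev in events:
        groups.setdefault((ev["path"], ev["pid"], ev["sig"]), []).append(ev["ts"])
    result = {}
    for key, stamps in groups.items():
        if len(stamps) < threshold:
            continue
        known = [t for t in stamps if t is not None]
        span = max(known) - min(known) if len(known) >= 2 else None
        result[key] = (len(stamps), span)
    return result
```

A (path, PID, signal) key that recurs, as PID 5682 does here, shows the same process was still running after the earlier signal was logged.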

Re: signal 11 sent to /opt/sun-jdk-1.6.0.11/bin/java

Postby alexey.lapitsky » Fri Dec 19, 2008 5:14 pm

Works fine on latest vanilla. I have not tested on latest grsec kernel yet.
alexey.lapitsky
 
Posts: 3
Joined: Sun Dec 07, 2008 2:44 am

Re: signal 11 sent to /opt/sun-jdk-1.6.0.11/bin/java

Postby fixinko » Mon Feb 02, 2009 3:30 pm

alexey.lapitsky wrote:Works fine on latest vanilla. I have not tested on latest grsec kernel yet.

I think that the vanilla kernel doesn't include signal logging and other stuff provided by grsec, so you can't see if java is segfaulting or not. I have a similar problem on Gentoo's 2.6.25-hardened-r10 kernel. All binary files in /opt/sun-jdk-1.6.0.11/bin have -pemrxs flags. It seems that the java-based application is running ok, but it is still logging into syslog...

grsec/pax related kernel params
CONFIG_GRKERNSEC=y
CONFIG_GRKERNSEC_CUSTOM=y
CONFIG_GRKERNSEC_KMEM=y
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_BRUTE=y
CONFIG_GRKERNSEC_MODSTOP=y
CONFIG_GRKERNSEC_HIDESYM=y
CONFIG_GRKERNSEC_ACL_HIDEKERN=y
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30
CONFIG_GRKERNSEC_PROC=y
CONFIG_GRKERNSEC_PROC_USERGROUP=y
CONFIG_GRKERNSEC_PROC_GID=1001
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y
CONFIG_GRKERNSEC_RESLOG=y
CONFIG_GRKERNSEC_AUDIT_MOUNT=y
CONFIG_GRKERNSEC_AUDIT_IPC=y
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_TIME=y
CONFIG_GRKERNSEC_PROC_IPADDR=y
CONFIG_GRKERNSEC_EXECVE=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_TPE=y
CONFIG_GRKERNSEC_TPE_ALL=y
CONFIG_GRKERNSEC_TPE_GID=2003
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_SOCKET=y
CONFIG_GRKERNSEC_SOCKET_ALL=y
CONFIG_GRKERNSEC_SOCKET_ALL_GID=2000
CONFIG_GRKERNSEC_SOCKET_CLIENT=y
CONFIG_GRKERNSEC_SOCKET_CLIENT_GID=2001
CONFIG_GRKERNSEC_SOCKET_SERVER=y
CONFIG_GRKERNSEC_SOCKET_SERVER_GID=2002
CONFIG_GRKERNSEC_SYSCTL=y
CONFIG_GRKERNSEC_SELINUX_AVC_LOG_IPADDR=y
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=4
CONFIG_PAX=y
CONFIG_PAX_SOFTMODE=y
CONFIG_PAX_EI_PAX=y
CONFIG_PAX_PT_PAX_FLAGS=y
CONFIG_PAX_HAVE_ACL_FLAGS=y
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
CONFIG_PAX_MPROTECT=y
CONFIG_PAX_NOELFRELOCS=y
CONFIG_PAX_KERNEXEC=y
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
fixinko
 
Posts: 6
Joined: Wed Apr 19, 2006 11:58 am

Re: signal 11 sent to /opt/sun-jdk-1.6.0.11/bin/java

Postby alexey.lapitsky » Mon Feb 02, 2009 5:52 pm

fixinko wrote:I think that vanilla kernel doesn't include logging signal

It includes sigsegv logging.
alexey.lapitsky
 
Posts: 3
Joined: Sun Dec 07, 2008 2:44 am

