r_pns n00b
Joined: 02 Jul 2006 Posts: 33
Posted: Sun Sep 15, 2013 12:10 am Post subject: hardened-sources-3.11.1, 3.11.3 silently hang
I tried hardened-sources-3.10.1-r1 and 3.10.10 with not-yet-hardened userland (default/linux/amd64/13.0/desktop profile). With either kernel, the system randomly hung during boot or under some load (while building packages).
Unfortunately, there were no useful error messages; neither could I catch any through netconsole. The most relevant events logged before crashes were "resource overstep" denials for various resources. However, as far as I can understand, Grsecurity only logs those events, while the kernel denies requests beyond the limits anyway.
Code:
kernel: grsec: denied resource overstep by requesting 4294967295 for RLIMIT_NOFILE against limit 1024
I would appreciate any help to debug and fix this issue.
Code:
# uname -mpi
x86_64 AMD Phenom(tm) II X4 940 Processor AuthenticAMD
Grsecurity config:
Code:
CONFIG_GRKERNSEC=y
CONFIG_GRKERNSEC_CONFIG_AUTO=y
# CONFIG_GRKERNSEC_CONFIG_CUSTOM is not set
# CONFIG_GRKERNSEC_CONFIG_SERVER is not set
CONFIG_GRKERNSEC_CONFIG_DESKTOP=y
# CONFIG_GRKERNSEC_CONFIG_VIRT_NONE is not set
# CONFIG_GRKERNSEC_CONFIG_VIRT_GUEST is not set
CONFIG_GRKERNSEC_CONFIG_VIRT_HOST=y
CONFIG_GRKERNSEC_CONFIG_VIRT_EPT=y
# CONFIG_GRKERNSEC_CONFIG_VIRT_SOFT is not set
# CONFIG_GRKERNSEC_CONFIG_VIRT_XEN is not set
# CONFIG_GRKERNSEC_CONFIG_VIRT_VMWARE is not set
CONFIG_GRKERNSEC_CONFIG_VIRT_KVM=y
# CONFIG_GRKERNSEC_CONFIG_VIRT_VIRTUALBOX is not set
CONFIG_GRKERNSEC_CONFIG_PRIORITY_PERF=y
# CONFIG_GRKERNSEC_CONFIG_PRIORITY_SECURITY is not set
CONFIG_GRKERNSEC_PROC_GID=0
CONFIG_GRKERNSEC_KMEM=y
# CONFIG_GRKERNSEC_IO is not set
CONFIG_GRKERNSEC_PERF_HARDEN=y
CONFIG_GRKERNSEC_RAND_THREADSTACK=y
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_BRUTE=y
CONFIG_GRKERNSEC_MODHARDEN=y
CONFIG_GRKERNSEC_HIDESYM=y
# CONFIG_GRKERNSEC_KERN_LOCKOUT is not set
CONFIG_GRKERNSEC_NO_RBAC=y
# CONFIG_GRKERNSEC_ACL_HIDEKERN is not set
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30
CONFIG_GRKERNSEC_PROC=y
# CONFIG_GRKERNSEC_PROC_USER is not set
CONFIG_GRKERNSEC_PROC_USERGROUP=y
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
# CONFIG_GRKERNSEC_SYMLINKOWN is not set
CONFIG_GRKERNSEC_FIFO=y
# CONFIG_GRKERNSEC_SYSFS_RESTRICT is not set
# CONFIG_GRKERNSEC_ROFS is not set
CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
# CONFIG_GRKERNSEC_EXECLOG is not set
CONFIG_GRKERNSEC_RESLOG=y
# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
# CONFIG_GRKERNSEC_AUDIT_PTRACE is not set
# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
# CONFIG_GRKERNSEC_AUDIT_MOUNT is not set
CONFIG_GRKERNSEC_SIGNAL=y
# CONFIG_GRKERNSEC_FORKFAIL is not set
CONFIG_GRKERNSEC_TIME=y
CONFIG_GRKERNSEC_PROC_IPADDR=y
CONFIG_GRKERNSEC_RWXMAP_LOG=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_HARDEN_PTRACE=y
CONFIG_GRKERNSEC_PTRACE_READEXEC=y
CONFIG_GRKERNSEC_SETXID=y
# CONFIG_GRKERNSEC_TPE is not set
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_BLACKHOLE=y
CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
# CONFIG_GRKERNSEC_SOCKET is not set
# CONFIG_GRKERNSEC_DENYUSB is not set
CONFIG_GRKERNSEC_SYSCTL=y
CONFIG_GRKERNSEC_SYSCTL_ON=y
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=6
CONFIG_PAX_KERNEXEC_PLUGIN=y
CONFIG_PAX_PER_CPU_PGD=y
CONFIG_PAX_USERCOPY_SLABS=y
# PaX
CONFIG_PAX=y
# PaX Control
# CONFIG_PAX_SOFTMODE is not set
# CONFIG_PAX_PT_PAX_FLAGS is not set
CONFIG_PAX_XATTR_PAX_FLAGS=y
CONFIG_PAX_NO_ACL_FLAGS=y
# CONFIG_PAX_HAVE_ACL_FLAGS is not set
# CONFIG_PAX_HOOK_ACL_FLAGS is not set
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
CONFIG_PAX_EMUTRAMP=y
CONFIG_PAX_MPROTECT=y
# CONFIG_PAX_MPROTECT_COMPAT is not set
# CONFIG_PAX_ELFRELOCS is not set
CONFIG_PAX_KERNEXEC=y
# CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_BTS is not set
CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR=y
CONFIG_PAX_KERNEXEC_PLUGIN_METHOD="or"
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
# CONFIG_PAX_MEMORY_SANITIZE is not set
# CONFIG_PAX_MEMORY_STACKLEAK is not set
# CONFIG_PAX_MEMORY_STRUCTLEAK is not set
# CONFIG_PAX_MEMORY_UDEREF is not set
CONFIG_PAX_REFCOUNT=y
CONFIG_PAX_CONSTIFY_PLUGIN=y
CONFIG_PAX_USERCOPY=y
# CONFIG_PAX_USERCOPY_DEBUG is not set
CONFIG_PAX_SIZE_OVERFLOW=y
CONFIG_PAX_LATENT_ENTROPY=y
Last edited by r_pns on Tue Oct 15, 2013 11:45 pm; edited 3 times in total
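The "resource overstep" lines are pure RESLOG auditing: the kernel would refuse a setrlimit/open beyond the hard limit with or without grsecurity, so they tell you which process hit a limit, not why the box froze. A quick way to quantify that noise and set it aside is to count the denials per resource. The following shell script is an added example, not code from the thread or from grsecurity; it assumes only the message format quoted above ("requesting N for RLIMIT_X against limit M"), and the syslog lines it parses are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: count "grsec: denied resource overstep"
# entries per resource so the RESLOG noise can be quantified and set aside
# while looking for the real cause of a hang. Only the message format quoted
# in the thread is assumed: "... requesting N for RLIMIT_X against limit M".

# Constructed sample log (timestamps, hostname and the USB line are made up).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Sep 14 23:50:01 box kernel: grsec: denied resource overstep by requesting 4294967295 for RLIMIT_NOFILE against limit 1024
Sep 14 23:50:03 box kernel: grsec: denied resource overstep by requesting 8192 for RLIMIT_NOFILE against limit 1024
Sep 14 23:51:10 box kernel: grsec: denied resource overstep by requesting 67108864 for RLIMIT_STACK against limit 8388608
Sep 14 23:51:11 box kernel: usb 1-1: new high-speed USB device number 4 using ehci-pci
EOF

# summarize_overstep FILE
# One line per resource: name, number of denials, largest value requested,
# and the limit it was checked against. Lines that are not overstep
# denials are ignored. Use "-" as FILE to read from stdin.
summarize_overstep() {
    grep -o 'denied resource overstep by requesting [0-9]* for RLIMIT_[A-Z]* against limit [0-9]*' "$1" |
    awk '{
        # fields: 6 = requested value, 8 = resource name, 11 = limit
        res = $8; req = $6; lim = $11
        count[res]++
        if (req + 0 > maxreq[res] + 0) maxreq[res] = req
        limit[res] = lim
    } END {
        for (r in count)
            printf "%s count=%d max_requested=%s limit=%s\n", r, count[r], maxreq[r], limit[r]
    }' | sort
}

# overstep_resources FILE: just the distinct resource names, one per line.
overstep_resources() {
    summarize_overstep "$1" | awk '{ print $1 }'
}

summarize_overstep "$SAMPLE_LOG"
```

Against a real machine run it as `summarize_overstep /var/log/messages` or `dmesg | summarize_overstep -`. If the per-resource counts stay flat right before a freeze, the denials are unrelated to it; if one resource spikes, that process is worth a look, but the denial itself is still just an audit record.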
Hu Moderator
Joined: 06 Mar 2007 Posts: 21635
Posted: Sun Sep 15, 2013 12:43 am
If you are seeing hangs, try enabling the various kernel debugging features for detecting deadlocks. These may enable the kernel to print some information when a hang occurs.
r_pns n00b
Joined: 02 Jul 2006 Posts: 33
Posted: Mon Sep 16, 2013 7:42 pm
Thank you for your advice, Hu!
I have enabled the following, which seems appropriate to me:
Code:
CONFIG_DEFAULT_MESSAGE_LOGLEVEL=7
CONFIG_MAGIC_SYSRQ=y
CONFIG_DEBUG_KERNEL=y
CONFIG_LOCKUP_DETECTOR=y
CONFIG_BOOTPARAM_HARDLOCKUP_PANIC=y
CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC=y
CONFIG_PANIC_ON_OOPS=y
CONFIG_DETECT_HUNG_TASK=y
CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120
CONFIG_BOOTPARAM_HUNG_TASK_PANIC=y
CONFIG_DEBUG_RT_MUTEXES=y
CONFIG_DEBUG_SPINLOCK=y
CONFIG_DEBUG_MUTEXES=y
CONFIG_FRAME_POINTER=y
CONFIG_EARLY_PRINTK=y
CONFIG_DEBUG_NMI_SELFTEST=y
Yet there was no success. The system hung during compilation without any message. The SysRq mechanism did not help either---there was no reaction to keystrokes.
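Two things are worth confirming before the next reproduction attempt: that the rebuilt kernel really carries the options listed above (it is easy to set them in menuconfig and then boot the previous image), and that the kernel.sysrq mask still allows the process-dump group, since a mask of 0 or a distribution default that drops bit 8 silently disables SysRq-t and SysRq-w. The following shell script is an added example, not from the thread; the option list is copied from the message above, the sysrq bit meanings follow Documentation/sysrq.txt (1 = all functions, 8 = debugging dumps of processes), and the sample .config it checks is constructed with two options deliberately missing.

```shell
#!/bin/sh
# Added example, not from the thread: verify that a kernel .config carries the
# hang-diagnosis options listed in the thread, and that a kernel.sysrq value
# still permits the process/task dumps (SysRq-t, SysRq-w) used to inspect a
# hung but still interrupt-serviceable system. Option list copied from the
# poster's message; sysrq bit values follow Documentation/sysrq.txt.

WANTED_OPTS="CONFIG_MAGIC_SYSRQ CONFIG_DEBUG_KERNEL CONFIG_LOCKUP_DETECTOR
CONFIG_BOOTPARAM_HARDLOCKUP_PANIC CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC
CONFIG_PANIC_ON_OOPS CONFIG_DETECT_HUNG_TASK CONFIG_BOOTPARAM_HUNG_TASK_PANIC
CONFIG_DEBUG_RT_MUTEXES CONFIG_DEBUG_SPINLOCK CONFIG_DEBUG_MUTEXES
CONFIG_FRAME_POINTER CONFIG_EARLY_PRINTK CONFIG_DEBUG_NMI_SELFTEST"

# missing_debug_opts FILE: print every wanted option that is not "=y" in FILE
# (either absent or recorded as "# CONFIG_X is not set"). Always exits 0.
missing_debug_opts() {
    for opt in $WANTED_OPTS; do
        grep -q "^${opt}=y\$" "$1" || echo "$opt"
    done
}

# count_missing_debug_opts FILE: how many of the wanted options are missing.
count_missing_debug_opts() {
    missing_debug_opts "$1" | awk 'END { print NR }'
}

# sysrq_allows_dumps MASK: exit 0 if a kernel.sysrq value of MASK permits the
# "debugging dumps of processes" group. 1 enables everything, 0 disables
# SysRq completely, any other value is a bitmask in which bit 8 is the dumps.
sysrq_allows_dumps() {
    mask="$1"
    [ "$mask" -eq 1 ] || [ $((mask & 8)) -ne 0 ]
}

# Constructed sample .config: CONFIG_EARLY_PRINTK is absent and
# CONFIG_DEBUG_NMI_SELFTEST is explicitly unset, so the check reports both.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
CONFIG_DEFAULT_MESSAGE_LOGLEVEL=7
CONFIG_MAGIC_SYSRQ=y
CONFIG_DEBUG_KERNEL=y
CONFIG_LOCKUP_DETECTOR=y
CONFIG_BOOTPARAM_HARDLOCKUP_PANIC=y
CONFIG_BOOTPARAM_SOFTLOCKUP_PANIC=y
CONFIG_PANIC_ON_OOPS=y
CONFIG_DETECT_HUNG_TASK=y
CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120
CONFIG_BOOTPARAM_HUNG_TASK_PANIC=y
CONFIG_DEBUG_RT_MUTEXES=y
CONFIG_DEBUG_SPINLOCK=y
CONFIG_DEBUG_MUTEXES=y
CONFIG_FRAME_POINTER=y
# CONFIG_DEBUG_NMI_SELFTEST is not set
EOF

echo "Options missing from $SAMPLE_CFG:"
missing_debug_opts "$SAMPLE_CFG"
```

On the running box, feed it the live configuration (`zcat /proc/config.gz > /tmp/cfg; missing_debug_opts /tmp/cfg`, or the matching /boot/config-* file) and check the mask with `sysrq_allows_dumps "$(cat /proc/sys/kernel/sysrq)"`. Keep in mind that keyboard SysRq only works while the kernel still services interrupts; a true hard lockup is exactly what the NMI-driven hardlockup detector (CONFIG_LOCKUP_DETECTOR with CONFIG_BOOTPARAM_HARDLOCKUP_PANIC) is there to catch, which is why netconsole or a serial console matters more than the keyboard in that case.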
Hu Moderator
Joined: 06 Mar 2007 Posts: 21635
Posted: Mon Sep 16, 2013 9:06 pm
That sounds more like a panic than a hang. Please test with non-hardened sources to determine whether the problem is a fundamental issue with this kernel series or is a problem introduced by the hardening patches.
r_pns n00b
Joined: 02 Jul 2006 Posts: 33
Posted: Mon Sep 16, 2013 9:41 pm
I can reproduce the issue with both hardened-sources-3.10.1-r1 and 3.10.10, while I have not seen any problem using gentoo-sources-3.10.7 (currently stable) for some time.
It's my fault I did not mention that earlier.
Now I'm going to try hardened-sources-3.11.
Last edited by r_pns on Tue Sep 17, 2013 5:51 am; edited 1 time in total
666threesixes666 Veteran
Joined: 31 May 2011 Posts: 1248 Location: 42.68n 85.41w
Posted: Tue Sep 17, 2013 2:57 am
I've noted 1 load hang on 3.10.10; loading Firefox did it for me. It was strange: just video off, no monitor, system hanging in the background as far as I can tell. I don't have ssh set up or the other computer running right now to determine if it was still going in the background. ugg @ 3.9-11.x
r_pns n00b
Joined: 02 Jul 2006 Posts: 33
Posted: Wed Sep 18, 2013 8:27 pm
So, I have tested hardened-sources-3.11.1. The issue persisted.
666threesixes666, did you use hardened sources?
r_pns n00b
Joined: 02 Jul 2006 Posts: 33
Posted: Sat Oct 12, 2013 10:24 pm
The testing was quite limited, but I have not been able to reproduce this with hardened-sources-3.11.3 so far.
r_pns n00b
Joined: 02 Jul 2006 Posts: 33
Posted: Tue Oct 15, 2013 11:44 pm
Unfortunately, the issue has come back with 3.11.3. During usual desktop activity and apparently under some disk load the system got totally unresponsive. Still, no messages in netconsole nor elsewhere.