signal 9 & chroot_restrict_sigs

Post by gst » Mon Sep 09, 2002 1:13 pm

hello,

i experienced a strange problem using the chroot_restrict_sigs option. (i think it's a bug in grsecurity [that's the reason why i am posting this to the development board :) ]).

i use an older version of grsecurity running on a 2.4.18 kernel, so maybe this is already fixed (i can't upgrade because i have to wait for the trustees patch to be updated to 2.4.19 first).

so.. the problem:

i am running a daemon in a chroot, which quite often does "hang", and uses more and more memory until it gets killed by the kernel with signal 9.

Out of Memory: Killed process 154 (jabberd).

the problem is that when i enable grsecurity the kernel doesn't kill this process, but instead kills other processes.

dmesg shows the following output:

grsec: denied signal 9 out of chroot jail (09:02:1607928) of 0.0 by (jabberd:154) UID(1) EUID(1), parent (jabrun.sh:5123) UID(0) EUID(0) to (apache:17371) UID(33) EUID(33), parent (apache:7851) UID(0) EUID(0)

i assume that the kernel somehow isn't able to kill this process when grsecurity is enabled, and therefore tries to kill other processes.

i have disabled chroot_restrict_sigs some days ago, and didn't have the same problem until now...

cu
/gst
gst
 
Posts: 1
Joined: Thu Aug 08, 2002 4:15 pm
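
An added example (not part of the original posts, and not grsecurity code): a small parser for the denied-signal line format quoted in the post above, which groups blocked signal 9 deliveries by the jailed sender and lists the OOM kills that do appear in the log. The function names and every sample line after the first are constructed for illustration.

```python
import re
from collections import defaultdict

# Layout copied from the grsec line quoted in the post; other grsecurity
# versions may word this message differently (assumption).
PROC = r"\((?P<{0}>[^:()]+):(?P<{0}_pid>\d+)\) UID\((?P<{0}_uid>\d+)\) EUID\((?P<{0}_euid>\d+)\)"
DENIED = re.compile(
    r"grsec: denied signal (?P<sig>\d+) out of chroot jail \((?P<jail>[^)]+)\) of \S+ by "
    + PROC.format("src") + ", parent " + PROC.format("src_parent")
    + " to " + PROC.format("dst") + ", parent " + PROC.format("dst_parent"))
OOM = re.compile(r"Out of Memory: Killed process (?P<pid>\d+) \((?P<name>[^)]+)\)")


def parse_denial(line):
    """Return the fields of one denied-signal line as a dict, or None."""
    m = DENIED.search(line)
    if not m:
        return None
    numeric = ("_pid", "_uid", "_euid")
    return {k: int(v) if k == "sig" or k.endswith(numeric) else v
            for k, v in m.groupdict().items()}


def blocked_kills(lines, sig=9):
    """Group denied signals by jailed sender; also list OOM kills that were logged."""
    by_sender, oom_killed = defaultdict(list), []
    for line in lines:
        d = parse_denial(line)
        if d and d["sig"] == sig:
            by_sender[(d["src"], d["src_pid"])].append((d["dst"], d["dst_pid"]))
            continue
        m = OOM.search(line)
        if m:
            oom_killed.append((m["name"], int(m["pid"])))
    return dict(by_sender), oom_killed


# First line is the one quoted in the post; the other two are constructed.
SAMPLE = [
    "grsec: denied signal 9 out of chroot jail (09:02:1607928) of 0.0 by (jabberd:154) UID(1) EUID(1), parent (jabrun.sh:5123) UID(0) EUID(0) to (apache:17371) UID(33) EUID(33), parent (apache:7851) UID(0) EUID(0)",
    "grsec: denied signal 9 out of chroot jail (09:02:1607928) of 0.0 by (jabberd:154) UID(1) EUID(1), parent (jabrun.sh:5123) UID(0) EUID(0) to (sshd:402) UID(0) EUID(0), parent (init:1) UID(0) EUID(0)",
    "Out of Memory: Killed process 2201 (mysqld).",
]

if __name__ == "__main__":
    senders, oom = blocked_kills(SAMPLE)
    for (name, pid), targets in senders.items():
        print(f"{name}:{pid} had signal 9 denied to {targets}; OOM kills logged: {oom}")
```

Feeding it saved `dmesg` output one line at a time shows which chrooted process the denials are attributed to and which processes outside the jail were the intended targets.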

Post by spender » Mon Sep 09, 2002 2:58 pm

try a new version of grsecurity. I was able to replace several of the features with one single feature...the "protect outside processes" chroot feature.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

