2.6.11.9-grsec and snort


Post by muaddib » Tue May 31, 2005 10:20 am

Hi all, I've upgraded one of my snort boxes with 2.6.11.9-grsec.
However, here is the log result when I try to launch snort:

May 31 16:41:47 s3 kernel: BUG: using smp_processor_id() in preemptible [00000001] code: snort/1894
May 31 16:41:47 s3 kernel: caller is gr_handle_sysctl+0x2f/0x37b
May 31 16:41:47 s3 kernel: [<c0242fd7>] smp_processor_id+0x97/0xa8
May 31 16:41:47 s3 kernel: [<c0237eb6>] gr_handle_sysctl+0x2f/0x37b
May 31 16:41:47 s3 kernel: [<c0237eb6>] gr_handle_sysctl+0x2f/0x37b
May 31 16:41:47 s3 kernel: [<c0393740>] _spin_lock+0xe/0x70
May 31 16:41:47 s3 kernel: [<c0393a60>] _spin_unlock+0xd/0x21
May 31 16:41:47 s3 kernel: [<c017cb87>] do_no_page+0x182/0x325
May 31 16:41:47 s3 kernel: [<c0147f2f>] do_page_fault+0x0/0x62e
May 31 16:41:47 s3 kernel: [<c01370eb>] error_code+0x2b/0x30
May 31 16:41:47 s3 kernel: [<c0155245>] parse_table+0x14f/0x199
May 31 16:41:47 s3 kernel: [<c0154fdc>] do_sysctl+0x9c/0xdd
May 31 16:41:47 s3 kernel: [<c015507f>] sys_sysctl+0x62/0x72
May 31 16:41:47 s3 kernel: [<c0147f2f>] do_page_fault+0x0/0x62e
May 31 16:41:47 s3 snort: Error: Could not allocate shared memory: Permission denied
May 31 16:41:47 s3 kernel: [<c0136037>] syscall_call+0x7/0xb
May 31 16:41:47 s3 snort: FATAL ERROR: OpenPcap() device eth0 open: malloc: Invalid argument
May 31 16:41:47 s3 kernel: grsec: From 172.19.54.21: (default:D:/usr/local/bin/snort) denied executable mmap of socket:[18287] by /usr/local/bin/snort[snort:1894] uid/euid:0/0 gid/egid:0/0, parent /sbin/initlog[initlog:1359] uid/euid:0/0 gid/egid:0/0


I'm wondering if it's a grsec bug or only a misconfigured policy.
I can obtain the "kernel: BUG: using smp_processor_id()" and following lines with a simple snort -V.

The snort error about shared memory happens when I launch the process.

Here is my snort extract from the policy file (learning didn't help):
subject /usr/local/bin/snort OM{
user_transition_allow root
group_transition_allow root
/var/log/snort rcw
/var/run dw
/dev/log rcwx
/dev/null rw
/dev/urandom r
/etc/snort rwx
/lib rx
/usr/lib rx
/proc/net/dev r
/proc/sys/kernel/ngroups_max r
/proc/sys/kernel/version r
/usr/local/bin/snort x

connect A.B.C.D/32:5432 stream tcp
bind 0.0.0.0/32:0 dgram ip

+CAP_NET_RAW
+CAP_DAC_OVERRIDE
+CAP_SETGID
+CAP_SETUID
}

I'm desperate, it seems to me I've tried everything in this policy to make it work...
muaddib
 
Posts: 11
Joined: Fri Jan 30, 2004 11:59 am

Re: 2.6.11.9-grsec and snort

Post by PaX Team » Thu Jun 02, 2005 2:00 pm

muaddib wrote: I'm desperate, it seems to me I've tried everything in this policy to make it work...
i guess you have preempt on, disable it for now.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Post by muaddib » Fri Jun 03, 2005 8:00 am

OK, I did it and built a new kernel; the "BUG: using smp_processor_id() in preemptible" events do not appear.

But the problem is still present: "s3 kernel: grsec: From A.B.C.D: (default:D:/usr/local/bin/snort) denied executable mmap of socket:[18287] by /usr/local/bin/snort[snort:1894] uid/euid:0/0 gid/egid:0/0, parent /sbin/initlog[initlog:1359] uid/euid:0/0 gid/egid:0/0"

I detail the next steps in the post http://forums.grsecurity.net/viewtopic.php?t=1218 (mmaped libpcap supported) because it's the same issue.
muaddib
 
Posts: 11
Joined: Fri Jan 30, 2004 11:59 am
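
A small triage helper for denial lines like the one quoted in this thread, as an added example that is not part of any post here or of grsecurity itself. The field layout in the regular expression is an assumption inferred from that single line, and the sample lines are copied from the posts above.

```python
import re
from collections import Counter

# Layout assumed from the one denial line in this thread; other grsec
# message types may be formatted differently.
DENIAL_RE = re.compile(
    r"grsec: (?:From (?P<src>\S+): )?"
    r"\((?P<role>[^:]+):(?P<role_type>[^:]+):(?P<subject>[^)]+)\) "
    r"denied (?P<action>.+?) of (?P<object>\S+) "
    r"by (?P<exe>\S+)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+) gid/egid:(?P<gid>\d+)/(?P<egid>\d+), "
    r"parent (?P<parent_exe>\S+)\[(?P<parent_comm>[^:\]]+):(?P<parent_pid>\d+)\]"
)
# Objects without a filesystem path are printed as "kind:[inode]".
ANON_RE = re.compile(r"^(?P<kind>[a-z_]+):\[(?P<inode>\d+)\]$")

def parse_denial(line):
    """Return the denial fields as a dict, or None for any other log line."""
    m = DENIAL_RE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    anon = ANON_RE.match(fields["object"])
    # "socket:[18287]" names a socket inode, not a file under a policy path.
    fields["object_kind"] = anon.group("kind") if anon else "path"
    return fields

def summarize(lines):
    """Count denials per (subject, action, object kind), ignoring inode numbers."""
    counts = Counter()
    for line in lines:
        fields = parse_denial(line)
        if fields:
            counts[(fields["subject"], fields["action"], fields["object_kind"])] += 1
    return counts

# Sample input: log lines copied from the posts in this thread.
SAMPLE = [
    r"May 31 16:41:47 s3 kernel: grsec: From 172.19.54.21: (default:D:/usr/local/bin/snort) denied executable mmap of socket:[18287] by /usr/local/bin/snort[snort:1894] uid/euid:0/0 gid/egid:0/0, parent /sbin/initlog[initlog:1359] uid/euid:0/0 gid/egid:0/0",
    r"May 31 16:41:47 s3 snort: Error: Could not allocate shared memory: Permission denied",
    r"s3 kernel: grsec: From A.B.C.D: (default:D:/usr/local/bin/snort) denied executable mmap of socket:[18287] by /usr/local/bin/snort[snort:1894] uid/euid:0/0 gid/egid:0/0, parent /sbin/initlog[initlog:1359] uid/euid:0/0 gid/egid:0/0",
]

if __name__ == "__main__":
    for (subject, action, kind), n in summarize(SAMPLE).items():
        print(f"{n}x {subject}: denied {action} on {kind}")
```

Grouping by object kind rather than by the raw object keeps repeated denials together even though the socket inode number changes on every run.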
