attempted resource overstep

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Moderators: spender, PaX Team

Postby PaX Team » Wed Apr 02, 2003 6:38 pm

supermike wrote:I knew you were going to ask that :)
Ok, already re-enabled randomization and it now fails again:
ok, i'm confused now ;-). first you said that you'd disabled all but PaX in the kernel and it worked, and now you say that you re-enabled randomizaton (wasn't it already enabled?) and it fails... so can you summarize what PaX/grsec options were enabled in the kernel and on java and what worked/failed (something like a simple table would make it clear)?
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Postby supermike » Wed Apr 02, 2003 6:44 pm

Sorry, I meant I did as you suggested, disabled all but PAX, then also disabled randomization. After enabling the randomization options it failed.

Now I have re-enabled all my previous grsec options and PAX, but without the randomization and it works.
So the problem is caused by one or more of:
CONFIG_GRKERNSEC_PAX_ASLR=y
CONFIG_GRKERNSEC_PAX_RANDKSTACK=y
CONFIG_GRKERNSEC_PAX_RANDUSTACK=y
CONFIG_GRKERNSEC_PAX_RANDMMAP=y
supermike
 
Posts: 13
Joined: Fri Sep 20, 2002 9:59 pm
Location: Vancouver, BC

Postby PaX Team » Wed Apr 02, 2003 6:47 pm

supermike wrote:Now I have re-enabled all my previous grsec options and PAX, but without the randomization and it works.
So the problem is caused by one or more of:
CONFIG_GRKERNSEC_PAX_ASLR=y
CONFIG_GRKERNSEC_PAX_RANDKSTACK=y
CONFIG_GRKERNSEC_PAX_RANDUSTACK=y
CONFIG_GRKERNSEC_PAX_RANDMMAP=y
so then it's at most 3 kernel recompilations and we'd know for sure... would you mind? ;-)
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Postby supermike » Wed Apr 02, 2003 6:59 pm

jeez I need a faster compter :(

well, a good guess:
disabled only CONFIG_GRKERNSEC_PAX_RANDUSTACK and it's still working :)
supermike
 
Posts: 13
Joined: Fri Sep 20, 2002 9:59 pm
Location: Vancouver, BC

Postby PaX Team » Wed Apr 02, 2003 7:31 pm

supermike wrote:disabled only CONFIG_GRKERNSEC_PAX_RANDUSTACK and it's still working :)
so it must be RANDMMAP then. can you run java and the other one through strace -f -F and send the output in email please?
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Postby MJatIFAD » Sat Jan 03, 2004 12:06 pm

I too get the grsec attempted resource overstep with java using an off the shelf Mandrake 9.2 secure kernel 2.4.22-21mdk. The symptoms described in this thread sum up my problem very well. I am not an expert and I had difficulties to understand what the fix for the problem is, but as far as I understood I need to rebuild the kernel with the grsec patch and CONFIG_GRKERNSEC_PAX_RANDUSTACK disabled. Is this correct or is there a simpler solution?
MJatIFAD
 
Posts: 5
Joined: Wed Oct 29, 2003 5:54 pm

Postby MJatIFAD » Sun Jan 04, 2004 8:45 am

Rebuild the kernel with CONFIG_GRKERNSEC_PAX_RANDUSTACK and it seemed to have some effect, but not enough to remove the "grsec: attempted resource overstep by requesting 4096 for RLIMIT_CORE against limit 0" error. Previously no java processes were started when I started tomcat but now some do get to live without the parent process, which is still killed. I also tried to disable CONFIG_GRKERNSEC_PAX_RANDMMAP without effect. I guess my problems are not exactly the same. What do I try next?
:-?
MJatIFAD
 
Posts: 5
Joined: Wed Oct 29, 2003 5:54 pm

Postby MJatIFAD » Sun Jan 04, 2004 9:16 pm

It seems that the grsecurity version in Mandrake 9.2 with the kernel source distribution 2.4.22-21mdk is different than the one previously discussed in this thread. I found that the compile options in the .config file were named differently, which I did not notice earlier because I use xconfig to disable/enable them, and here they have other but similar display names.

However, I found out that I had to disable the compile option CONFIG_GRKERNSEC_PROC_MEMMAP to get rid of my Java problem, but I now discovered other grsec errors on kdeinit, cleanup and procmail. In these cases it is hard to tell whether it has some visible effect on my system workings. It seems to me that the grsecurity patch in Mandrake 9.2 with the kernel source distribution 2.4.22-21mdk is not working very well with many standard system parts. Maybe I should try another kernel source distribution or maybe just I need to add some extra acl definitions? I am still new to this stuff, so I would apreciate if someone could give me some feedback on this.

:-?
MJatIFAD
 
Posts: 5
Joined: Wed Oct 29, 2003 5:54 pm

Postby PaX Team » Tue Jan 06, 2004 5:49 am

MJatIFAD wrote:Maybe I should try another kernel source distribution or maybe just I need to add some extra acl definitions? I am still new to this stuff, so I would apreciate if someone could give me some feedback on this.
what you should try is always the latest vanilla kernel and grsecurity. if that still gives you problems, then post as much info as you can find out, among others your .config, your ACLs, your relevant logs, etc.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Previous

Return to grsecurity support