sys-apps/gradm-2.2.0.201009022049 segmentation fault startup "gradm -E"

Reproducible: Always

# uname -a
Linux servh5 2.6.35-hardened-r2 #2 Tue Oct 12 10:43:22 MSD 2010 i686 06/03 AuthenticAMD GNU/Linux

# emerge --info
Portage 2.1.8.3 (selinux/2007.0/x86/hardened, gcc-4.3.4-hardenednopie, glibc-2.11.2-r0, 2.6.35-hardened-r2 i686)
=================================================================
System uname: Linux-2.6.35-hardened-r2-i686-06-03-with-gentoo-1.12.13
Timestamp of tree: Tue, 12 Oct 2010 08:00:01 +0000
app-shells/bash: 4.1_p7
dev-java/java-config: 2.1.11
dev-lang/python: 2.6.5-r3, 3.1.2-r4
dev-util/cmake: 2.8.1-r2
sys-apps/baselayout: 1.12.13
sys-apps/sandbox: 2.3-r1
sys-devel/autoconf: 2.13, 2.65-r1
sys-devel/automake: 1.10.3, 1.11.1
sys-devel/binutils: 2.20.1-r1
sys-devel/gcc: 4.3.4, 4.4.3-r2
sys-devel/gcc-config: 1.4.1
sys-devel/libtool: 2.2.10
sys-devel/make: 3.81-r2
virtual/os-headers: 2.6.30-r1
ACCEPT_KEYWORDS="x86"
ACCEPT_LICENSE="* -@EULA PUEL dlj-1.1 skype-eula cadsoft AdobeFlash-10 AdobeFlash-10.1"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=i686 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -march=i686 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests distlocks fixpackages loadpolicy news parallel-fetch protect-owned sandbox selinux sesandbox sfperms strict unmerge-logs unmerge-orphans userfetch"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="ru_RU.UTF-8"
LC_ALL=""
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="ru en"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/var/lib/layman/sunrise /var/lib/layman/rion /var/lib/layman/mrcat /usr/local/overlays"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X apache2 auto-hinter berkdb btrfs bzip2 cairo cgi cleartype cli consolekit corefonts cracklib crypt cups cxx dbus device-mapper djvu dri dynamic dynamicplugin extras flash fortran gd gdu gif gnome gnutls gtk hal hardened histman iconv icq irc jabber java javascript jbig jpeg jpeg2k modules mrim mudflap ncurses nls nsplugin openmp oscar pam pcre pdf perl php pic png policykit posix postfix pppd python qt3support qt4 rar readline reflection reiserfs samba selinux session spell sqlite ssl ssp tcpd tiff truetype unicode vkontakte x86 xml xorg yandexnarod zip zlib"
ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol"
APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias"
COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog"
ELIBC="glibc"
GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx"
INPUT_DEVICES="evdev"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
LINGUAS="ru en"
PHP_TARGETS="php-5.2"
RUBY_TARGETS="ruby18"
USERLAND="GNU"
VIDEO_CARDS="cirrus"
XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Created attachment 250421 [details] strace gradm -E
(In reply to comment #1)
> Created an attachment (id=250421) [details]
> strace gradm -E
>

gradm-2.2.0.201009022049 is working for me with various hardened kernels on many systems. A few things to check on your end. If all of the following check out, then I'll investigate further.

1) Your profile is set to selinux/2007.0/x86/hardened. It should be hardened/linux/amd64/10.0

2) Make sure you have RBAC enabled in the kernel

3) After booting into an RBAC enabled kernel, make sure you have the special device

crw--w--w- 1 root root 1, 13 Oct 1 20:58 /dev/grsec

I noticed that your strace died right after trying to access that file.
Thanks for your support!

I use KVM. This processor (inside KVM) does not support 64:

cat /proc/cpuinfo
processor : 0
vendor_id : AuthenticAMD
cpu family : 6
model : 3
model name : 06/03
stepping : 3
cpu MHz : 2699.966
fdiv_bug : no
hlt_bug : no
f00f_bug : no
coma_bug : no
fpu : yes
fpu_exception : yes
cpuid level : 4
wp : yes
flags : fpu de pse tsc msr pae mce cx8 apic sep pge cmov pat mmx fxsr sse sse2 pni popcnt hypervisor
bogomips : 5399.93
clflush size : 32
cache_alignment : 32
address sizes : 36 bits physical, 32 bits virtual
power management:

I rebuilt my system with a profile:
[7] hardened/linux/x86/10.0 *

The result is repeated.
Could this be due to the use of the KVM?
> The result is repeated.
> Could this be due to the use of the KVM?
>

I run many KVM instances, fully hardened, both amd64 and x86, and I have never seen gradm-2.2.0.201009022049 seg fault. I have a system nearly identical to your emerge --info. The only difference is that I use i686-pc-linux-gnu-4.3.4 rather than i686-pc-linux-gnu-4.3.4-hardenednopie.

I also realized that your strace probably died after reading /dev/grsec because you have CONFIG_GRKERNSEC_HARDEN_PTRACE=y enabled in the kernel. If so, then this is to be expected, so the limited info from strace shows nothing wrong. If you want more info from strace, you'll have to make sure this option is off.

I'm still not seeing what's causing this and I'm not able to reproduce it myself. Here are some recommendations, but I can't say if any will help:

1) Rebuild your toolchain/system/world. Choose i686-pc-linux-gnu-4.3.4 unless you have good reason not to and then

emerge gcc glibc binutils
emerge -e system
emerge -e world

2) Post your kernel config file so I can compare it to my kvm.

3) Compile the kernel with no ptrace hardening, repeat the strace and post the results.
Created attachment 251607 [details] kernel config:
Thanks for your help! Rebuilt system as you said. The result was repeated.
Created attachment 251609 [details]
strace gradm -E

emerge --info
Portage 2.1.8.3 (hardened/linux/x86/10.0, gcc-4.3.4, glibc-2.11.2-r0, 2.6.35-hardened-r4 i686)
=================================================================
System uname: Linux-2.6.35-hardened-r4-i686-06-03-with-gentoo-1.12.13
Timestamp of tree: Fri, 22 Oct 2010 03:30:01 +0000
app-shells/bash: 4.1_p7
dev-java/java-config: 2.1.11
dev-lang/python: 2.6.5-r3, 3.1.2-r4
dev-util/cmake: 2.8.1-r2
sys-apps/baselayout: 1.12.13
sys-apps/sandbox: 2.1
sys-devel/autoconf: 2.13, 2.65-r1
sys-devel/automake: 1.10.3, 1.11.1
sys-devel/binutils: 2.20.1-r1
sys-devel/gcc: 4.3.4
sys-devel/gcc-config: 1.4.1
sys-devel/libtool: 2.2.10
sys-devel/make: 3.81-r2
virtual/os-headers: 2.6.30-r1
ACCEPT_KEYWORDS="x86"
ACCEPT_LICENSE="* -@EULA PUEL dlj-1.1 skype-eula cadsoft AdobeFlash-10 AdobeFlash-10.1"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=i686 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -march=i686 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests distlocks fixpackages news parallel-fetch protect-owned sandbox sfperms strict unmerge-logs unmerge-orphans userfetch"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="ru_RU.UTF-8"
LC_ALL=""
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="ru en"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/var/lib/layman/sunrise /var/lib/layman/rion /var/lib/layman/mrcat /usr/local/overlays"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X acl apache2 auto-hinter berkdb btrfs bzip2 cairo cgi cleartype consolekit corefonts cracklib crypt cxx dbus device-mapper djvu dri dynamicplugin extras flash gd gdbm gdu gif gnome gpm gtk hal hardened histman iconv icq irc jabber java javascript jbig jpeg jpeg2k mmx modules mrim mudflap ncurses nls nptl nptlonly nsplugin openmp oscar pam pdf perl php pic png policykit posix postfix pppd python qt3support qt4 rar readline reiserfs samba spell sqlite sse sse2 ssl sysfs tcpd tiff truetype unicode urandom vkontakte x86 xml xorg yandexnarod zip zlib"
ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol"
APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias"
COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog"
ELIBC="glibc"
GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx"
INPUT_DEVICES="evdev"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
LINGUAS="ru en"
PHP_TARGETS="php5-2"
RUBY_TARGETS="ruby18"
USERLAND="GNU"
VIDEO_CARDS="cirrus"
XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
I compared our kernel config files and I'm still not seeing what this could be. Can the reporter get me a backtrace using gdb?
The rebuilt system worked. Thank you for your help!

Under KVM, disable in the kernel:
PAX_MEMORY_UDEREF

The cause of the inoperability is not understood.
(In reply to comment #9)
> The rebuilt system worked. Thank you for your help!
>
> Under KVM, disable in the kernel:
> PAX_MEMORY_UDEREF
>
> The cause of the inoperability is not understood.
>

I'm surprised this only affected gradm! Look through the other bug reports assigned to hardened-kernel@gentoo.org, there are lots regarding hardened under KVM.
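
The three things this thread ends up checking (the /dev/grsec device node at char 1,13, CONFIG_GRKERNSEC_HARDEN_PTRACE limiting strace output, and PAX_MEMORY_UDEREF enabled in a guest) collected into one pre-flight script. This is an added example, not code from the bug report or from gradm. The function names and the sample config are constructed, and `CONFIG_PAX_MEMORY_UDEREF` is the kernel .config spelling of the option the reporter names.

```shell
#!/bin/sh
# Added example, not from the bug thread: checks to run before "gradm -E".

# kconfig_state FILE OPTION -> prints y, m or n (n = unset or absent)
kconfig_state() {
    val=$(sed -n "s/^$2=\(.*\)\$/\1/p" "$1" | head -n 1)
    case "$val" in y|m) echo "$val" ;; *) echo n ;; esac
}

# is_guest CPUINFO -> true when the CPU flags include "hypervisor"
is_guest() {
    grep -Eq '^flags[[:space:]]*:.*[[:space:]]hypervisor([[:space:]]|$)' "$1"
}

# chardev_is PATH MAJOR MINOR -> true for a char device with those numbers
# (stat -c %t/%T print the device major/minor in hex)
chardev_is() {
    [ -c "$1" ] || return 1
    [ "$(stat -c '%t:%T' "$1")" = "$(printf '%x:%x' "$2" "$3")" ]
}

# diagnose CONFIG CPUINFO DEVICE -> one finding per line
diagnose() {
    chardev_is "$3" 1 13 ||
        echo "NODEV: $3 is not char device 1,13"
    [ "$(kconfig_state "$1" CONFIG_GRKERNSEC_HARDEN_PTRACE)" = y ] &&
        echo "PTRACE: strace of gradm will show limited info"
    if [ "$(kconfig_state "$1" CONFIG_PAX_MEMORY_UDEREF)" = y ] && is_guest "$2"
    then echo "UDEREF: enabled in a guest; reporter disabled it under KVM"
    fi
    return 0
}

# Constructed sample input (not the reporter's attached kernel config).
tmp=$(mktemp -d)
printf '%s\n' 'CONFIG_GRKERNSEC=y' 'CONFIG_GRKERNSEC_HARDEN_PTRACE=y' \
    'CONFIG_PAX_MEMORY_UDEREF=y' > "$tmp/config"
printf 'flags\t\t: fpu de pse sse2 pni popcnt hypervisor\n' > "$tmp/cpuinfo"
diagnose "$tmp/config" "$tmp/cpuinfo" /dev/grsec
rm -rf "$tmp"
```

On a real system, pass the running kernel's config, /proc/cpuinfo and /dev/grsec to `diagnose`.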