With grsecurity enabled in the kernel (see below for config), while running privoxy, webpages aren't provided to the client browser (in 3.0.* versions) or it is extremely slow (2.9.14_beta). Instead the following is entered in the log file:

Privoxy(16384) Error: can't fork: Interrupted system call

and spits out the following to the web browser:

Privoxy: can't fork: errno = 4

GRSECURITY KERNEL CONFIG:

# Grsecurity
#
CONFIG_GRKERNSEC=y
# CONFIG_GRKERNSEC_LOW is not set
# CONFIG_GRKERNSEC_MID is not set
# CONFIG_GRKERNSEC_HI is not set
CONFIG_GRKERNSEC_CUSTOM=y
#
# Address Space Protection
#
CONFIG_GRKERNSEC_PAX_NOEXEC=y
# CONFIG_GRKERNSEC_PAX_PAGEEXEC is not set
CONFIG_GRKERNSEC_PAX_SEGMEXEC=y
# CONFIG_GRKERNSEC_PAX_EMUTRAMP is not set
# CONFIG_GRKERNSEC_PAX_MPROTECT is not set
CONFIG_GRKERNSEC_PAX_ASLR=y
CONFIG_GRKERNSEC_PAX_RANDKSTACK=y
CONFIG_GRKERNSEC_PAX_RANDUSTACK=y
CONFIG_GRKERNSEC_PAX_RANDMMAP=y
# CONFIG_GRKERNSEC_PAX_RANDEXEC is not set
CONFIG_GRKERNSEC_KMEM=y
CONFIG_GRKERNSEC_IO=y
CONFIG_RTC=y
# CONFIG_GRKERNSEC_PROC_MEMMAP is not set
# CONFIG_GRKERNSEC_HIDESYM is not set
#
# ACL options
#
CONFIG_GRKERNSEC_ACL_HIDEKERN=y
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30
#
# Filesystem Protections
#
CONFIG_GRKERNSEC_PROC=y
CONFIG_GRKERNSEC_PROC_USER=y
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y
#
# Kernel Auditing
#
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
# CONFIG_GRKERNSEC_EXECLOG is not set
CONFIG_GRKERNSEC_RESLOG=y
# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
CONFIG_GRKERNSEC_AUDIT_MOUNT=y
CONFIG_GRKERNSEC_AUDIT_IPC=y
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_TIME=y
#
# Executable Protections
#
CONFIG_GRKERNSEC_EXECVE=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_RANDPID=y
CONFIG_GRKERNSEC_TPE=y
# CONFIG_GRKERNSEC_TPE_ALL is not set
CONFIG_GRKERNSEC_TPE_GID=2005
#
# Network Protections
#
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_RANDISN=y
CONFIG_GRKERNSEC_RANDID=y
CONFIG_GRKERNSEC_RANDSRC=y
CONFIG_GRKERNSEC_RANDRPC=y
CONFIG_GRKERNSEC_RANDPING=y
CONFIG_GRKERNSEC_SOCKET=y
CONFIG_GRKERNSEC_SOCKET_ALL=y
CONFIG_GRKERNSEC_SOCKET_ALL_GID=2004
CONFIG_GRKERNSEC_SOCKET_CLIENT=y
CONFIG_GRKERNSEC_SOCKET_CLIENT_GID=2003
CONFIG_GRKERNSEC_SOCKET_SERVER=y
CONFIG_GRKERNSEC_SOCKET_SERVER_GID=2002
#
# Sysctl support
#
# CONFIG_GRKERNSEC_SYSCTL is not set
#
# Logging options
#
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=4

Reproducible: Always

Steps to Reproduce:
1. enable Grsecurity in your kernel
2. emerge privoxy
3. run privoxy

Actual Results:
the following is entered in the log file:

Privoxy(16384) Error: can't fork: Interrupted system call

and spits out the following to the web browser:

Privoxy: can't fork: errno = 4

Expected Results:
Privoxy is supposed to work, i.e. provide filtered web content to the client browser.

Portage 2.0.47-r10 (default-x86-1.4, gcc-3.2.2, glibc-2.3.1-r4)
=================================================================
System uname: 2.4.20-gentoo-r2 i686 Pentium III (Katmai)
GENTOO_MIRRORS="http://gentoo.oregonstate.edu/ http://distro.ibiblio.org/pub/Linux/distributions/gentoo"
CONFIG_PROTECT="/etc /var/qmail/control /usr/share/config /usr/kde/2/share/config /usr/kde/3/share/config /var/bind"
CONFIG_PROTECT_MASK="/etc/gconf /etc/env.d"
PORTDIR="/usr/portage"
DISTDIR="/usr/portage/distfiles"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR_OVERLAY=""
USE="x86 3dnow crypt encode gif imlib jpeg kde libg++ mmx motif ncurses nls pdflib png spell xml2 zlib gdbm slang readline tcpd pam libwww ssl perl python acl acpi -apm -arts -avi -berkdb cups -gnome -gpm -gtk imap -java mbox -mikmod -mpeg mysql -oggvorbis -opengl -oss -qt -quicktime samba scanner -sdl -selinux slp sse -svga -truetype -X -xmms -xv"
COMPILER="gcc3"
CHOST="i686-pc-linux-gnu"
CFLAGS="-march=pentium3 -O3 -pipe -fomit-frame-pointer"
CXXFLAGS="-march=pentium3 -O3 -pipe -fomit-frame-pointer"
ACCEPT_KEYWORDS="x86"
MAKEOPTS="-j2"
AUTOCLEAN="no"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage/"
FEATURES="ccache sandbox userpriv usersandbox"

below it shows gentoo-sources-2.4.20-r2... did you try gentoo-sources-2.4.20-r5? Thanks, Jay
Yes I tried 2.4.20-gentoo-r5, r4 and r2. The emerge info was just from an r2 kernel. I also compiled r5 without any grsecurity stuff and the problem with privoxy was gone. Stephan
Added iggy to spam list. I think he wants grsecurity out of gentoo-sources. Stephan, please try the latest kernel and reopen this bug if the problem persists. Also try hardened-sources if you need grsecurity.
If disabling grsec fixes the problem, I'd say it's an overzealous grsec setup. Maybe you should try disabling some of the grsec features. Also, acooks' suggestion to use hardened-sources should have been grsec-sources.