relay-ctrl-chdir uses a function which tries to move a given file descriptor to highest available slot. This uses a loop which ends when dup2() function returns an error - this way the loop will end as soon as dup2() function tries to overstep limit of opened files in system (RLIMIT_NOFILE). In a hardened kernel, with logging enabled, there are lots of messages like this: grsec: denied resource overstep by requesting 1024 for RLIMIT_NOFILE against limit 1024 for /usr/bin/relay-ctrl-chdir[relay-ctrl-chdi:3776] uid/euid:89/89 gid/egid:89/89, parent /usr/lib64/courier-imap/couriertcpd[couriertcpd:2370] uid/euid:0/0 gid/egid:0/0 In a normal kernel, it is probably not noticeable. I wrote a simple patch for checking against RLIMIT_NOFILE to end the loop before overstepping the limit - this stopped the log flood, although I am not sure if the patch is written cleanly enough (maybe the function should be rewritten) - anyway, please see the attachment. Cheers, Pawel Reproducible: Always Steps to Reproduce: 1. Use relay-ctrl for SMTP relay control and grsecurity kernel 2. Have relay-ctrl-chdir invoked 3. Observe a warning in dmesg Actual Results: The following warning is produced: grsec: denied resource overstep by requesting 1024 for RLIMIT_NOFILE against limit 1024 for /usr/bin/relay-ctrl-chdir[relay-ctrl-chdi:3776] uid/euid:89/89 gid/egid:89/89, parent /usr/lib64/courier-imap/couriertcpd[couriertcpd:2370] uid/euid:0/0 gid/egid:0/0 Expected Results: There should be no warning (so there should be no cause for it).
Created attachment 256688 [details, diff] Proposed patch for fixing the issue
The bug has been closed via the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=160ea25bdf79c86107ac0659146db4e76c4b5166 commit 160ea25bdf79c86107ac0659146db4e76c4b5166 Author: Robin H. Johnson <robbat2@gentoo.org> AuthorDate: 2020-05-31 04:41:34 +0000 Commit: Robin H. Johnson <robbat2@gentoo.org> CommitDate: 2020-05-31 04:46:52 +0000 net-mail/relay-ctrl: fix grsec RLIMIT_NOFILE overstep Closes: https://bugs.gentoo.org/348203 Signed-off-by: Robin H. Johnson <robbat2@gentoo.org> .../files/relay-ctrl-3.1.1-NOFILE-overstep.patch | 25 ++++++++++++++++++++++ net-mail/relay-ctrl/relay-ctrl-3.1.1-r3.ebuild | 1 + 2 files changed, 26 insertions(+)