I have found 2 problems with erlang running on the hardened profile.

1. http://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options#Sysfs.2Fdebugfs_restriction prevents you from running erlang code as non-root.
It's hard to detect, but erlang applications have problems reading files from the FS as a result.
Typically riak won't be able to read its config file on startup, followed by a segfault from Erlang saying "error in reading /etc/riak/app.config".
It seems to be rather a feature of the hardened kernel than a bug.

2. beam.smp doesn't work properly until you disable mprotect.
paxctl -m /usr/lib64/erlang/erts-5.9/bin/beam.smp
should be part of the ebuild or ebuild info.
For other applications that install their own erlang, i.e. riak, it must be done again.
paxctl -m /usr/lib64/riak/erts-5.9/bin/beam.smp

Reproducible: Always

denied RWX mmap of <anonymous mapping> by /usr/lib64/riak/erts-5.9/bin/beam.smp[beam.smp:5119] uid/euid:106/106 gid/egid:118/118, parent /usr/lib64/riak/erts-5.9/bin/run_erl[run_erl:4914] uid/euid:106/106 gid/egid:118/118
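The denial line quoted in the report is enough to find every binary on a host that trips PaX MPROTECT. The following Python is an added example, not part of the original bug thread: it parses lines in that format and groups them by executable. The first sample line is the one from the report; the other two are constructed, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: line 1 is the denial quoted in the report; lines 2-3
# are made up for illustration (a repeat with another PID, an unrelated line).
SAMPLE_LOG = """\
denied RWX mmap of <anonymous mapping> by /usr/lib64/riak/erts-5.9/bin/beam.smp[beam.smp:5119] uid/euid:106/106 gid/egid:118/118, parent /usr/lib64/riak/erts-5.9/bin/run_erl[run_erl:4914] uid/euid:106/106 gid/egid:118/118
denied RWX mmap of <anonymous mapping> by /usr/lib64/riak/erts-5.9/bin/beam.smp[beam.smp:5240] uid/euid:106/106 gid/egid:118/118, parent /usr/lib64/riak/erts-5.9/bin/run_erl[run_erl:5201] uid/euid:106/106 gid/egid:118/118
EXT4-fs (sda1): mounted filesystem with ordered data mode
"""

# Field layout taken from the log line in the report.
DENIAL = re.compile(
    r"denied RWX mmap of (?P<target><[^>]*>|\S+) by "
    r"(?P<exe>/\S+?)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+) gid/egid:\d+/\d+, "
    r"parent (?P<parent>/\S+?)\[[^:\]]+:(?P<ppid>\d+)\]"
)

def parse_denials(text):
    """Return one dict per 'denied RWX mmap' line; other lines are skipped."""
    found = []
    for line in text.splitlines():
        m = DENIAL.search(line)  # search, so any log prefix is tolerated
        if m:
            d = m.groupdict()
            for key in ("pid", "uid", "euid", "ppid"):
                d[key] = int(d[key])
            found.append(d)
    return found

def summarize(denials):
    """Group denials by executable: hit count, PIDs, effective UIDs, parents."""
    by_exe = defaultdict(
        lambda: {"count": 0, "pids": [], "euids": set(), "parents": set()})
    for d in denials:
        entry = by_exe[d["exe"]]
        entry["count"] += 1
        entry["pids"].append(d["pid"])
        entry["euids"].add(d["euid"])
        entry["parents"].add(d["parent"])
    return dict(by_exe)

if __name__ == "__main__":
    for exe, info in summarize(parse_denials(SAMPLE_LOG)).items():
        print(f"{exe}: {info['count']} RWX mmap denial(s), "
              f"euid {sorted(info['euids'])}, parent {sorted(info['parents'])}")
```

Each executable it lists is a candidate for the two remedies discussed in this thread: the per-binary paxctl -m exemption, or a rebuild without hipe.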
(In reply to comment #0)
> 2. beam.smp doesn't work properly until you disable mprotect

What do you mean by "not properly"?

> paxctl -m /usr/lib64/erlang/erts-5.9/bin/beam.smp should be part of the

Are you using erlang-15.2 (R15B)? Please consider updating to erlang-15.2.2 (R15B02).
I've been using erlang here on my machine (which is running a hardened-sources kernel) for a while, without major problems.
Oh, and one thing: Are you using hipe (USE flag +hipe)? In this case, try to disable that. It seems to be using some JIT techniques which don't work well on hardened systems...
(In reply to comment #0)
> 1.
> http://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options#Sysfs.2Fdebugfs_restriction
> prevents you from running erlang code as non-root.
> It's hard to detect, but erlang applications have problems reading files from
> the FS as a result.
> Typically riak won't be able to read its config file on startup, followed by
> a segfault from Erlang saying "error in reading /etc/riak/app.config".
> It seems to be rather a feature of the hardened kernel than a bug.

I /am/ able to access files from erlang (as long as I have read permissions on them, for sure) using erlang-15.2.2 and hardened-sources-3.5.4-r1 with CONFIG_GRKERNSEC_SYSFS_RESTRICT enabled.
This appears to be fixed in 15.2.2.