Created attachment 366312 [details] output of start-stop-daemon

When I boot with the kernel without grsecurity, it works. When I boot with the same kernel with grsecurity, it fails to start. dmesg/grsec.log/pax.log do not have any info about it.

Portage 2.2.7 (hardened/linux/amd64, gcc-4.7.3, glibc-2.16.0, 3.2.51-hardened-r2-xxxx-std-ipv6-64 x86_64)
=================================================================
System uname: Linux-3.2.51-hardened-r2-xxxx-std-ipv6-64-x86_64-Intel-R-_Xeon-R-_CPU_E3-1245_V2_@_3.40GHz-with-gentoo-2.2
KiB Mem: 32860828 total, 32412604 free
KiB Swap: 10239996 total, 10239996 free
Timestamp of tree: Wed, 25 Dec 2013 18:45:01 +0000
ld GNU ld (GNU Binutils) 2.23.2
app-shells/bash: 4.2_p45
dev-lang/python: 2.7.5-r3, 3.3.2-r2
dev-util/cmake: 2.8.11.2
dev-util/pkgconfig: 0.28
sys-apps/baselayout: 2.2
sys-apps/openrc: 0.12.4
sys-apps/sandbox: 2.6-r1
sys-devel/autoconf: 2.69
sys-devel/automake: 1.13.4
sys-devel/binutils: 2.23.2
sys-devel/gcc: 4.7.3-r1
sys-devel/gcc-config: 1.7.3
sys-devel/libtool: 2.4.2
sys-devel/make: 3.82-r4
sys-kernel/linux-headers: 3.9 (virtual/os-headers)
sys-libs/glibc: 2.16.0
Repositories: gentoo
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="*"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe -march=core-avx-i -g0"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.5/ext-active/ /etc/php/cgi-php5.5/ext-active/ /etc/php/cli-php5.5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -pipe -march=core-avx-i -g0"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--with-bdeps y"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs collision-protect config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox sfperms sign split-log strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://mirrors.linuxant.fr/distfiles.gentoo.org/ http://mirror.ovh.net/gentoo-distfiles/"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j8"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC="rsync://gentoo.mirrors.ovh.net/gentoo-portage/"
USE="acl amd64 berkdb bzip2 cli cracklib crypt cxx dri fpm gdbm hardened iconv ipv6 justify mmx modules multilib ncurses nptl openmp pam pax_kernel pcre readline session sse sse2 ssl tcpd threads unicode urandom zlib" ABI_X86="64" ELIBC="glibc" KERNEL="linux" LINGUAS="en en_GB" NGINX_MODULES_HTTP="auth_basic charset empty_gif fastcgi gzip memcached proxy referer rewrite scgi split_clients ssi upstream_ip_hash userid uwsgi access stub_status" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-5" PYTHON_SINGLE_TARGET="python2_7 python3_3" PYTHON_TARGETS="python2_7 python3_3" USERLAND="GNU" USE_PYTHON="2.7 3.3"
Created attachment 366314 [details] strace -f
Created attachment 366316 [details] grsecurity kernel config

I can reproduce this issue on more than one machine with the same grsec config.
You tripped CONFIG_GRKERNSEC_SYSFS_RESTRICT, with mongo::ProcessInfo::checkNumaEnabled.

The only parts of sysfs allowed to non-root are:
/sys/fs/selinux
/sys/fs/fuse
/sys/devices/system/cpu

Either this needs to be selectable from outside, or the code needs to implement a different NUMA check.

If you want to implement the NUMA check differently, I suggest scanning for an entry /sys/devices/system/cpu/cpu*/numa* where the last part is not numa0.

You'll also later trip grsec with:
- mongo::show_warnings (again to numa)
- mongo::checkReadAhead (checking of block readahead)
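As an added illustration of the alternative check suggested in the comment above (this is example code written here, not code from the bug, from the MongoDB tree, or from the commenter): a NUMA probe that stays inside the /sys/devices/system/cpu subtree, the one path under /sys/devices that SYSFS_RESTRICT still lets an unprivileged daemon read, and that degrades to "unknown" instead of aborting when sysfs cannot be listed. It assumes the nodeN entries that mainline kernels place under each cpuN directory (the comment's glob says numa*, which is treated here as an assumption about naming); the fake sysfs trees are constructed solely so the code runs offline.

```python
import os
import re
import tempfile

_CPU_RE = re.compile(r"^cpu\d+$")
_NODE_RE = re.compile(r"^node(\d+)$")   # assumption: mainline layout is cpuN/nodeN


def numa_nodes_from_cpu_dir(sysfs_root="/sys"):
    """Collect NUMA node ids by scanning <sysfs_root>/devices/system/cpu/cpuN/nodeM.

    Returns a set of node ids, or None when the subtree cannot be read
    (PermissionError under CONFIG_GRKERNSEC_SYSFS_RESTRICT, or a missing tree).
    Never touches /sys/devices/system/node, which the restriction hides.
    """
    cpu_dir = os.path.join(sysfs_root, "devices", "system", "cpu")
    nodes = set()
    try:
        for cpu in os.listdir(cpu_dir):
            if not _CPU_RE.match(cpu):          # skip cpuidle, cpufreq, online, ...
                continue
            for entry in os.listdir(os.path.join(cpu_dir, cpu)):
                m = _NODE_RE.match(entry)
                if m:
                    nodes.add(int(m.group(1)))
    except OSError:
        # EACCES from a restricted sysfs is the case that made mongod bail out;
        # report "unknown" so the caller can log a warning instead of dying.
        return None
    return nodes


def check_numa_enabled(sysfs_root="/sys"):
    """Three-state answer: True (more than one node), False, or None (unknown)."""
    nodes = numa_nodes_from_cpu_dir(sysfs_root)
    if nodes is None:
        return None
    return len(nodes) > 1


def build_fake_sysfs(node_of_cpu):
    """Constructed sysfs tree for offline testing: maps cpu index -> node id."""
    root = tempfile.mkdtemp(prefix="fake-sysfs-")
    cpu_dir = os.path.join(root, "devices", "system", "cpu")
    for cpu, node in node_of_cpu.items():
        d = os.path.join(cpu_dir, "cpu%d" % cpu)
        os.makedirs(d)
        # real kernels use a symlink to ../../node/nodeN; a plain dir is enough here
        os.mkdir(os.path.join(d, "node%d" % node))
    os.makedirs(os.path.join(cpu_dir, "cpuidle"))   # non-cpuN entry that must be skipped
    return root


def build_unreadable_sysfs():
    """Constructed tree whose cpu entry cannot be listed.

    A regular file stands in for the directory so listdir raises an OSError
    even when run as root; on a grsec kernel the same call raises PermissionError.
    """
    root = tempfile.mkdtemp(prefix="fake-sysfs-")
    sysdir = os.path.join(root, "devices", "system")
    os.makedirs(sysdir)
    open(os.path.join(sysdir, "cpu"), "w").close()
    return root


if __name__ == "__main__":
    state = {True: "NUMA enabled", False: "single node", None: "unknown (sysfs restricted?)"}
    print("host:", state[check_numa_enabled()])
    print("two-node fixture:", state[check_numa_enabled(build_fake_sysfs({0: 0, 1: 0, 2: 1, 3: 1}))])
    print("unreadable fixture:", state[check_numa_enabled(build_unreadable_sysfs())])
```

The point of the three-state result is the failure mode in this bug: a probe that only reads paths a hardened kernel permits, and that treats "cannot read" as a warning condition rather than a fatal error, keeps the daemon starting under SYSFS_RESTRICT while still reporting NUMA where it can be observed.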
Created attachment 366630 [details, diff] fix grsec/pax

Hi,

Please check that the attached patch does fix this problem, I'll then push it to tree.

Thanks
(In reply to Ultrabug from comment #4)
> Created attachment 366630 [details, diff]
> fix grsec/pax
>
> Hi,
>
> Please check that the attached patch does fix this problem, I'll then push
> it to tree.
>
> Thanks

Against 3.4.8 it compiles but does not solve the issue.
(In reply to Agostino Sarubbo from comment #5)
> (In reply to Ultrabug from comment #4)
> > Created attachment 366630 [details, diff]
> > fix grsec/pax
> >
> > Hi,
> >
> > Please check that the attached patch does fix this problem, I'll then push
> > it to tree.
> >
> > Thanks
>
> Against 3.4.8 it compiles but does not solve the issue.

2.4.8
(In reply to Agostino Sarubbo from comment #6)
> (In reply to Agostino Sarubbo from comment #5)
> > (In reply to Ultrabug from comment #4)
> > > Created attachment 366630 [details, diff]
> > > fix grsec/pax
> > >
> >
> > Against 2.4.8 it compiles but does not solve the issue.

Then I'm afraid that [1] is not enough. Note that I had to do the patch myself since a lot of other stuff got modified in the way, so I must have forgotten something in the patch. Do you see anything I missed, maybe on your side?

[1] https://jira.mongodb.org/browse/SERVER-9248
To be sure, can you try to push the 2.5 version as masked, and I can test it.
(In reply to Agostino Sarubbo from comment #8)
> To be sure you can you try to push the 2.5 version as masked and I can test
> it.

It's done on my overlay (ultrabug). Please try from there, it's available on layman.

Cheers
Any news on this? If it is likely to stay, I may need to plan another box for mongo, or at least a chroot.
(In reply to Bèrto 'd Sèra from comment #10)
> Any news on this? If it is likely to stay I may need to plan another box for
> mongo, or at least a chroot

I'm afraid not. Can any of you try with the brand new version 2.6.1 in tree, please?
Upstream finally fixed it (see https://jira.mongodb.org/browse/SERVER-9248) and I can confirm that it works on =dev-db/mongodb-2.4.10-r1.
(In reply to Ultrabug from comment #11)
> I'm afraid not, can any of you try with the brand new version 2.6.1 in tree
> please ?

2.6.1-r1 does not work for me.

(In reply to Jakub Jirutka from comment #12)
> Upstream finally fixed it (see https://jira.mongodb.org/browse/SERVER-9248)
> and I can confirm that it works on =dev-db/mongodb-2.4.10-r1.

2.4.10-r1 does not work for me.
That's finally fixed for me. Closing.