Bug 500514 - sys-cluster/ceph-0.72.2 does not run on hardened kernel due MPROTECT
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened
Hardware: AMD64 Linux
Importance: Normal normal
Assignee: The Gentoo Linux Hardened Team
Reported: 2014-02-06 13:44 UTC by Deniss Gaplevsky
Modified: 2014-02-20 10:20 UTC

Description Deniss Gaplevsky 2014-02-06 13:44:13 UTC
The following warnings are produced on a hardened system with sys-libs/glibc-2.17 & sys-devel/gcc-4.7.3-r1:
 * QA Notice: The following files contain writable and executable sections
 *  Files with such sections will not work properly (or at all!) on some
 *  architectures/operating systems.  A bug should be filed at
 *  http://bugs.gentoo.org/ to make sure the issue is fixed.
 *  For more information, see http://hardened.gentoo.org/gnu-stack.xml
 *  Please include the following list of files in your report:
 *  Note: Bugs should be filed for the respective maintainers
 *  of the package in question and not hardened@g.o.
 * RWX --- --- usr/bin/ceph-mds
 * RWX --- --- usr/bin/ceph-mon
 * RWX --- --- usr/bin/ceph-osd
 * RWX --- --- usr/bin/ceph-syn
 * RWX --- --- usr/bin/ceph-authtool
 * RWX --- --- usr/bin/crushtool
 * RWX --- --- usr/bin/ceph_filestore_dump
 * RWX --- --- usr/bin/ceph_filestore_tool
 * RWX --- --- usr/bin/ceph_mon_store_converter
 * RWX --- --- usr/bin/ceph-conf
 * RWX --- --- usr/bin/ceph-dencoder
 * RWX --- --- usr/bin/osdmaptool
 * RWX --- --- usr/bin/monmaptool
 * RWX --- --- usr/lib64/libcephfs.so.1.0.0
 * RWX --- --- usr/lib64/librados.so.2.0.0

The hardened kernel kills all binaries linked to librados.so with
6 12:28:05 box1 kernel: grsec: denied RWX mmap of <anonymous mapping> by /usr/bin/ceph-conf[ceph-conf:2171] uid/euid:0/0 gid/egid:0/0, parent /usr/lib64/ceph/ceph_init.sh[ceph_init.sh:2170] uid/euid:0/0 gi
unless mprotect is disabled on the binary

Reproducible: Always

Steps to Reproduce:
1. Set up hardened Gentoo with grsec (MPROTECT) enabled
2. Compile sys-cluster/ceph-0.72.2
3. Run /usr/bin/crushtool
Actual Results:  
grsec kills the process

Expected Results:  
Runs flawlessly
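
The QA notice in the description points to the gnu-stack document, and an ELF file records the stack permissions it requests in its PT_GNU_STACK program header. As an added example (not part of the bug report or of Gentoo's tooling), this Python code reads that header directly. It assumes the notice's RWX column reflects PT_GNU_STACK, handles little-endian ELF64 only, and runs on constructed sample images with hypothetical names.

```python
import struct

PT_GNU_STACK = 0x6474E551          # program header type carrying the stack permissions
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4   # p_flags bits

def gnu_stack_flags(elf: bytes):
    """Return PT_GNU_STACK permissions as e.g. 'RWX' or 'RW-'; None if the header is absent."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if elf[4] != 2 or elf[5] != 1:
        raise ValueError("this example handles little-endian ELF64 only")
    (e_phoff,) = struct.unpack_from("<Q", elf, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    for i in range(e_phnum):
        # In an ELF64 program header, p_type and p_flags are the first two 32-bit words.
        p_type, p_flags = struct.unpack_from("<II", elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            return "".join(ch if p_flags & bit else "-"
                           for ch, bit in (("R", PF_R), ("W", PF_W), ("X", PF_X)))
    return None

def exec_stack_files(images: dict):
    """Names of images whose PT_GNU_STACK asks for an executable stack."""
    return sorted(n for n, data in images.items() if "X" in (gnu_stack_flags(data) or ""))

def make_elf(stack_flags):
    """Constructed sample: ELF64 header plus one PT_GNU_STACK program header (none if None)."""
    phnum = 0 if stack_flags is None else 1
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    # e_type=ET_DYN(3), e_machine=EM_X86_64(62), e_version, e_entry, e_phoff=64, e_shoff,
    # e_flags, e_ehsize=64, e_phentsize=56, e_phnum, e_shentsize, e_shnum, e_shstrndx
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, phnum, 0, 0, 0)
    if stack_flags is None:
        return hdr
    return hdr + struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)

if __name__ == "__main__":
    samples = {  # constructed names and images, not the real ceph binaries
        "sample-rwx": make_elf(PF_R | PF_W | PF_X),
        "sample-rw": make_elf(PF_R | PF_W),
        "sample-nohdr": make_elf(None),
    }
    for name, data in samples.items():
        print(name, gnu_stack_flags(data))
    print("executable stack requested by:", exec_stack_files(samples))
```
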
Comment 1 Deniss Gaplevsky 2014-02-07 08:26:52 UTC
Indeed, this bug is a blocker for ceph on hardened systems.
Comment 2 Deniss Gaplevsky 2014-02-12 09:07:48 UTC
I upgraded another Gentoo box and noticed that emerge -u1DN world (which implies a gcc/glibc upgrade) does not break ceph, while emerge -e afterward leads to the problem.
Comment 3 Yixun Lan archtester gentoo-dev 2014-02-20 10:20:58 UTC
+*ceph-0.77 (20 Feb 2014)
+*ceph-0.72.2-r3 (20 Feb 2014)
+*ceph-0.67.7 (20 Feb 2014)
+
+  20 Feb 2014; Yixun Lan <dlan@gentoo.org> -ceph-0.67.5-r2.ebuild,
+  +ceph-0.67.7.ebuild, -ceph-0.72.2-r2.ebuild, +ceph-0.72.2-r3.ebuild,
+  -ceph-0.75.ebuild, +ceph-0.77.ebuild, +files/ceph-fix-gnustack.patch:
+  bump 0.67.7, 0.77, drop old; fix bug #500514, #500974
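
Review bot: The entry text "bump 0.67.7, 0.77, drop old; fix bug #500514, #500974" folds three version changes and two bug fixes into one line, so it does not say which bug +files/ceph-fix-gnustack.patch addresses or which of the new ebuilds (0.67.7, 0.72.2-r3, 0.77) apply it. Suggest naming the patch next to its bug number and listing the ebuilds that carry it, so users of each version can tell whether they have the fix.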