Tried upgrading from hardened 4.3.4 to 4.8.11 and I got a panic on boot. After inspection of my kernel config, it would seem that enabling grsec also enables the new in-kernel HARDENED_USERCOPY; the one provided by grsec was disabled on my 4.3.4 config. Since the option is hidden and enabled by enabling grsec itself, I can't turn it off, so I can't boot a new kernel if I'm using zfs.
A screenshot with the panic - http://i.imgur.com/GJza8rL.jpg
4.3.4 config - https://paste.pound-python.org/show/0msGOEagGFI5M4YXa7WK/
4.8.11 config - https://paste.pound-python.org/show/O0a4F1RN2CJwl6gZCYPQ/
diff of the configs - https://www.diffchecker.com/IT899b1l
Bug also filed over on the zfs github - https://github.com/zfsonlinux/zfs/issues/5468
Thanks
Did you apply any extra patches to =sys-kernel/hardened-sources-4.8.11?
Not that I know of. This was a direct upgrade by installing the ebuild, copying the 4.3.4 /proc/config.gz to .config, and running make. Thanks
(In reply to Chris Henhawke from comment #2)
> Not that I know of. This was a direct upgrade by installing the ebuild,
> copying the 4.3.4 /proc/config.gz to .config, and running make.
>
> Thanks
okay i'll pass this along to the pax/grsec team. also, you should really upload your config files to the bug and not pastebin them because pastebins go away and we want to have all the records remain intact.
Created attachment 456894: 4.3.4 config
Created attachment 456896: 4.8.11 config
I'm going to close this as I was also having problems upgrading to hardened 4.7 and 4.4, and I've since been able to boot into hardened 4.4. It might be possible I was doing something wrong.
what we would need is dmesg as your screenshot is just missing the lines where USERCOPY reported the slab cache name that was caught during a usercopy operation. my guess is that one/some of zfs's own slabs should be created via kmem_cache_create_usercopy/KMEM_CACHE_USERCOPY instead of kmem_cache_create/KMEM_CACHE. as for disabling HARDENED_USERCOPY, i think it's caused by the def_bool in security/Kconfig, the following patch should fix it: --- a/security/Kconfig 2017-01-01 23:37:07.038614134 +0100 +++ b/security/Kconfig 2017-01-15 11:49:38.737320407 +0100 @@ -913,7 +913,7 @@ copy_to_user() and copy_from_user(). config HARDENED_USERCOPY - def_bool y + bool select BUG if BROKEN_SECURITY config HARDENED_USERCOPY_PAGESPAN
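Review bot: the replacement line `bool` under `config HARDENED_USERCOPY` carries no prompt string, so as far as this hunk shows the symbol has neither a default nor a user-visible prompt and will evaluate to n unless some other option selects it. If the intent is to let users switch the check off while keeping it available, either give it a prompt (`bool "<prompt text>"`) or confirm that the grsec-provided usercopy option mentioned in the report selects it, and say which in the patch description. The context line `select BUG if BROKEN_SECURITY` stays attached to the symbol, so it is worth checking that it still does what is wanted once the symbol can be off.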
I'll pass that along to the ZFS folks, but unfortunately I can't keep rebooting that machine for testing, so hopefully someone else can pick up where I left off. https://github.com/zfsonlinux/zfs/issues/5468
Closing stale bug as CANTFIX since hardened-sources has been removed from portage.