Some days ago i turned on grsec & pax in gentoo-sources-2.4.26-r9, and built a PIE/SSP Enabled Userland accprding to; http://www.gentoo.org/proj/en/hardened/docs/pax-howto.xml#doc_chap5 - with one difference, i haven't ran emerge -e world, i ran emerge -uD world instead, which worked fine until it came to this point; install -D --owner 0 --group 0 --mode a=rx proc/libproc-3.2.3.so /var/tmp/portage/procps-3.2.3-r1/image//lib/libproc-3.2.3.so ldconfig install -D --owner 0 --group 0 --mode a=rx ps/ps /var/tmp/portage/procps-3.2.3-r1/image//bin/ps make: *** [/var/tmp/portage/procps-3.2.3-r1/image//bin/ps] Illegal instruction !!! ERROR: sys-apps/procps-3.2.3-r1 failed. !!! Function einstall, Line 385, Exitcode 2 !!! einstall failed and in /var/log/messages i get; grsec: attempted resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 by /bin/install[install:1745] uid/euid:0/0 gid/egid:0/0 Now the fun begins; every command i try to run now results in the answer; Illegal instruction. after i reset i get to the passwordprompt for the cryptoroot, enter the pass and press enter and it spits out the standar reiserfs-mounted-stuff, and then; Pivoting to encrypted root completed successfully. And there it stops, it responds to keyboard, but it just doesn't do anymore. I have to reboot into knoppix, mount the drive & unpack a glibc-package from another computer on the drive. before unpacking strace chroot /mnt/hda2 gives; fstat54(3, {st_mode=S_IFREG|0644, st_size=0, ...}) = 0 close(3) = 0 --- SIGILL (Illegal instruction) @ 0 (0) --- +++ killed by SIGILL +++ after unpacking it works to chroot, and after reboot the system boots nicely after rootcryptopasswd.. if i try to emerge procps again, the same thing happens Reproducible: Always Steps to Reproduce: 1. install gentoo-sources 2. USE="hardened" emerge bintuils gcc glibc 3. emerge procps Actual Results: See details. Is it due to gentoo-sources instead of recommended hardened or grsec? Or is it due to not running emerge -e world? I see now that it says "To maintain a consistant toolchain, first emerge bintuils gcc glibc. Next, rebuild the entire system with emerge -e world." - should that be interpreted as "You have to do 1) and 2) to fix toolchain"? it WILL take ages to build all from scratch on this poor pentium;) Expected Results: install smooothly:) Gentoo Base System version 1.4.16 Portage 2.0.50-r11 (default-x86-2004.2, gcc-3.3.4, glibc-2.3.3.20040420-r1,2.3.3.20040420-r0, 2.4.26-gentoo-r9) ================================================================= System uname: 2.4.26-gentoo-r9 i586 Pentium MMX distcc 2.16 i386-pc-linux-gnu (protocols 1 and 2) (default port 3632) [enabled] Autoconf: sys-devel/autoconf-2.59-r4 Automake: sys-devel/automake-1.8.5-r1 ACCEPT_KEYWORDS="x86" AUTOCLEAN="yes" CFLAGS="-O3 -march=pentium -fomit-frame-pointer" CHOST="i386-pc-linux-gnu" COMPILER="" CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/qmail/control" CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d" CXXFLAGS="-O3 -march=pentium -fomit-frame-pointer" DISTDIR="/usr/portage/distfiles" FEATURES="autoaddcvs ccache distcc sandbox" GENTOO_MIRRORS="ftp://mirror.pudas.net/gentoo" MAKEOPTS="-j1" PKGDIR="/usr/portage/packages" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="" USE="apm arts avi berkdb bitmap-fonts crypt cups distcc encode extensions foomaticdb gdbm gif gpm gtk2 hardened imlib ipv6 jpeg kde libg++ libwww mad mikmod motif mpeg ncurses nls oggvorbis opengl oss pam pdflib perl png python qt quicktime readline sdl slang spell ssl svga tcpd truetype x86 xml2 xmms xprint xv zlib"
okey, just to rule out problems, i made an emerge -w world which now stopped in gcc-config-1.3.6-r1 with; /usr/sbin/ebuild.sh: line 1444: 4606 Done set 4607 Illegal instruction | egrep -v "^SANDBOX_" > "${T}/enviroment" 2>/dev/null /usr/sbin/ebuild.sh: line 1444: 4608 Illegal instruction chown portage:portage "${T}/enviroment" >&/dev/null /usr/sbin/ebuild.sh: line 1445: 4609 Illegal instruction chmod g+w "${T}/enviroment" >&/dev/null /usr/sbin/ebuild.sh: line 1445: 4610 Illegal instruction tocuh "${T}/successful" >&/dev/null /usr/sbin/ebuild.sh: line 1446: 4611 Illegal instruction chown portage:portage "${T}/successful" >&/dev/null /usr/sbin/ebuild.sh: line 1447: 4612 Illegal instruction chmod g+w "${T}/successful" >&/dev/null >>> Regenerating /etc/ld.so.cache >>> sys-devel/gcc-config-1.3.6-r1 merged. >>> Recording sys-devel/gcc-config in "world" facorites file... root # ls Illegal instruction root # ie. same thing happens here
emerge -e world, not -w
here's syslog for the last one (gcc-config); grsec: attempted resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 by /bin/bash[bash:4604] uid/euid:0/0 gid/egid:0/0, parent /usr/lib/portage/bin/env-update[env-update:4599] uid/euid:0/0 gid/egid:0/0 grsec: attempted resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 by /bin/grep[grep:4607] uid/euid:0/0 gid/egid:0/0, parent /usr/lib/portage/bin/ebuild.sh[env-update:4505] uid/euid:0/0 gid/egid:0/0 grsec: attempted resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 by /bin/chown[grep:4608] uid/euid:0/0 gid/egid:0/0, parent /usr/lib/portage/bin/ebuild.sh[env-update:4505] uid/euid:0/0 gid/egid:0/0 grsec: attempted resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 by /bin/chmod[chmod:4609] uid/euid:0/0 gid/egid:0/0, parent /usr/lib/portage/bin/ebuild.sh[env-update:4505] uid/euid:0/0 gid/egid:0/0 grsec: attempted resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 by /bin/touch[grep:4610] uid/euid:0/0 gid/egid:0/0, parent /usr/lib/portage/bin/ebuild.sh[env-update:4505] uid/euid:0/0 gid/egid:0/0 grsec: more alerts, logging disabled for 10 seconds grsec: attempted resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 by /bin/ls[ls:4616] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:12094] uid/euid:0/0 gid/egid:0/0
now a simple env-update after boot triggers this
Is this still a problem? anybody else having this exact same problem?
Yup, still a problem, the computer stands here in a corner awaiting attention.. was thinking about tarring down content of the drive if anyone wants more info about it.. i need to use the box soon.
well it looks like you built it from scratch using invalid configuration your CHOST is i386 but your CFLAGS say i686+ this is known to not work