[grsec] problems with latest 38.3 patch

Brad Spengler spender at grsecurity.net
Thu Apr 21 17:43:52 EDT 2011


You're seeing these messages now because up until now you didn't read 
the configuration help ;)  See this post:
http://forums.grsecurity.net/viewtopic.php?f=3&t=2603

You may also need to run execstack -c (from the prelink package) on the 
libraries that cause errors when loading.  The firefox issue is a known
upstream bug:
https://secure.wikimedia.org/wikibooks/en/wiki/Grsecurity/Application-specific_Settings#Firefox_.28or_Iceweasel_with_Debian.29
"Firefox >= 3.5 may need RANDMMAP to be disabled, if not it will enter 
in an infinite loop during startup. To disable, execute paxctl -r 
/firefox_binary. Usually the binary is somewhere in 
/usr/lib64/*firefox*. See http://bugs.gentoo.org/show_bug.cgi?id=278698 
for more details."

-Brad

On Thu, Apr 21, 2011 at 05:17:50PM -0300, Carlos Carvalho wrote:
> With 2.2.2-2.6.38.3-201104201821.patch and Debian I'm getting nasty
> errors from web browsers.
> 
> First, with FF 3.5 in Debian, it gets stuck in an infinite loop at
> startup consuming 100% cpu. strace of some seconds produced 600,000+
> lines of which almost all are:
> 
>  150049 mmap2(0xad000000, 1048576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xad057000
>  150049 mmap2(NULL, 2097152, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xacf57000
>  150049 munmap(0xacf57000, 2097152)             = 0
>  150051 munmap(0xad057000, 1048576)             = 0
> 
> Next I tried vanilla FF 3.5 and 3.6. Both give
> 
> ./firefox-bin: error while loading shared libraries: ./libxul.so: cannot make segment writable for relocation: Permission denied
> 
> Then I tried Debian chromium, which produces
> 
> /usr/lib/chromium-browser/chromium-browser: error while loading shared libraries: libGL.so.1: failed to map segment from shared object: Operation not permitted
> 
> Without grsec 38.3 works as usual. This is without KERN_LOCKOUT.
> 
> Is it possible to get the browsers running with the new grsec?

