libffi segfault with grsec mprotect
I’m having issues running salt minion with an LXC container running Alpine. The host is running Arch with a grsec kernel.
Here are the kernel options concerning PAX:
```
CONFIG_PAX_PER_CPU_PGD=y
# PaX
CONFIG_PAX=y
# PaX Control
CONFIG_PAX_SOFTMODE=y
# CONFIG_PAX_EI_PAX is not set
# CONFIG_PAX_PT_PAX_FLAGS is not set
CONFIG_PAX_XATTR_PAX_FLAGS=y
# CONFIG_PAX_NO_ACL_FLAGS is not set
CONFIG_PAX_HAVE_ACL_FLAGS=y
# CONFIG_PAX_HOOK_ACL_FLAGS is not set
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
CONFIG_PAX_EMUTRAMP=y
CONFIG_PAX_MPROTECT=y
# CONFIG_PAX_MPROTECT_COMPAT is not set
# CONFIG_PAX_ELFRELOCS is not set
CONFIG_PAX_KERNEXEC=y
CONFIG_PAX_KERNEXEC_PLUGIN=y
# CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_NONE is not set
CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_BTS=y
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
CONFIG_PAX_MEMORY_SANITIZE=y
CONFIG_PAX_MEMORY_STACKLEAK=y
CONFIG_PAX_MEMORY_STRUCTLEAK=y
CONFIG_PAX_MEMORY_UDEREF=y
CONFIG_PAX_REFCOUNT=y
CONFIG_PAX_USERCOPY=y
CONFIG_PAX_CONSTIFY_PLUGIN=y
# CONFIG_PAX_USERCOPY_DEBUG is not set
CONFIG_PAX_SIZE_OVERFLOW=y
CONFIG_PAX_SIZE_OVERFLOW_EXTRA=y
CONFIG_PAX_INITIFY=y
CONFIG_HAVE_PAX_INITIFY_INIT_EXIT=y
# CONFIG_PAX_INITIFY_VERBOSE is not set
# CONFIG_PAX_LATENT_ENTROPY is not set
CONFIG_PAX_RAP=y
```
Here’s the logging for grsec:
```
Jan 13 19:18:15 bollo kernel: grsec: denied RWX mmap of by /usr/bin/salt-minion[salt-minion:14566] uid/euid:1100000/1100000 gid/egid:1100000/1100000, parent /bin/busybox[ash:10767] uid/euid:1100000/1100000 gid/egid:1100000/1100000
Jan 13 19:18:16 bollo kernel: grsec: denied RWX mmap of by /usr/bin/salt-minion[salt-minion:14569] uid/euid:1100000/1100000 gid/egid:1100000/1100000, parent /usr/bin/salt-minion[salt-minion:14566] uid/euid:1100000/1100000 gid/egid:1100000/1100000
Jan 13 19:18:16 bollo kernel: salt-minion[14569]: segfault at 0 ip 00000379af491f83 sp 000003d52181b098 error 6 in libffi.so.6.0.4[379af48d000+206000]
Jan 13 19:18:16 bollo kernel: grsec: Segmentation fault occurred at (nil) in /usr/bin/salt-minion[salt-minion:14569] uid/euid:1100000/1100000 gid/egid:1100000/1100000, parent /usr/bin/salt-minion[salt-minion:14566] uid/euid:1100000/1100000 gid/egid:1100000/1100000
Jan 13 19:18:16 bollo kernel: grsec: mount of none to / by /usr/lib/systemd/systemd[(coredump):14591] uid/euid:0/0 gid/egid:0/0, parent /usr/lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
Jan 13 19:18:16 bollo kernel: grsec: mount of /boot to /boot by /usr/lib/systemd/systemd[(coredump):14591] uid/euid:0/0 gid/egid:0/0, parent /usr/lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
Jan 13 19:18:16 bollo kernel: grsec: mount of /etc to /etc by /usr/lib/systemd/systemd[(coredump):14591] uid/euid:0/0 gid/egid:0/0, parent /usr/lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
Jan 13 19:18:16 bollo kernel: grsec: mount of /usr to /usr by /usr/lib/systemd/systemd[(coredump):14591] uid/euid:0/0 gid/egid:0/0, parent /usr/lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
Jan 13 19:18:16 bollo kernel: grsec: mount of none to /boot by /usr/lib/systemd/systemd[(coredump):14591] uid/euid:0/0 gid/egid:0/0, parent /usr/lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
Jan 13 19:18:16 bollo kernel: grsec: mount of none to /etc by /usr/lib/systemd/systemd[(coredump):14591] uid/euid:0/0 gid/egid:0/0, parent /usr/lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
Jan 13 19:18:16 bollo kernel: grsec: mount of none to /usr by /usr/lib/systemd/systemd[(coredump):14591] uid/euid:0/0 gid/egid:0/0, parent /usr/lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
Jan 13 19:18:16 bollo kernel: grsec: mount of none to / by /usr/lib/systemd/systemd[(coredump):14591] uid/euid:0/0 gid/egid:0/0, parent /usr/lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
Jan 13 19:18:16 bollo kernel: grsec: bruteforce prevention initiated for the next 30 minutes or until service restarted, stalling each fork 30 seconds. Please investigate the crash report for /usr/bin/salt-minion[salt-minion:14569] uid/euid:1100000/1100000 gid/egid:1100000/1100000, parent /usr/bin/salt-minion[salt-minion:14566] uid/euid:1100000/1100000 gid/egid:1100000/1100000
```
Looking around (https://bitbucket.org/cffi/cffi/issues/177/foo-segfaults-with-grsec-denied-rwx-mmap, https://bugs.gentoo.org/show_bug.cgi?id=525494) I can see that enabling emutramp or disabling mprotect is the solution here. Emutramp is enabled for the Alpine package (http://git.alpinelinux.org/cgit/aports/tree/main/libffi/APKBUILD) so I’m a little perplexed as to why this is happening. It works absolutely fine with softmode on, but keeping it on is undesirable.
When I have time, I can verify this with a non-LXC environment and an Alpine grsec kernel, but it would be super cool if someone could confirm this for me and possibly look into this.
(from redmine: issue id 6686, created on 2017-01-14)
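
An added example, not part of the original report: a short Python script that correlates grsec `denied RWX mmap` entries with later kernel segfault entries for the same PID, and decodes the x86 page-fault error code (error 6 is a user-mode write to a non-present page). The sample log is constructed (host name, PIDs and addresses are made up) and assumes one log entry per line.

```python
import re

# Constructed sample in the shape of the kernel log quoted in the report
# (one entry per line; host name, PIDs and addresses are made up).
SAMPLE = """\
Jan 01 00:00:01 host kernel: grsec: denied RWX mmap of by /usr/bin/app[app:100] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/busybox[ash:90] uid/euid:1000/1000 gid/egid:1000/1000
Jan 01 00:00:02 host kernel: grsec: denied RWX mmap of by /usr/bin/app[app:101] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/app[app:100] uid/euid:1000/1000 gid/egid:1000/1000
Jan 01 00:00:02 host kernel: app[101]: segfault at 0 ip 00007f0000001f83 sp 00007ffc00000098 error 6 in libffi.so.6.0.4[7f0000000000+6000]
Jan 01 00:00:03 host kernel: other[200]: segfault at 10 ip 0000000000401000 sp 00007ffc00000100 error 4 in other[400000+1000]
"""

# The mapping name between "of" and "by" is optional, as in the quoted log.
DENIED = re.compile(r"grsec: denied RWX mmap of\s*(?P<target>.*?)\s*by "
                    r"(?P<exe>\S+)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\]")
SEGV = re.compile(r"kernel: (?P<comm>[^\[\s]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
                  r"ip (?P<ip>[0-9a-f]+) sp [0-9a-f]+ error (?P<err>\d+)(?: in (?P<obj>[^\[\s]+)\[)?")

def decode_fault(err):
    """Decode the low three bits of the x86 page-fault error code."""
    return {"present": bool(err & 1), "write": bool(err & 2), "user": bool(err & 4)}

def correlate(log_text):
    """Return segfaults whose PID was refused an RWX mapping earlier in the log."""
    denied = {}      # pid -> executable path taken from the grsec denial
    findings = []
    for line in log_text.splitlines():
        m = DENIED.search(line)
        if m:
            denied[int(m["pid"])] = m["exe"]
            continue
        m = SEGV.search(line)
        if m and int(m["pid"]) in denied:
            pid = int(m["pid"])
            findings.append({
                "pid": pid, "exe": denied[pid], "object": m["obj"],
                "fault_addr": int(m["addr"], 16), **decode_fault(int(m["err"])),
            })
    return findings

if __name__ == "__main__":
    for finding in correlate(SAMPLE):
        print(finding)
```

Wrapped log text, such as the copy pasted into a mail or issue body, needs its continuation lines joined before parsing.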