[rsbac] kernel oops accessing /dev/log
Vincent Danen
vdanen at annvix.org
Thu Feb 9 17:28:38 CET 2006
* Amon Ott <ao at rsbac.org> [2006-02-09 08:39:34 +0100]:
> On Thursday 09 February 2006 02:15, Vincent Danen wrote:
> > > Hi everyone. I've got a bit of a problem with rsbac 1.2.5.1 and kernel
> > > 2.4.32. When I try to "ls /dev/log" or run initlog (which a number of
> > > initscripts do), I'm getting a segfault of the application and a kernel
> > > oops printed to the screen:
> > >
> > >
> > > <1>Unable to handle kernel NULL pointer dereference at virtual address 00000001
> > > printing eip:
> > > c0146885
> > > *pde = 2f042067
> > > *pte = 00000000
> > > Oops: 0000
> > > CPU: 0
> > > EIP: 0010:[<c0146885>] Not tainted
> > > EFLAGS: 00010202
> > > eax: 00000001 ebx: 0000000f ecx: ef0c845c edx: ef1c0f60
> > > esi: 00000000 edi: bffffa0c ebp: ece63fbc esp: ece63f40
> > > ds: 0018 es: 0018 ss: 0018
> > > Process initlog (pid: 827, stackpage=ece63000)
> > > Stack: f0bc2d99 ef1d7238 00000002 ef4cf800 ef1d7238 c0146b49 08051380 00000000
> > >        ef195860 ece63f98 f0bbf987 ef1d7258 ef195840 08051380 00000292 ef190901
> > >        0000009e ef6ec2c0 ef195860 ef195840 ef1c0f60 effe9360 ef6ec2c0 ef195840
> > > Call Trace: [<f0bc2d99>] [<c0146b49>] [<f0bbf987>] [<c0108bf3>]
> > >
> > > Code: 83 38 01 0f 84 47 ff ff ff 8d 81 20 01 00 00 bb 0b 00 00 00
>
> Do you still have the System.map for this kernel, so that we can
> translate the addresses to functions?
I do. I've never done that before tho, so what am I looking for? Or do
you want to look at the System.map file yourself? I've never really
looked at that before.
> > > Now, syslog still seems to work properly. Ie. these errors are being
> > > properly logged to syslog. And if I do "logger mark" I get the
> > > appropriate:
> > >
> > > Feb 8 15:15:57 cerberus vdanen: mark
> > >
> > > in syslog. So I'm not sure if rsbac is protecting /dev/log in some way
> > > that's preventing initlog from playing nice with it. The strange thing
> > > is only one machine is exhibiting this behaviour (with or without
> > > rsbac_softmode). I tested this same kernel (well, compiled with same
> > > options and patches) in vmware (one x86, another x86_64), and on an
> > > athlon (the one that fails) and an opteron, but the others work ok. The
> > > rest of the system seems fine.
>
> Version 1.2.x does not particularly protect socket special files, only
> when opening them you get requests with NETOBJ targets.
Well, my config as far as NET_OBJ is as follows:
[vdanen@build patches]$ grep OBJ ../configs/i386.config |grep RSBAC
CONFIG_RSBAC_NET_OBJ=y
# CONFIG_RSBAC_NET_OBJ_UNIX is not set
# CONFIG_RSBAC_NET_OBJ_RW is not set
# CONFIG_RSBAC_IND_NETOBJ_LOG is not set
# CONFIG_RSBAC_MAC_NET_OBJ_PROT is not set
CONFIG_RSBAC_FC_NET_OBJ_PROT=y
CONFIG_RSBAC_SIM_NET_OBJ_PROT=y
# CONFIG_RSBAC_RC_NET_OBJ_PROT is not set
# CONFIG_RSBAC_ACL_NET_OBJ_PROT is not set
I don't fully understand what each kernel config option does, so I'm
still trying to tweak what I have, so maybe it's a misconfiguration on
my part.
> > > Has anyone come across anything like this before?
>
> Nothing like this has ever been reported.
I thought that was the answer I'd get as google showed me no love at
all.
I appreciate your help with this, Amon. Let me know if there is
anything else you need to help me figure this out.
--
Annvix - Secure Linux Server: http://annvix.org/
"lynx -source http://linsec.ca/vdanen.asc | gpg --import"
{FEE30AD4 : 7F6C A60C 06C2 4811 FA1C A2BC 2EBC 5E32 FEE3 0AD4}
Wasting time like it was free...
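
Added example, not part of the original message: one way to translate the bracketed addresses of an oops into symbol+offset form with a System.map, as asked for in the thread. The System.map excerpt below is constructed and its symbol names are placeholders (the real map for this kernel is not in the message); addresses outside the range the map describes come back unresolved.

```python
import bisect
import re

# Constructed System.map excerpt: names and addresses are placeholders,
# NOT the real symbols of the 2.4.32 kernel from the report.
SAMPLE_SYSTEM_MAP = """\
c0100000 A _text
c0108b00 T placeholder_func_a
c0146700 T placeholder_func_b
c0146a80 T placeholder_func_c
c0146c00 T placeholder_func_d
c03a0000 A _end
"""

# Two lines copied from the oops quoted in the message above.
OOPS_TEXT = """\
EIP: 0010:[<c0146885>] Not tainted
Call Trace: [<f0bc2d99>] [<c0146b49>] [<f0bbf987>] [<c0108bf3>]
"""

def load_system_map(text):
    """Parse 'address type name' lines into (address, name) pairs sorted by address."""
    symbols = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            symbols.append((int(parts[0], 16), parts[2]))
    return sorted(symbols)

def resolve(addr, symbols):
    """Return 'name+0xoffset' for the nearest preceding symbol, or None."""
    addrs = [a for a, _ in symbols]
    i = bisect.bisect_right(addrs, addr) - 1
    # Below the first symbol, or at/after the last one (_end): the address is
    # outside the static kernel image, so System.map cannot name it.
    if i < 0 or i == len(symbols) - 1:
        return None
    base, name = symbols[i]
    return f"{name}+0x{addr - base:x}"

def resolve_oops(oops_text, symbols):
    """Resolve every [<address>] found in the oops text, in order of appearance."""
    found = re.findall(r"\[<([0-9a-fA-F]{8})>\]", oops_text)
    return [(a, resolve(int(a, 16), symbols)) for a in found]

if __name__ == "__main__":
    for addr, sym in resolve_oops(OOPS_TEXT, load_system_map(SAMPLE_SYSTEM_MAP)):
        print(addr, sym or "not covered by System.map")
```

With the real System.map loaded in place of the sample, the same lookup gives the function containing the EIP and each in-kernel call trace entry.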