[rsbac] RSBAC build problem on linux-4.9.y-c3fbb3a

Amon Ott ao at rsbac.org
Thu May 18 11:43:22 CEST 2017


On 17.05.2017 at 21:34, HacKurx wrote:
> On 2017-05-17 08:27, Amon Ott wrote:
>> On 16.05.2017 at 21:33, HacKurx wrote:
>>> 2017-05-16 8:57 GMT+02:00 Amon Ott :
>>>> mprotect must be active by default and it has been working fine in hard
>>>> server use for months now.
>>>>
>>>> You can use rsbac_debug_mprotect kernel parameter to get debug output
>>>> for mprotect. To enable debug as user 400 at runtime (disable with 0):
>>>>
>>>> echo debug_mprotect 1 >/proc/rsbac-info/debug
>>>
>>> I do not have the file "/proc/rsbac-info/debug" :/
>>> I have not yet used RSBAC administration tools. I only configured the
>>> kernel to test your mprotect option.
>>> I use Ubuntu 16.04 LTS for this.
>>
>> You should enable both RSBAC proc interface and RSBAC debug. They both
>> have little to no overhead and will enable you to test better and us to
>> spot problems. As a company, we run all production systems with both
>> settings and many others enabled.
>>
>> As some programs do not work with mprotect, you will probably need the
>> tools some day to change settings for these.
> 
> egrep "RSBAC_PROC|RSBAC_DEBUG|RSBAC_MPROTECT" /boot/config-4.9.28-rsbac
> CONFIG_RSBAC_PROC=y
> CONFIG_RSBAC_DEBUG=y
> # CONFIG_RSBAC_PROC_HIDE is not set
> CONFIG_RSBAC_MPROTECT=y
> 
> cat /proc/rsbac-info/debug
> cat: /proc/rsbac-info/debug: No such file or directory
> 
> There must be a few things that block this. Perhaps the file system or systemd?

Ah, you probably have an initial ramdisk. In that case you need the
kernel option CONFIG_RSBAC_INIT_DELAY for initrd support. The kernel
help text tells you about parameters and usage.

If you have no initial ramdisk, I need your full .config to reproduce as
private mail. Also, all RSBAC output in dmesg would help, perhaps just
send dmesg in full.

Amon.
-- 
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
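
The checks discussed in this thread, collected into one script as an added example (not code from the thread or from the RSBAC project). The function name `rsbac_check` and its result words are hypothetical, and the script assumes each option appears as `=y` in the config, as in the grep output quoted above.

```shell
#!/bin/sh
# Added example (not from the thread). rsbac_check and its result words are
# hypothetical; the CONFIG_ symbols and the proc file are the ones quoted above.

# enabled CONFIG_FILE SYMBOL: true when the config contains "SYMBOL=y".
enabled() {
    grep -q "^$2=y\$" "$1" 2>/dev/null
}

# rsbac_check CONFIG_FILE INITRD_FILE PROC_FILE
# Prints one word saying why PROC_FILE may be missing.
rsbac_check() {
    cfg=$1; initrd=$2; procfile=$3
    if [ -e "$procfile" ]; then
        echo present
    elif ! enabled "$cfg" CONFIG_RSBAC_PROC; then
        echo enable-proc
    elif ! enabled "$cfg" CONFIG_RSBAC_DEBUG; then
        echo enable-debug
    elif [ -e "$initrd" ] && ! enabled "$cfg" CONFIG_RSBAC_INIT_DELAY; then
        echo enable-init-delay        # initrd in use, initrd support not built in
    elif [ -e "$initrd" ]; then
        echo check-init-delay-params  # see the option's kernel help text
    else
        echo send-config-and-dmesg    # no initrd: full .config and dmesg needed
    fi
}

# Constructed sample: the config lines posted in the thread, an empty file
# standing in for the initial ramdisk, and a debug file that does not exist.
demo_dir=$(mktemp -d)
cat > "$demo_dir/config" <<'EOF'
CONFIG_RSBAC_PROC=y
CONFIG_RSBAC_DEBUG=y
# CONFIG_RSBAC_PROC_HIDE is not set
CONFIG_RSBAC_MPROTECT=y
EOF
: > "$demo_dir/initrd.img"
rsbac_check "$demo_dir/config" "$demo_dir/initrd.img" "$demo_dir/no-such-debug"
```

On a real system the three arguments would be the running kernel's config (here `/boot/config-4.9.28-rsbac`), the initial ramdisk image if one exists (its path depends on the distribution), and `/proc/rsbac-info/debug`.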

