From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from pigeon.gentoo.org ([69.77.167.62] helo=lists.gentoo.org)
	by finch.gentoo.org with esmtp (Exim 4.60)
	(envelope-from <gentoo-hardened+bounces-2250-garchives=archives.gentoo.org@lists.gentoo.org>)
	id 1KzWks-0002uH-Vv
	for garchives@archives.gentoo.org; Mon, 10 Nov 2008 13:24:35 +0000
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id BA28AE0351;
	Mon, 10 Nov 2008 13:24:33 +0000 (UTC)
Received: from qw-out-1920.google.com (qw-out-1920.google.com [74.125.92.144])
	by pigeon.gentoo.org (Postfix) with ESMTP id 98F84E0351
	for <gentoo-hardened@lists.gentoo.org>; Mon, 10 Nov 2008 13:24:33 +0000 (UTC)
Received: by qw-out-1920.google.com with SMTP id 5so2121464qwc.10
        for <gentoo-hardened@lists.gentoo.org>; Mon, 10 Nov 2008 05:24:31 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=gamma;
        h=domainkey-signature:received:received:date:from:to:cc:subject
         :message-id:reply-to:mail-followup-to:references:mime-version
         :content-type:content-disposition:in-reply-to:x-operating-system
         :user-agent;
        bh=DopxbhWiI6U1IwGis0h597JdXej0XjeiLBEK3ZMGDFA=;
        b=klV6+PomWWGwPMOa3aOLLdI63mHkV1sb4MRG5EEPXIphK3PZXjMi05TvJ5lkqWg11u
         9woJ48vPfaHDEXjQhsUMbsK9ZMZDcII3TgkTpZm4OoSzJqRd9VJl/dWwpybNNd/Mncge
         iueBf1n5Vi93DIz6yGSRmAVFu7Ysbsn1yG8UM=
DomainKey-Signature: a=rsa-sha1; c=nofws;
        d=gmail.com; s=gamma;
        h=date:from:to:cc:subject:message-id:reply-to:mail-followup-to
         :references:mime-version:content-type:content-disposition
         :in-reply-to:x-operating-system:user-agent;
        b=v1aQpOcWdI3UMn511tm4/hrfJ67s3FGhxe/B/Aa46E6DwjmJU4ncyNss0swbWd6MqC
         k7e8JQDjBkg8qeb1bZJU2gXSxNYM39mlT0fy7kE1yi2sWIPvbW1jYDezNeIz2saV+UvT
         EzmE3uYPCAxjUPK0XQavzfc8WA/nHX5GZp2sg=
Received: by 10.214.242.17 with SMTP id p17mr6457223qah.367.1226323471891;
        Mon, 10 Nov 2008 05:24:31 -0800 (PST)
Received: from gmail.com (66-190-62-213.dhcp.mdsn.wi.charter.com [66.190.62.213])
        by mx.google.com with ESMTPS id 9sm9036667ywf.2.2008.11.10.05.24.30
        (version=SSLv3 cipher=RC4-MD5);
        Mon, 10 Nov 2008 05:24:31 -0800 (PST)
Date: Mon, 10 Nov 2008 07:24:29 -0600
From: Brian Kroth <bpkroth@gmail.com>
To: atoth@atoth.sote.hu
Cc: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] what RLIMIT_STACK mean?
Message-ID: <20081110132427.GB19578@gmail.com>
Mail-Followup-To: atoth@atoth.sote.hu, gentoo-hardened@lists.gentoo.org
References: <c2125bcb7fde59cdb77b1b8de3cef95a.squirrel@atoth.sote.hu> <4916DB2B.29842.7CE88B1@pageexec.freemail.hu> <56fdc27a3f155c58dba9c797d9965dd7.squirrel@atoth.sote.hu> <20081110092412.GB1893@home.power> <a1721b25d260be1dadffa6421edcbe20.squirrel@atoth.sote.hu>
Precedence: bulk
List-Post: <mailto:gentoo-hardened@lists.gentoo.org>
List-Help: <mailto:gentoo-hardened+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-hardened+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-hardened+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-hardened.gentoo.org>
X-BeenThere: gentoo-hardened@lists.gentoo.org
Reply-to: gentoo-hardened@lists.gentoo.org
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <a1721b25d260be1dadffa6421edcbe20.squirrel@atoth.sote.hu>
X-Operating-System: Linux 2.6.26-hardened-r2 x86_64
User-Agent: Mutt/1.5.16 (2007-06-09)
X-Archives-Salt: 1c94f32c-8574-4c59-92d8-b0cb9f4e50db
X-Archives-Hash: 01b795fd9e44f12b5b1b7eec566486af

atoth@atoth.sote.hu <atoth@atoth.sote.hu> 2008-11-10 12:31:
> I usually have some of these while I'm listening to music:
> grsec: (atoth:U:/usr/bin/audacious) denied resource overstep by requesting
> 135168 for RLIMIT_MEMLOCK against limit 32768 for
> /usr/bin/audacious[audacious:24077] uid/euid:1000/1000 gid/egid:100/100,
> parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
> and usual report about signal 11s for eg. with java while browsing. Of
> course that RLMIT_MEMLOCK value requested is not so insane like that for
> perl & pwd.

Same here:

grsec: denied resource overstep by requesting 69632 for RLIMIT_MEMLOCK
against limit 32768 for /usr/bin/aplay[aplay:16674] uid/euid:1000/1000
gid/egid:1000/1000, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0

And for the perl forloop:

grsec: denied resource overstep by requesting 4511036391424 for
RLIMIT_STACK against limit 8388608 for /bin/pwd[pwd:18765]
uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:18636]
uid/euid:1000/1000 gid/egid:1000/1000

For me, nothing ever crashed so I just started to ignore them.  I did
wonder at them though.

> Question is: do you use a hardened toolchain pie-ssp enabled, or a
> regular? It would be interesting to test it using a non-hardened userland
> with a grsec-enabled kernel...

$ eselect profile show
Current make.profile symlink:
  /usr/portage/profiles/default/linux/amd64/2008.0/desktop

$ uname -a
Linux omnius 2.6.26-hardened-r2 #3 SMP Sat Oct 4 16:00:09 CDT 2008
x86_64 Intel(R) Xeon(R) CPU X3220 @ 2.40GHz GenuineIntel GNU/Linux

I'll try with a 2.6.27 based one later today.

Brian