* [gentoo-hardened] denied resource overstep... for RLIMIT_MEMLOCK
From: Grant @ 2009-01-16 1:55 UTC
To: gentoo-hardened
One of my Blu-Ray rips won't play and there is a steady stream of
"Error while decoding frame!" messages in mplayer's output when I try.
I just noticed that each time I try to play the movie, I get another
one of these in dmesg:
grsec: denied resource overstep by requesting 135168 for
RLIMIT_MEMLOCK against limit 32768 for /usr/bin/mplayer[mplayer:22122]
uid/euid:1000/1000 gid/egid:100/100, parent /bin/bash[bash:22095]
uid/euid:1000/1000 gid/egid:100/100
I tried:
paxctl -m /usr/bin/mplayer
but it doesn't seem to make any difference. Does anyone know how to
fix this? How can I undo what I did with the above paxctl command
since it doesn't seem to be helping?
- Grant

* [gentoo-hardened] Re: denied resource overstep... for RLIMIT_MEMLOCK
From: Grant @ 2009-01-16 2:05 UTC
To: gentoo-hardened
> One of my Blu-Ray rips won't play and there is a steady stream of
> "Error while decoding frame!" messages in mplayer's output when I try.
> I just noticed that each time I try to play the movie, I get another
> one of these in dmesg:
>
> grsec: denied resource overstep by requesting 135168 for
> RLIMIT_MEMLOCK against limit 32768 for /usr/bin/mplayer[mplayer:22122]
> uid/euid:1000/1000 gid/egid:100/100, parent /bin/bash[bash:22095]
> uid/euid:1000/1000 gid/egid:100/100
>
> I tried:
>
> paxctl -m /usr/bin/mplayer
>
> but it doesn't seem to make any difference. Does anyone know how to
> fix this? How can I undo what I did with the above paxctl command
> since it doesn't seem to be helping?
>
> - Grant
I should have checked this before posting but I actually get the same
grsec message when playing movies in mplayer that work perfectly fine.
Is there any need to do anything based on the message?
I also noticed this in dmesg on a different system and I'm wondering about it:
PAX: execution attempt in:
/usr/lib64/opengl/nvidia/lib/libGLcore.so.177.82,
6b8d6f990000-6b8d6fd20000 00c1b000
PAX: terminating task: /usr/bin/Xorg(X):14958, uid/euid: 0/0, PC:
00006b8d6fc665d0, SP: 000077eb50bd1258
PAX: bytes at PC: 64 48 8b 04 25 68 ff ff ff ff a0 10 08 00 00 cc cc cc cc cc
PAX: bytes at SP-8:
- Grant

* Re: [gentoo-hardened] denied resource overstep... for RLIMIT_MEMLOCK
From: pageexec @ 2009-01-16 6:49 UTC
To: gentoo-hardened
On 15 Jan 2009 at 17:55, Grant wrote:
> One of my Blu-Ray rips won't play and there is a steady stream of
> "Error while decoding frame!" messages in mplayer's output when I try.
> I just noticed that each time I try to play the movie, I get another
> one of these in dmesg:
>
> grsec: denied resource overstep by requesting 135168 for
> RLIMIT_MEMLOCK against limit 32768 for /usr/bin/mplayer[mplayer:22122]
> uid/euid:1000/1000 gid/egid:100/100, parent /bin/bash[bash:22095]
> uid/euid:1000/1000 gid/egid:100/100
it's just a report that mplayer wanted to lock more memory than
you allowed, or rather, what the kernel allows by default. ulimit(1)
and related things are your friend.
> paxctl -m /usr/bin/mplayer
>
> but it doesn't seem to make any difference.
actually, that one is needed for certain win32 codecs.
> Does anyone know how to
> fix this? How can I undo what I did with the above paxctl command
> since it doesn't seem to be helping?
man paxctl would tell you if you looked ;).
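
Added example, not part of the message above and not code from the list: a shell sketch that reads the grsec report discussed here and works out the locked-memory limit, in the KiB units bash's ulimit -l uses, that would cover the request. The function names and the one-line sample (the thread's report with the mail wrapping undone) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): summarise grsecurity RLIMIT_MEMLOCK
# "resource overstep" reports and size the limit to what was asked for.

# Constructed sample: the report quoted in the thread, joined onto one line
# the way dmesg prints it.
SAMPLE_LOG='grsec: denied resource overstep by requesting 135168 for RLIMIT_MEMLOCK against limit 32768 for /usr/bin/mplayer[mplayer:22122] uid/euid:1000/1000 gid/egid:100/100, parent /bin/bash[bash:22095] uid/euid:1000/1000 gid/egid:100/100'

# Read kernel log text on stdin; print one line per RLIMIT_MEMLOCK report:
#   <binary> <uid> <requested_bytes> <limit_bytes> <needed_KiB>
# needed_KiB is the request rounded up to 1024-byte units.
memlock_oversteps() {
    awk '
    /grsec: denied resource overstep/ && /RLIMIT_MEMLOCK/ {
        req = ""; lim = ""; bin = ""; uid = ""
        for (i = 1; i < NF; i++) {
            if ($i == "requesting") req = $(i + 1)
            else if ($i == "limit") lim = $(i + 1)
            else if ($i == "for" && bin == "" && index($(i + 1), "/") == 1) {
                bin = $(i + 1); sub(/\[.*/, "", bin)   # drop "[comm:pid]"
            } else if (uid == "" && index($i, "uid/euid:") == 1) {
                split($i, id, "[:/]"); uid = id[3]     # real uid of the task
            }
        }
        if (req == "" || lim == "" || bin == "") next  # truncated line, skip
        printf "%s %s %d %d %d\n", bin, uid, req, lim, int((req + 1023) / 1024)
    }'
}

# memlock_verdict <needed_KiB> [soft_limit_KiB]: compare against a soft limit
# (default: this shell's own "ulimit -l", which may print "unlimited").
memlock_verdict() {
    current=${2:-$(ulimit -l)}
    if [ "$current" = "unlimited" ] || [ "$current" -ge "$1" ]; then
        echo "ok: limit $current KiB covers $1 KiB"
    else
        echo "raise: limit $current KiB < $1 KiB"
    fi
}

printf '%s\n' "$SAMPLE_LOG" | memlock_oversteps
memlock_verdict 132 32
```

Raising the soft limit to the reported figure in the shell that launches the player (ulimit -l 132, possible only up to the hard limit) covers this request without setting the limit to unlimited.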

* Re: [gentoo-hardened] Re: denied resource overstep... for RLIMIT_MEMLOCK
From: pageexec @ 2009-01-16 6:49 UTC
To: gentoo-hardened
On 15 Jan 2009 at 18:05, Grant wrote:
> I also noticed this in dmesg on a different system and I'm wondering about it:
>
> PAX: execution attempt in:
> /usr/lib64/opengl/nvidia/lib/libGLcore.so.177.82,
> 6b8d6f990000-6b8d6fd20000 00c1b000
> PAX: terminating task: /usr/bin/Xorg(X):14958, uid/euid: 0/0, PC:
> 00006b8d6fc665d0, SP: 000077eb50bd1258
> PAX: bytes at PC: 64 48 8b 04 25 68 ff ff ff ff a0 10 08 00 00 cc cc cc cc cc
> PAX: bytes at SP-8:
i think you really need to read up on what PaX does... the above means
that Xorg wanted to execute runtime generated code therefore you'll need
to allow it, just like you already did for mplayer. not that it's great
for security...
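
Added example, not part of the message above and not code from the list: a shell sketch that pairs the two lines of a PaX report like the one quoted here, naming the binary that was terminated (the one whose flags would have to be relaxed) and where in the mapping the faulting PC lies. The function name and sample are constructed; treating the number after the address range as the mapping's file offset is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): pair up the two lines of a PaX
# "execution attempt" report and locate the faulting PC inside the mapping.

# Constructed sample: the report quoted in the thread, with the mail
# line-wrapping undone so each kernel message is on one line.
SAMPLE_PAX='PAX: execution attempt in: /usr/lib64/opengl/nvidia/lib/libGLcore.so.177.82, 6b8d6f990000-6b8d6fd20000 00c1b000
PAX: terminating task: /usr/bin/Xorg(X):14958, uid/euid: 0/0, PC: 00006b8d6fc665d0, SP: 000077eb50bd1258'

# Read kernel log text on stdin; for each report print
#   <terminated binary> <mapping> <PC offset in mapping> <offset in file>
# Assumption: the number after the address range is the mapping file offset.
pax_exec_faults() {
    path=""; start=""; end=""; off=""
    while IFS= read -r line; do
        case $line in
        *"PAX: execution attempt in: "*)
            rest=${line#*"PAX: execution attempt in: "}
            path=${rest%%,*}
            set -- ${rest#*, }                 # "start-end" "offset"
            start=${1%-*}; end=${1#*-}; off=$2 ;;
        *"PAX: terminating task: "*)
            [ -n "$path" ] || continue         # no preceding mapping line
            rest=${line#*"PAX: terminating task: "}
            task=${rest%%"("*}
            pc=${rest#*PC: }; pc=${pc%%,*}
            if [ $((0x$pc)) -ge $((0x$start)) ] && [ $((0x$pc)) -lt $((0x$end)) ]; then
                rel=$((0x$pc - 0x$start))
                printf '%s %s 0x%x 0x%x\n' "$task" "$path" "$rel" $((rel + 0x$off))
            else
                printf '%s %s PC-outside-mapping\n' "$task" "$path"
            fi
            path="" ;;
        esac
    done
}

printf '%s\n' "$SAMPLE_PAX" | pax_exec_faults
```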

* Re: [gentoo-hardened] denied resource overstep... for RLIMIT_MEMLOCK
From: Grant @ 2009-01-17 19:06 UTC
To: gentoo-hardened
>> One of my Blu-Ray rips won't play and there is a steady stream of
>> "Error while decoding frame!" messages in mplayer's output when I try.
>> I just noticed that each time I try to play the movie, I get another
>> one of these in dmesg:
>>
>> grsec: denied resource overstep by requesting 135168 for
>> RLIMIT_MEMLOCK against limit 32768 for /usr/bin/mplayer[mplayer:22122]
>> uid/euid:1000/1000 gid/egid:100/100, parent /bin/bash[bash:22095]
>> uid/euid:1000/1000 gid/egid:100/100
>
> it's just a report that mplayer wanted to lock more memory than
> you allowed, or rather, what the kernel allows by default. ulimit(1)
> and related things are your friend.
>
>> paxctl -m /usr/bin/mplayer
>>
>> but it doesn't seem to make any difference.
>
> actually, that one is needed for certain win32 codecs.
I'm on amd64 anyway and mplayer-bin doesn't seem to be maintained these days.
>> Does anyone know how to
>> fix this? How can I undo what I did with the above paxctl command
>> since it doesn't seem to be helping?
>
> man paxctl would tell you if you looked ;).
Thanks, it's 'paxctl -M /usr/bin/mplayer'.
- Grant

* Re: [gentoo-hardened] denied resource overstep... for RLIMIT_MEMLOCK
From: pageexec @ 2009-01-17 22:27 UTC
To: gentoo-hardened
On 17 Jan 2009 at 11:06, Grant wrote:
> >> Does anyone know how to
> >> fix this? How can I undo what I did with the above paxctl command
> >> since it doesn't seem to be helping?
> >
> > man paxctl would tell you if you looked ;).
>
> Thanks, it's 'paxctl -M /usr/bin/mplayer'.
you mean -m, -M would enforce MPROTECT when in softmode.

* Re: [gentoo-hardened] denied resource overstep... for RLIMIT_MEMLOCK
From: pageexec @ 2009-01-18 0:08 UTC
To: gentoo-hardened
On 18 Jan 2009 at 1:20, Manuel Leithner wrote:
> No, he's correct. He wanted to undo paxctl -m.
ah, undoing. it's still not correct for the reason i told you.
-zex is the base state, as the manpage says as well...
>
> Regards,
> Manuel Leithner
>
> On Sat, 17 Jan 2009 23:27:51 +0100, pageexec@freemail.hu wrote:
> > On 17 Jan 2009 at 11:06, Grant wrote:
> >
> > > >> Does anyone know how to
> > > >> fix this? How can I undo what I did with the above paxctl command
> > > >> since it doesn't seem to be helping?
> > > >
> > > > man paxctl would tell you if you looked ;).
> > >
> > > Thanks, it's 'paxctl -M /usr/bin/mplayer'.
> >
> > you mean -m, -M would enforce MPROTECT when in softmode.

* Re: [gentoo-hardened] denied resource overstep... for RLIMIT_MEMLOCK
From: Manuel Leithner @ 2009-01-18 0:20 UTC
To: gentoo-hardened
No, he's correct. He wanted to undo paxctl -m.
Regards,
Manuel Leithner
On Sat, 17 Jan 2009 23:27:51 +0100, pageexec@freemail.hu wrote:
> On 17 Jan 2009 at 11:06, Grant wrote:
>
> > >> Does anyone know how to
> > >> fix this? How can I undo what I did with the above paxctl command
> > >> since it doesn't seem to be helping?
> > >
> > > man paxctl would tell you if you looked ;).
> >
> > Thanks, it's 'paxctl -M /usr/bin/mplayer'.
>
> you mean -m, -M would enforce MPROTECT when in softmode.

* Re: [gentoo-hardened] denied resource overstep... for RLIMIT_MEMLOCK
From: Gordon Malm @ 2009-01-18 0:43 UTC
To: gentoo-hardened
undo = 'paxctl -zxe'
On Saturday, January 17, 2009 16:20:53 Manuel Leithner wrote:
> No, he's correct. He wanted to undo paxctl -m.
>
> Regards,
> Manuel Leithner
>
> On Sat, 17 Jan 2009 23:27:51 +0100, pageexec@freemail.hu wrote:
> > On 17 Jan 2009 at 11:06, Grant wrote:
> > > >> Does anyone know how to
> > > >> fix this? How can I undo what I did with the above paxctl command
> > > >> since it doesn't seem to be helping?
> > > >
> > > > man paxctl would tell you if you looked ;).
> > >
> > > Thanks, it's 'paxctl -M /usr/bin/mplayer'.
> >
> > you mean -m, -M would enforce MPROTECT when in softmode.

* Re: [gentoo-hardened] denied resource overstep... for RLIMIT_MEMLOCK
From: Grant @ 2009-01-18 4:08 UTC
To: gentoo-hardened
>> No, he's correct. He wanted to undo paxctl -m.
>
> ah, undoing. it's still not correct for the reason i told you.
> -zex is the base state, as the manpage says as well...
Thanks, -zex did it. /usr/bin/mplayer no longer shows up with 'qlist
-ao | scanelf -f - -q -x'.
- Grant
>> On Sat, 17 Jan 2009 23:27:51 +0100, pageexec@freemail.hu wrote:
>> > On 17 Jan 2009 at 11:06, Grant wrote:
>> >
>> > > >> Does anyone know how to
>> > > >> fix this? How can I undo what I did with the above paxctl command
>> > > >> since it doesn't seem to be helping?
>> > > >
>> > > > man paxctl would tell you if you looked ;).
>> > >
>> > > Thanks, it's 'paxctl -M /usr/bin/mplayer'.
>> >
>> > you mean -m, -M would enforce MPROTECT when in softmode.