grsec-unoff (RAP) related Call Traces, 171118-1030 oops


(This is not a (RAP)-related Call Trace page; I am placing it here to report more quickly to the author of the patch for the kernel in question.)

This trace happened after the time of the last recorded event at:

Nov 18 10:30:01 gdOv kernel: [ 1265.774444] grsec: chdir to /var/lib/lurker/www
by /usr/bin/lurker-prune[lurker-prune:4137] uid/euid:33/33 gid/egid:33/33,
parent /bin/dash[sh:4136] uid/euid:33/33 gid/egid:33/33

The system just froze, and as at that time I was watching a video stream from one of my old Hauppauge TV-cards (it's the Vukovar Commemoration Day in Croatia), the very last maybe 2 seconds of audio kept repeating, until I rebooted the system with its mechanical switch.

Here is the context, even though it reveals close to nothing about the causes to me:

Nov 18 10:14:08 gdOv kernel: [  313.262311] grsec: exec of
/usr/local/bin/tzap-cat-g0.sh (tzap-cat-g0.sh HTV1 HTV1 ) by
/usr/local/bin/tzap-cat-g0.sh[bash:3998] uid/euid:1000/1000 gid/egid:1000/1000,
parent /bin/bash[bash:3809] uid/euid:1000/1000 gid/egid:1000/1000

[...]

Nov 18 10:28:35 gdOv kernel: [ 1179.975438] grsec: chdir to /home/mr by
/usr/bin/vim.basic[vi:4132] uid/euid:1000/1000 gid/egid:1000/1000, parent
/bin/bash[bash:3870] uid/euid:1000/1000 gid/egid:1000/1000

Nov 18 10:30:01 gdOv kernel: [ 1265.763910] grsec: chdir to /var/www by
/usr/sbin/cron[cron:4136] uid/euid:33/33 gid/egid:33/33, parent
/usr/sbin/cron[cron:4135] uid/euid:0/0 gid/egid:0/0

Nov 18 10:30:01 gdOv kernel: [ 1265.764134] grsec: exec of /bin/dash (/bin/sh
-c if test -f /var/lib/lurker/db; then /usr/bin/lurker-prune; fi ) by
/bin/dash[cron:4136] uid/euid:33/33 gid/egid:33/33, parent
/usr/sbin/cron[cron:4135] uid/euid:0/0 gid/egid:0/0

Nov 18 10:30:01 gdOv kernel: [ 1265.767249] grsec: exec of
/usr/bin/lurker-prune (/usr/bin/lurker-prune ) by
/usr/bin/lurker-prune[sh:4137] uid/euid:33/33 gid/egid:33/33, parent
/bin/dash[sh:4136] uid/euid:33/33 gid/egid:33/33

Nov 18 10:30:01 gdOv kernel: [ 1265.774166] grsec: chdir to /var/lib/lurker by
/usr/bin/lurker-prune[lurker-prune:4137] uid/euid:33/33 gid/egid:33/33, parent
/bin/dash[sh:4136] uid/euid:33/33 gid/egid:33/33

Nov 18 10:30:01 gdOv kernel: [ 1265.774205] grsec: chdir to /var/www by
/usr/bin/lurker-prune[lurker-prune:4137] uid/euid:33/33 gid/egid:33/33, parent
/bin/dash[sh:4136] uid/euid:33/33 gid/egid:33/33

Nov 18 10:30:01 gdOv kernel: [ 1265.774444] grsec: chdir to /var/lib/lurker/www
by /usr/bin/lurker-prune[lurker-prune:4137] uid/euid:33/33 gid/egid:33/33,
parent /bin/dash[sh:4136] uid/euid:33/33 gid/egid:33/33

Nov 18 10:38:18 gdOv kernel: [   37.284703] grsec: exec of /bin/sed (sed s/
*#.*// ) by /bin/sed[cryptdisks:1303] uid/euid:0/0 gid/egid:0/0, parent
/etc/init.d/cryptdisks[cryptdisks:1301] uid/euid:0/0 gid/egid:0/0

Nov 18 10:38:18 gdOv kernel: [   37.287905] grsec: exec of /bin/sed (sed
s/=.*// ) by /bin/sed[cryptdisks:1306] uid/euid:0/0 gid/egid:0/0, parent
/etc/init.d/cryptdisks[cryptdisks:1304] uid/euid:0/0 gid/egid:0/0

Nov 18 10:38:18 gdOv kernel: [   37.291026] grsec: exec of /bin/sed (sed
/=/!d;s/^.*=// ) by /bin/sed[cryptdisks:1309] uid/euid:0/0 gid/egid:0/0, parent
/etc/init.d/cryptdisks[cryptdisks:1307] uid/euid:0/0 gid/egid:0/0

Nov 18 10:38:18 gdOv kernel: [   37.293694] grsec: exec of /bin/readlink
(readlink -f /dev/disk/by-uuid/

---

The very last line is truncated at the start of the UUID of the encrypted volume. But that's all you get of the logging in the kern.log (or messages, or syslog, sysvinit is very poor or completely lacking at logging events at boot time).
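
Added example, not part of the original page: a small Python parser for the grsec exec/chdir lines shown above. It finds the point where the kernel uptime stamp goes backwards (a reboot) and reports the last event logged before it and how much of the new boot went unlogged. The sample lines are taken from the excerpt above and unwrapped; the function names and the year 2017 (syslog stamps carry none) are assumptions.

```python
import re
from datetime import datetime

# syslog stamp, host, kernel uptime in brackets, then the grsec audit message
LINE_RE = re.compile(
    r"^(?P<stamp>\w{3}\s+\d+\s+[\d:]{8})\s+\S+\s+kernel:\s+\[\s*(?P<uptime>\d+\.\d+)\]"
    r"\s+grsec:\s+(?P<event>exec of|chdir to)\s+(?P<target>\S+)")

# Sample input: lines from the excerpt above, unwrapped and cut after the subject.
SAMPLE = """\
Nov 18 10:28:35 gdOv kernel: [ 1179.975438] grsec: chdir to /home/mr by /usr/bin/vim.basic[vi:4132] uid/euid:1000/1000 gid/egid:1000/1000
Nov 18 10:30:01 gdOv kernel: [ 1265.774205] grsec: chdir to /var/www by /usr/bin/lurker-prune[lurker-prune:4137] uid/euid:33/33 gid/egid:33/33
Nov 18 10:30:01 gdOv kernel: [ 1265.774444] grsec: chdir to /var/lib/lurker/www by /usr/bin/lurker-prune[lurker-prune:4137] uid/euid:33/33 gid/egid:33/33
Nov 18 10:38:18 gdOv kernel: [   37.284703] grsec: exec of /bin/sed (sed s/ *#.*// ) by /bin/sed[cryptdisks:1303] uid/euid:0/0 gid/egid:0/0
Nov 18 10:38:18 gdOv kernel: [   37.287905] grsec: exec of /bin/sed (sed s/=.*// ) by /bin/sed[cryptdisks:1306] uid/euid:0/0 gid/egid:0/0
"""

def parse(text, year=2017):
    """Parse grsec exec/chdir lines; the year is assumed, syslog omits it."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            wall = datetime.strptime(f"{year} {m['stamp']}", "%Y %b %d %H:%M:%S")
            events.append({"wall": wall, "uptime": float(m["uptime"]),
                           "event": m["event"], "target": m["target"]})
    return events

def reboots(events):
    """Find places where kernel uptime goes backwards, i.e. a new boot began."""
    found = []
    for prev, cur in zip(events, events[1:]):
        if cur["uptime"] < prev["uptime"]:
            found.append({
                "last_before": prev,            # last event logged before the freeze
                "first_after": cur,             # first event logged by the new boot
                "wall_gap_s": (cur["wall"] - prev["wall"]).total_seconds(),
                "unlogged_boot_s": cur["uptime"],  # boot time with no log entries
            })
    return found

if __name__ == "__main__":
    for r in reboots(parse(SAMPLE)):
        print("last before:", r["last_before"]["event"], r["last_before"]["target"])
        print("wall-clock gap (s):", r["wall_gap_s"])
        print("first logged uptime after boot (s):", r["unlogged_boot_s"])
```

Run against a full kern.log, lines that are not grsec exec/chdir entries are skipped, so the boundary is found from the audit lines alone.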

I use full disk encryption, as per: "Installing to existing partitions/mount? Full disk encrypt? Feedback."

Also, I had used EFI booting, but following Dyne.Org Devuan DNG Mailing List, where there was recently a discussion about it, thanks a lot, no more of it, I reverted all systems back to BIOS-booting.

The logging that you see above is produced by the grsecurity features exec_logging and audit_chdir, which I always compile into my kernels:

CONFIG_GRKERNSEC_EXECLOG=y
[...]
CONFIG_GRKERNSEC_AUDIT_CHDIR=y

All I get in my Devuan (which in most respects is the same as Debian, except for the great improvement: the SystemDestruction is out, banned from the package management) is, as you can see, from the last cryptdisks opening and mounting (I don't even get the opening and mounting of the root / encrypted disk; those are the swap partition and another partition)... I think I had much more logging in Gentoo, and esp. now that there is runit in Gentoo, logging must be great there... Not complaining, and I sure would contribute, if I had (or maybe once I get) the potential to...

In /var/log/dmesg the logging starts even later:

[   40.169431] grsec: exec of /usr/bin/tput (/usr/bin/tput setaf 3 ) by
/usr/bin/tput[mountall.sh:1518] uid/euid:0/0 gid/egid:0/0, parent
/etc/init.d/mountall.sh[mountall.sh:1459] uid/euid:0/0 gid/egid:0/0
[...]

That's three seconds later:

40.169431
37.284703

(first line timestamp from kern.log, second line timestamp from dmesg)

Lots of room for improving things. And, since Debian, sadly, is moving to binary logging, this may remain for the Devuan Devs, and other true unix-oriented folks in *nixdom, to care for...

---

The verifiable files necessary for this study, if any, are listed in the main page of this section.

---