Linux kernel with grsec + Java / Apache Tomcat

Question

I've got a Debian Linux 64 bit dedicated server. The kernel has the grsec patch applied.

I'm mainly using this server to run Apache Tomcat (6.0.26, Java 6) and everything seems fine.

The only issue, is that when I start Tomcat, I get a few of these:

grsec: From xxx.xxx.xxx.xxx: Segmentation fault occurred at 00007fefe04e4000 in /home/t/jre1.6.0_20/bin/java[java:22403] uid/euid:1001/1001 gid/egid:1001/1001, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
grsec: more alerts, logging disabled for 10 seconds

Then no error logs anymore. Everything is fine.

The kernel is:

Linux 2.6.32.2-xxxx-grs-ipv4-64 #1 SMP Tue Dec 29 14:41:12 UTC 2009 x86_64 GNU/Linux

And the webapp works fine.

So there are segmentation fault when Tomcat starts, but everything seems to works fine.

Is this concerning? Should I move to a non-grsec kernel?

Answer 1

I'm also hosted by OVH and I have a bunch of this:

Jul 20 07:29:25 nsxxxxxx kernel: grsec: From x.x.x.x: Segmentation fault occurred at 00007f0e17e3e300 in /usr/lib/jvm/java-6-sun-1.6.0.17/jre/bin/java[java:4177] uid/euid:1011/1011 gid/egid:1011/1011, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0

Jul 20 07:29:25 nsxxxxxx kernel: grsec: From x.x.x.x: Segmentation fault occurred at 0000000000000008 in /usr/lib/jvm/java-6-sun-1.6.0.17/jre/bin/java[java:30441] uid/euid:1011/1011 gid/egid:1011/1011, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0

Jul 20 07:29:25 nsxxxxxx kernel: grsec: From x.x.x.x: Segmentation fault occurred at 0000000000000008 in /usr/lib/jvm/java-6-sun-1.6.0.17/jre/bin/java[java:30441] uid/euid:1011/1011 gid/egid:1011/1011, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0

Jul 20 07:30:00 nsxxxxxx kernel: grsec: From x.x.x.x: Segmentation fault occurred at 0000000000000008 in /usr/lib/jvm/java-6-sun-1.6.0.17/jre/bin/java[java:30620] uid/euid:1011/1011 gid/egid:1011/1011, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0

Jul 20 07:30:02 nsxxxxxx kernel: grsec: From x.x.x.x: Segmentation fault occurred at 0000000000000008 in /usr/lib/jvm/java-6-sun-1.6.0.17/jre/bin/java[java:30620] uid/euid:1011/1011 gid/egid:1011/1011, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0

Jul 20 07:30:02 nsxxxxxx kernel: grsec: From x.x.x.x: Segmentation fault occurred at 000000000000001c in /usr/lib/jvm/java-6-sun-1.6.0.17/jre/bin/java[java:30672] uid/euid:1011/1011 gid/egid:1011/1011, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0

Jul 20 07:30:14 nsxxxxxx kernel: grsec: From x.x.x.x: Segmentation fault occurred at 0000000000000008 in /usr/lib/jvm/java-6-sun-1.6.0.17/jre/bin/java[java:30683] uid/euid:1011/1011 gid/egid:1011/1011, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0

Jul 20 07:30:14 nsxxxxxx kernel: grsec: From x.x.x.x: Segmentation fault occurred at 0000000000000008 in /usr/lib/jvm/java-6-sun-1.6.0.17/jre/bin/java[java:30683] uid/euid:1011/1011 gid/egid:1011/1011, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0 ...

It seems that changing the kernel to a non GRSEC one could work.

Answer 2

Java, among other things, is known to not play nice together with grsec.

You'll have to use chpax against Java binary at least, but switching to a non-grsec kernel is a better option.