Hi,
I've seen a service crashing (HAProxy) and was wondering: What's the meaning of these HBSD messages?
Dec 30 11:08:05 kernel: pid 53076 (haproxy), uid 80: exited on signal 11
Dec 30 11:08:05 kernel: [HBSD SEGVGUARD] [haproxy (53076)] Suspension expired.
Dec 30 11:08:05 kernel: -> pid: 53076 ppid: 1 p_pax: 0x850<SEGVGUARD,ASLR,NODISALLOWMAP32BIT>
Is this crash related to one of these HBSD security features? Is there a way to disable them during runtime?
Thanks
- Frank
PaX SEGVGUARD protects against ASLR brute-force attempts. It slows down execution of a continuously-crashing process in order to make brute-force attacks take more time.
We should figure out why haproxy is segfaulting.
Quote from: lattera on December 31, 2018, 05:50:28 PM
We should figure out why haproxy is segfaulting.
Agreed.
Can HBSD security features lead to those crashes?
Regards
- Frank
Quote from: fraenki on December 31, 2018, 05:55:45 PM
Quote from: lattera on December 31, 2018, 05:50:28 PM
We should figure out why haproxy is segfaulting.
Agreed.
Can HBSD security features lead to those crashes?
Regards
- Frank
The ones that OPNsense has: nope. There is PaX NOEXEC, which prohibits applications from creating memory mappings that are both writable and executable (and toggling between the two). NOEXEC causes issues with Just-In-Time (JIT) compilers. However, OPNsense does not currently have NOEXEC in its src tree for 18.7. It does for 19.1, but NOEXEC is disabled due to PHP 7 using a JIT.
For more info about HardenedBSD's features, take a look at our wiki: https://github.com/HardenedBSD/hardenedBSD/wiki
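
Added example, not part of the thread: a small Python parser for kernel log lines in the format quoted in the first post. It groups the lines by pid so that signal 11 (SIGSEGV) exits can be read next to the SEGVGUARD messages and the `p_pax` flag list the kernel printed for the same process. The first three sample lines are the ones from the post; the fourth line and the process name `exampled` are constructed.

```python
import re
from collections import defaultdict

# Lines 1-3 are quoted from the first post; line 4 is constructed for contrast.
SAMPLE_LOG = """\
Dec 30 11:08:05 kernel: pid 53076 (haproxy), uid 80: exited on signal 11
Dec 30 11:08:05 kernel: [HBSD SEGVGUARD] [haproxy (53076)] Suspension expired.
Dec 30 11:08:05 kernel: -> pid: 53076 ppid: 1 p_pax: 0x850<SEGVGUARD,ASLR,NODISALLOWMAP32BIT>
Dec 30 11:09:41 kernel: pid 53990 (exampled), uid 0: exited on signal 11
"""

EXIT_RE = re.compile(r"kernel: pid (\d+) \(([^)]+)\), uid (\d+): exited on signal (\d+)")
HBSD_RE = re.compile(r"kernel: \[HBSD (\w+)\] \[([^\]]+?) \((\d+)\)\] (.+)")
PAX_RE = re.compile(r"kernel: -> pid: (\d+) ppid: (\d+) p_pax: (0x[0-9a-fA-F]+)<([^>]*)>")


def correlate(log_text):
    """Group kernel lines by pid: exit signal, HBSD messages, p_pax flag names."""
    procs = defaultdict(
        lambda: {"name": None, "signal": None, "hbsd": [], "pax_flags": []}
    )
    for line in log_text.splitlines():
        if m := EXIT_RE.search(line):
            entry = procs[int(m[1])]
            entry["name"], entry["signal"] = m[2], int(m[4])
        elif m := HBSD_RE.search(line):
            entry = procs[int(m[3])]
            entry["name"] = entry["name"] or m[2]
            entry["hbsd"].append((m[1], m[4].strip()))
        elif m := PAX_RE.search(line):
            # Use the flag names the kernel already decoded inside <...>.
            procs[int(m[1])]["pax_flags"] = m[4].split(",")
    return dict(procs)


def segv_with_segvguard(procs):
    """Pids that exited on signal 11 and also have a SEGVGUARD message logged."""
    return sorted(
        pid for pid, p in procs.items()
        if p["signal"] == 11 and any(feat == "SEGVGUARD" for feat, _ in p["hbsd"])
    )


if __name__ == "__main__":
    procs = correlate(SAMPLE_LOG)
    for pid in segv_with_segvguard(procs):
        print(pid, procs[pid]["name"], procs[pid]["hbsd"], procs[pid]["pax_flags"])
```
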