Error with grsec kernel
fleadope opened this issue · 2 comments
I have wrestled for a couple days with a deployment, and thought I would document my struggles for posterity, and others who may encounter a similar issue.
I have been trying to deploy an app to an Alpine Linux instance, using a grsecurity kernel. Every time i would do
require 'argon2
I would get an error (it was unreadable, but that's another issue)
RuntimeError: �M���
from ~/.rbenv/versions/2.3.1/lib/ruby/gems/2.3.0/gems/ffi-1.9.14/lib/ffi/library.rb:277:in `attach'
After much searching and tearing of hair by the roots (even creating a python wrapper for argon2 and attempting to invoke it from within the app,) I finally stumbled across a partial answer - the code was forbidden by the grsecurity-hardened kernel, specifically the 'mprotect' flag.
I was able to get the code to run by doing the following:
sudo paxctl -c ~/.rbenv/versions/2.3.1/bin/ruby # Convert the binary to using PT_PAX_FLAGS
sudo paxctl -m ~/.rbenv/versions/2.3.1/bin/ruby # disable MPROTECT
I am not sure of the implications of this change, or whether it can be resolved in a different way, but I thought I would put it here so that others could have their say.
On further research, the ffi README references this issue, here, although it was a pain linking this particular error to grsec.
Thanks for bringing this to my attention.
I've looked this over and can't really see a "fix" beyond documenting the one you found. I've updated the README accordingly.
Thanks - I will keep my ears open, and advise if I hear anything...