On 7/29/14, 18:00, development-request@lists.ipfire.org wrote:
I am trying to achieve something here; I don't know if this is supported. I've built a custom addon for ntopng, a traffic monitoring tool which makes use of LuaJIT for its web UI scripting language (which is great for embedded devices). When starting the service on my home IPFire I quickly get the following error message.
PANIC: unprotected error in call to Lua API (runtime code generation failed, restricted kernel?)
Which leads me to think that a JIT is not supported in the kernel configuration of IPFire, or am I way off? This is a tool I'd really like to get working on my IPFire, any ideas?
Check the kernel log. If PaX mprotect has stopped the execution it will be logged, and in most cases the protection can be disabled for single binaries with paxctl.
Arne
Thanks Arne,
That seems to have fixed the problem. I found the following in the logs:
# grep -nir "pax" messages
311236:Jul 27 16:17:00 shockwave kernel: PAX: From 192.168.3.116: execution attempt in: <anonymous mapping>, 4eb62000-4ec2a000 4eb62000
311237:Jul 27 16:17:00 shockwave kernel: PAX: terminating task: /usr/local/bin/ntopng(ntopng):23772, uid/euid: 1001/1001, PC: 4eb69f89, SP: 4ac2af70
311238:Jul 27 16:17:00 shockwave kernel: PAX: bytes at PC: c7 05 bc a2 c0 4e 01 00 00 00 8b 7a f8 8b 7f 08 81 7f 1c ff
311239:Jul 27 16:17:00 shockwave kernel: PAX: bytes at SP-4: 080f92b1 4ec0a1c0 4ebcce00 4ebcce08 4ec0b328 4ebfcbf0 00000001 4ebfcbe0 4ec0a1f0 00000000 081a0e8c 0815d816 080e7ccd 4ec0a1c0 00000000 00000000 00000000 0819f2e4 0b076cd8 081a0e8c 080800b0
and I disabled mprotect with:
# paxctl -m /usr/local/bin/ntopng
Also, while I was familiarizing myself with grsecurity I noticed that other utilities such as pspax, execstack, scanelf and dumpelf are not available in IPFire. Is there a particular reason for this?
Regards,
-- GH
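
Added example, not part of the original messages: a small Python triage script for the PaX lines quoted in the thread. It pairs each "execution attempt" line with the "terminating task" line that follows and reports, per binary, whether the faulting PC lay inside an anonymous mapping (the JIT pattern seen here). The function names are made up for this example, the regexes are written against the two line shapes shown above, and pairing adjacent lines is an assumption that can misattribute events when several tasks are killed at once.

```python
import re
from collections import defaultdict

# Two lines copied from the log quoted in the thread (grep -n prefixes dropped).
SAMPLE = """\
Jul 27 16:17:00 shockwave kernel: PAX: From 192.168.3.116: execution attempt in: <anonymous mapping>, 4eb62000-4ec2a000 4eb62000
Jul 27 16:17:00 shockwave kernel: PAX: terminating task: /usr/local/bin/ntopng(ntopng):23772, uid/euid: 1001/1001, PC: 4eb69f89, SP: 4ac2af70
"""

# Assumption: these patterns match the line shapes shown in the thread only.
EXEC_RE = re.compile(
    r"PAX: (?:From \S+: )?execution attempt in: (?P<where>.+?), "
    r"(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)")
TERM_RE = re.compile(
    r"PAX: terminating task: (?P<path>.+?)\((?P<comm>[^)]*)\):(?P<pid>\d+), "
    r"uid/euid: (?P<uid>\d+)/(?P<euid>\d+), PC: (?P<pc>[0-9a-f]+)")

def parse_pax_events(log_text):
    """Pair each 'execution attempt' line with the next 'terminating task' line."""
    events, pending = [], None
    for line in log_text.splitlines():
        m = EXEC_RE.search(line)
        if m:
            pending = (m["where"], int(m["start"], 16), int(m["end"], 16))
            continue
        m = TERM_RE.search(line)
        if m:
            # Assumption: the two lines of one event are adjacent in the log.
            where, start, end = pending or (None, 0, 0)
            pc = int(m["pc"], 16)
            events.append({"path": m["path"], "pid": int(m["pid"]),
                           "uid": int(m["uid"]), "pc": pc, "region": where,
                           "pc_in_region": start <= pc < end})
            pending = None
    return events

def binaries_needing_review(events):
    """Per binary, count kills where the PC was inside an anonymous mapping."""
    summary = defaultdict(lambda: {"anonymous": 0, "other": 0})
    for e in events:
        anon = e["region"] == "<anonymous mapping>" and e["pc_in_region"]
        summary[e["path"]]["anonymous" if anon else "other"] += 1
    return dict(summary)

if __name__ == "__main__":
    for path, counts in binaries_needing_review(parse_pax_events(SAMPLE)).items():
        print(path, counts)
```

A binary counted under "anonymous" shows the same pattern as ntopng above; one counted under "other" could not be matched to an anonymous mapping and is worth reading in the raw log before any paxctl exception is made.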