Please add pax header for node #588

Open
wenerme opened this issue Nov 16, 2017 · 11 comments

@wenerme

wenerme commented Nov 16, 2017

Related issue: wekan/wekan#1303

Node's JIT needs mprotect on a hardened OS.

docker run -it --rm node:alpine sh
node
# Segmentation fault

# disable mprotect for node
apk add --no-cache paxctl
paxctl -cm `which node`
# works now
node
# > 
@SimenB
Member

SimenB commented Nov 16, 2017

This feels like a doc-change rather than an image change. Do you agree?

  • Is this specific to the node binary?
  • Only alpine, not the other images?
  • What about npm/npx/yarn?
  • What about other alpine images like go/python etc?
  • How can I reproduce the segfault?

I have to admit I've never even heard of pax, so I'm not sure what it entails.

@wenerme
Author

wenerme commented Nov 16, 2017

PaX will change the ELF header in the node binary: PaX#Binary_markings

PaX allows executable files in the Executable and Linkable Format to be marked with reduced restrictions via the chpax and paxctl tools. These markings exist in the ELF header, and thus are both filesystem independent and part of the file object itself.

It's caused by how V8 uses mmap: grsecurity prevents exec on mapped memory, so PROT_EXEC will fail, but V8 needs this for JIT.

src/perf-jit.cc#L154

Without the PaX header for node, npm will fail too.

To reproduce this, download a standard Alpine image from https://alpinelinux.org/downloads/, with grsecurity patched, run it in a VM, install Docker, pull node and run.
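An audit helper for the binary markings described in the comment above, as an added example that is not part of the original thread or of the docker-node project: it reads the PT_PAX_FLAGS program header that paxctl writes and reports, per PaX feature, whether it is enforced, disabled or unset. It assumes a little-endian ELF64 file; `pax_markings` and `build_sample` are names made up for this example, and the sample image is constructed.

```python
import struct
import sys

PT_PAX_FLAGS = 0x65041580  # PT_LOOS + 0x5041580; the header `paxctl -c` creates

# (feature, enforce bit, disable bit) in p_flags of the PT_PAX_FLAGS header.
# paxctl's upper-case letters set the enforce bit and lower-case letters the
# disable bit, so `-m` sets bit 9 (no MPROTECT) and `-M` sets bit 8.
PAX_BITS = [
    ("PAGEEXEC", 1 << 4, 1 << 5),
    ("SEGMEXEC", 1 << 6, 1 << 7),
    ("MPROTECT", 1 << 8, 1 << 9),
    ("RANDEXEC", 1 << 10, 1 << 11),
    ("EMUTRAMP", 1 << 12, 1 << 13),
    ("RANDMMAP", 1 << 14, 1 << 15),
]

EHDR64 = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, little-endian
PHDR64 = struct.Struct("<IIQQQQQQ")          # Elf64_Phdr, little-endian


def decode_flags(p_flags):
    """Map each PaX feature to 'on', 'off', 'unset' or 'conflict'."""
    out = {}
    for name, enforce, disable in PAX_BITS:
        if p_flags & enforce and p_flags & disable:
            out[name] = "conflict"
        elif p_flags & disable:
            out[name] = "off"
        elif p_flags & enforce:
            out[name] = "on"
        else:
            out[name] = "unset"
    return out


def pax_markings(image):
    """Return the decoded markings, or None if the file has no PT_PAX_FLAGS."""
    if len(image) < EHDR64.size or image[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if image[4] != 2 or image[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    fields = EHDR64.unpack_from(image)
    e_phoff, e_phentsize, e_phnum = fields[5], fields[9], fields[10]
    if e_phnum and e_phentsize < PHDR64.size:
        raise ValueError("unexpected program header size")
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + PHDR64.size > len(image):
            raise ValueError("truncated program header table")
        p_type, p_flags = PHDR64.unpack_from(image, off)[:2]
        if p_type == PT_PAX_FLAGS:
            return decode_flags(p_flags)
    return None


def build_sample(p_type, p_flags):
    """Constructed input: an ELF64 header followed by one program header."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    ehdr = EHDR64.pack(ident, 2, 62, 1, 0, EHDR64.size, 0, 0,
                       EHDR64.size, PHDR64.size, 1, 0, 0, 0)
    return ehdr + PHDR64.pack(p_type, p_flags, 0, 0, 0, 0, 0, 8)


if __name__ == "__main__":
    if sys.argv[1:]:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, pax_markings(fh.read()))
    else:
        print(pax_markings(build_sample(PT_PAX_FLAGS, 1 << 9)))
```

Run over every executable in an image, this shows which binaries have had MPROTECT switched off and therefore run without that W^X enforcement on a PaX kernel.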

@chorrell
Contributor

chorrell commented Nov 16, 2017

I can't reproduce this:

$ docker run -it --rm node:alpine sh
/ # node --version
v9.2.0
/ # 

(Updated with correct output)

@chorrell
Contributor

chorrell commented Nov 16, 2017

Oh, wait, this is about running the image when Alpine is the Docker Host. Does upstream Docker officially support that?

@chorrell
Contributor

I'm guessing not:

https://docs.docker.com/engine/installation/#time-based-release-schedule

As @SimenB mentioned, this is more likely a doc change/update.

@wenerme
Author

wenerme commented Nov 17, 2017

Could you please provide these:

grep -e PAX_MPROTECT= -e GRKERNSEC= /boot/config-hardened
uname -s

All of our servers use Alpine and have the same problem.

Maybe this is related to docker, but I don't know why

Run node in docker

docker run --rm --entrypoint sh -it node:alpine
node

I got this from the kernel messages

[1904182.723239] grsec: Segmentation fault occurred at 000000000000000f in /usr/local/bin/node[node:6859] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/strace[strace:6857] uid/euid:0/0 gid/egid:0/0
[1904182.723396] grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/local/bin/node[node:6859] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/strace[strace:6857] uid/euid:0/0 gid/egid:0/0
[1904182.724671] grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/bin/strace[strace:6857] uid/euid:0/0 gid/egid:0/0, parent /bin/busybox[sh:6775] uid/euid:0/0 gid/egid:0/0

By the way, I also got a 139 exit, maybe related to #435

This is the strace log

/ # strace node
execve("/usr/local/bin/node", ["node"], [/* 8 vars */]) = 0
arch_prctl(ARCH_SET_FS, 0x76957e4c9b48) = 0
set_tid_address(0x76957e4c9b80)         = 30
open("/etc/ld-musl-x86_64.path", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/lib/libstdc++.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/local/lib/libstdc++.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/libstdc++.so.6", O_RDONLY|O_CLOEXEC) = 3
fcntl(3, F_SETFD, FD_CLOEXEC)           = 0
fstat(3, {st_mode=S_IFREG|0755, st_size=1370496, ...}) = 0
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\200\336\t\0\0\0\0\0"..., 960) = 960
mmap(NULL, 3481600, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x76957deec000
mmap(0x76957e22c000, 73728, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x140000) = 0x76957e22c000
mmap(0x76957e23b000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x76957e23b000
close(3)                                = 0
open("/lib/libgcc_s.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/local/lib/libgcc_s.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib/libgcc_s.so.1", O_RDONLY|O_CLOEXEC) = 3
fcntl(3, F_SETFD, FD_CLOEXEC)           = 0
fstat(3, {st_mode=S_IFREG|0644, st_size=71400, ...}) = 0
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0 '\0\0\0\0\0\0"..., 960) = 960
mmap(NULL, 2170880, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x76957dcda000
mmap(0x76957deea000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x10000) = 0x76957deea000
close(3)                                = 0
mprotect(0x76957e22c000, 57344, PROT_READ) = 0
mprotect(0x76957deea000, 4096, PROT_READ) = 0
mprotect(0x76957e4c6000, 4096, PROT_READ) = 0
mprotect(0x5b88671d000, 524288, PROT_READ) = 0
brk(NULL)                               = 0x5b8888a4a30
brk(0x5b8888b7000)                      = 0x5b8888b7000
rt_sigprocmask(SIG_SETMASK, [USR1], NULL, 8) = 0
fstat(0, {st_mode=S_IFCHR|0600, st_rdev=makedev(136, 7), ...}) = 0
fstat(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(136, 7), ...}) = 0
fstat(2, {st_mode=S_IFCHR|0600, st_rdev=makedev(136, 7), ...}) = 0
rt_sigaction(SIGHUP, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x76957e283f96}, NULL, 8) = 0
rt_sigaction(SIGINT, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x76957e283f96}, NULL, 8) = 0
rt_sigaction(SIGQUIT, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x76957e283f96}, NULL, 8) = 0
rt_sigaction(SIGILL, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x76957e283f96}, NULL, 8) = 0
rt_sigaction(SIGTRAP, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x76957e283f96}, NULL, 8) = 0
rt_sigaction(SIGABRT, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x76957e283f96}, NULL, 8) = 0
rt_sigaction(SIGBUS, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x76957e283f96}, NULL, 8) = 0
rt_sigaction(SIGFPE, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x76957e283f96}, NULL, 8) = 0
rt_sigaction(SIGUSR1, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x76957e283f96}, NULL, 8) = 0
rt_sigaction(SIGSEGV, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x76957e283f96}, NULL, 8) = 0
rt_sigaction(SIGUSR2, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x76957e283f96}, NULL, 8) = 0
rt_sigaction(SIGPIPE, {sa_handler=SIG_IGN, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x76957e283f96}, NULL, 8) = 0
rt_sigaction(SIGALRM, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x76957e283f96}, NULL, 8) = 0
rt_sigaction(SIGTERM, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x76957e283f96}, NULL, 8) = 0
rt_sigaction(SIGSTKFLT, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x76957e283f96}, NULL, 8) = 0
rt_sigaction(SIGCHLD, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x76957e283f96}, NULL, 8) = 0
rt_sigaction(SIGCONT, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x76957e283f96}, NULL, 8) = 0
rt_sigaction(SIGTSTP, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x76957e283f96}, NULL, 8) = 0
rt_sigaction(SIGTTIN, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x76957e283f96}, NULL, 8) = 0
rt_sigaction(SIGTTOU, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x76957e283f96}, NULL, 8) = 0
rt_sigaction(SIGURG, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x76957e283f96}, NULL, 8) = 0
rt_sigaction(SIGXCPU, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x76957e283f96}, NULL, 8) = 0
rt_sigaction(SIGXFSZ, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x76957e283f96}, NULL, 8) = 0
rt_sigaction(SIGVTALRM, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x76957e283f96}, NULL, 8) = 0
rt_sigaction(SIGPROF, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x76957e283f96}, NULL, 8) = 0
rt_sigaction(SIGWINCH, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x76957e283f96}, NULL, 8) = 0
rt_sigaction(SIGIO, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x76957e283f96}, NULL, 8) = 0
rt_sigaction(SIGPWR, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x76957e283f96}, NULL, 8) = 0
rt_sigaction(SIGSYS, {sa_handler=SIG_DFL, sa_mask=[], sa_flags=SA_RESTORER, sa_restorer=0x76957e283f96}, NULL, 8) = 0
rt_sigprocmask(SIG_UNBLOCK, [RT_1 RT_2], NULL, 8) = 0
rt_sigaction(SIGINT, {sa_handler=0x5b88581d3c0, sa_mask=~[RTMIN RT_1 RT_2], sa_flags=SA_RESTORER|SA_RESETHAND, sa_restorer=0x76957e283f96}, NULL, 8) = 0
rt_sigaction(SIGTERM, {sa_handler=0x5b88581d3c0, sa_mask=~[RTMIN RT_1 RT_2], sa_flags=SA_RESTORER|SA_RESETHAND, sa_restorer=0x76957e283f96}, NULL, 8) = 0
prlimit64(0, RLIMIT_NOFILE, NULL, {rlim_cur=1024*1024, rlim_max=1024*1024}) = 0
clock_getres(CLOCK_MONOTONIC_COARSE, {tv_sec=0, tv_nsec=3333333}) = 0
epoll_create1(EPOLL_CLOEXEC)            = 3
pipe2([4, 5], O_CLOEXEC)                = 0
write(5, "*", 1)                        = 1
pipe2([6, 7], O_NONBLOCK|O_CLOEXEC)     = 0
eventfd2(0, EFD_CLOEXEC|EFD_NONBLOCK)   = 8
ioctl(0, FIOCLEX)                       = 0
ioctl(1, FIOCLEX)                       = 0
ioctl(2, FIOCLEX)                       = 0
ioctl(3, FIOCLEX)                       = 0
ioctl(4, FIOCLEX)                       = 0
ioctl(5, FIOCLEX)                       = 0
ioctl(6, FIOCLEX)                       = 0
ioctl(7, FIOCLEX)                       = 0
ioctl(8, FIOCLEX)                       = 0
ioctl(9, FIOCLEX)                       = -1 EBADF (Bad file descriptor)
ioctl(10, FIOCLEX)                      = -1 EBADF (Bad file descriptor)
ioctl(11, FIOCLEX)                      = -1 EBADF (Bad file descriptor)
ioctl(12, FIOCLEX)                      = -1 EBADF (Bad file descriptor)
ioctl(13, FIOCLEX)                      = -1 EBADF (Bad file descriptor)
ioctl(14, FIOCLEX)                      = -1 EBADF (Bad file descriptor)
ioctl(15, FIOCLEX)                      = -1 EBADF (Bad file descriptor)
ioctl(16, FIOCLEX)                      = -1 EBADF (Bad file descriptor)
getuid()                                = 0
geteuid()                               = 0
getgid()                                = 0
getegid()                               = 0
getuid()                                = 0
geteuid()                               = 0
getgid()                                = 0
getegid()                               = 0
getuid()                                = 0
geteuid()                               = 0
getgid()                                = 0
getegid()                               = 0
getuid()                                = 0
geteuid()                               = 0
getgid()                                = 0
getegid()                               = 0
getuid()                                = 0
geteuid()                               = 0
getgid()                                = 0
getegid()                               = 0
getuid()                                = 0
geteuid()                               = 0
getgid()                                = 0
getegid()                               = 0
getuid()                                = 0
geteuid()                               = 0
getgid()                                = 0
getegid()                               = 0
prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
rt_sigprocmask(SIG_UNBLOCK, [RT_1 RT_2], NULL, 8) = 0
mmap(NULL, 8400896, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x76957d4d7000
mprotect(0x76957d4d9000, 8392704, PROT_READ|PROT_WRITE) = 0
clone(child_stack=0x76957dcd9a88, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID|0x400000, parent_tidptr=0x76957dcd9b20, tls=0x76957dcd9ae8, child_tidptr=0x76957dcd9b20) = 31
prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
mmap(NULL, 8400896, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x76957ccd4000
mprotect(0x76957ccd6000, 8392704, PROT_READ|PROT_WRITE) = 0
clone(child_stack=0x76957d4d6a88, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID|0x400000, parent_tidptr=0x76957d4d6b20, tls=0x76957d4d6ae8, child_tidptr=0x76957d4d6b20) = 32
prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
mmap(NULL, 8400896, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x76957c4d1000
mprotect(0x76957c4d3000, 8392704, PROT_READ|PROT_WRITE) = 0
clone(child_stack=0x76957ccd3a88, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID|0x400000, parent_tidptr=0x76957ccd3b20, tls=0x76957ccd3ae8, child_tidptr=0x76957ccd3b20) = 33
prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0
mmap(NULL, 8400896, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x76957bcce000
mprotect(0x76957bcd0000, 8392704, PROT_READ|PROT_WRITE) = 0
clone(child_stack=0x76957c4d0a88, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID|0x400000, parent_tidptr=0x76957c4d0b20, tls=0x76957c4d0ae8, child_tidptr=0x76957c4d0b20) = 34
brk(0x5b8888bd000)                      = 0x5b8888bd000
brk(0x5b8888be000)                      = 0x5b8888be000
brk(0x5b8888ca000)                      = 0x5b8888ca000
brk(0x5b8888cc000)                      = 0x5b8888cc000
brk(0x5b8888d7000)                      = 0x5b8888d7000
brk(0x5b8888e7000)                      = 0x5b8888e7000
brk(0x5b8888f7000)                      = 0x5b8888f7000
brk(0x5b8888f9000)                      = 0x5b8888f9000
getpid()                                = 30
open("/dev/urandom", O_RDONLY|O_NOCTTY|O_NONBLOCK) = 9
fstat(9, {st_mode=S_IFCHR|0666, st_rdev=makedev(1, 9), ...}) = 0
poll([{fd=9, events=POLLIN}], 1, 10)    = 1 ([{fd=9, revents=POLLIN}])
read(9, "\266\257\220qs\323f\212\242e\304\304XC\357\371\233N\304\351\355\376\rXF\336s\360\3611\16\247", 32) = 32
close(9)                                = 0
getuid()                                = 0
getpid()                                = 30
mmap(0xb982738e000, 536875008, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x76955bccd000
munmap(0x76957bccd000, 4096)            = 0
brk(0x5b8888fa000)                      = 0x5b8888fa000
brk(0x5b8888fb000)                      = 0x5b8888fb000
brk(0x5b8888fc000)                      = 0x5b8888fc000
brk(0x5b8888fd000)                      = 0x5b8888fd000
brk(0x5b8888fe000)                      = 0x5b8888fe000
brk(0x5b8888ff000)                      = 0x5b8888ff000
brk(0x5b888900000)                      = 0x5b888900000
brk(0x5b888901000)                      = 0x5b888901000
brk(0x5b888902000)                      = 0x5b888902000
brk(0x5b888903000)                      = 0x5b888903000
brk(0x5b888904000)                      = 0x5b888904000
mmap(0x7efe7800000, 1048576, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x76957e3c2000
munmap(0x76957e3c2000, 253952)          = 0
munmap(0x76957e480000, 270336)          = 0
mmap(0x76957e400000, 524288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x76957e400000
mmap(0x1f42f2480000, 1048576, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x76957e300000
munmap(0x76957e380000, 524288)          = 0
mmap(0x76957e300000, 524288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x76957e300000
brk(0x5b888906000)                      = 0x5b888906000
brk(0x5b888909000)                      = 0x5b888909000
getpid()                                = 30
brk(0x5b88890a000)                      = 0x5b88890a000
brk(0x5b88890b000)                      = 0x5b88890b000
brk(0x5b88890c000)                      = 0x5b88890c000
mmap(0x3ef3b0329000, 49152, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x76957e4b6000
mmap(0x76957e4b8000, 32768, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x76957e4b8000
brk(0x5b88890d000)                      = 0x5b88890d000
brk(0x5b88890e000)                      = 0x5b88890e000
mmap(0x76955bd00000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x76955bd00000
mprotect(0x76955bd03000, 4096, PROT_NONE) = 0
mmap(0x76955bd04000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = -1 EPERM (Operation not permitted)
mmap(0x76955bd00000, 12288, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x76955bd00000
mmap(0x76955bd80000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x76955bd80000
mprotect(0x76955bd83000, 4096, PROT_NONE) = 0
mmap(0x76955bd84000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = -1 EPERM (Operation not permitted)
mmap(0x76955bd80000, 12288, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x76955bd80000
mmap(0x76955be00000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x76955be00000
mprotect(0x76955be03000, 4096, PROT_NONE) = 0
mmap(0x76955be04000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = -1 EPERM (Operation not permitted)
mmap(0x76955be00000, 12288, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x76955be00000
brk(0x5b88890f000)                      = 0x5b88890f000
brk(0x5b888911000)                      = 0x5b888911000
brk(0x5b888914000)                      = 0x5b888914000
brk(0x5b888919000)                      = 0x5b888919000
mmap(0x2e9021680000, 1048576, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x76955bbcd000
munmap(0x76955bbcd000, 208896)          = 0
munmap(0x76955bc80000, 315392)          = 0
mmap(0x76955bc00000, 524288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x76955bc00000
mmap(0x76955be80000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x76955be80000
mprotect(0x76955be83000, 4096, PROT_NONE) = 0
mmap(0x76955be84000, 503808, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = -1 EPERM (Operation not permitted)
mmap(0x76955be80000, 12288, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x76955be80000
mmap(0x30d97f280000, 1048576, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x76955bb00000
munmap(0x76955bb80000, 524288)          = 0
mmap(0x76955bb00000, 524288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x76955bb00000
mmap(0x1c414f480000, 1048576, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_NORESERVE, -1, 0) = 0x76955ba00000
munmap(0x76955ba80000, 524288)          = 0
mmap(0x76955ba00000, 524288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x76955ba00000
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0xf} ---
+++ killed by SIGSEGV +++
Segmentation fault

All mmap calls with PROT_EXEC return Operation not permitted; that's why I got the segfault.

But if I install node from the repository, node will just run without any problem, even in docker.
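The pattern in the trace above can be picked out mechanically. This added example, which is not part of the original thread, scans strace output for mmap or mprotect calls that asked for PROT_EXEC and were refused, and reports whether the process was then killed by a signal; the function names are made up here and the sample lines are an excerpt copied from the trace in the comment above.

```python
import re

CALL = re.compile(
    r"^(?:\[pid\s+\d+\]\s+)?(?P<call>mmap|mprotect)\((?P<args>.*)\)\s+=\s+"
    r"(?P<ret>0x[0-9a-f]+|-?\d+)(?:\s+(?P<errno>E[A-Z]+))?"
)
KILLED = re.compile(r"^\+\+\+ killed by (SIG[A-Z0-9]+)")
DENIALS = ("EPERM", "EACCES")

# Excerpt of the strace log posted in this thread.
SAMPLE = """\
mmap(0x76955bd00000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x76955bd00000
mprotect(0x76955bd03000, 4096, PROT_NONE) = 0
mmap(0x76955bd04000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = -1 EPERM (Operation not permitted)
mmap(NULL, 3481600, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x76957deec000
mmap(0x76955be84000, 503808, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = -1 EPERM (Operation not permitted)
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0xf} ---
+++ killed by SIGSEGV +++
""".splitlines()


def denied_exec_requests(lines):
    """Return one record per refused mmap/mprotect call that requested PROT_EXEC."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = CALL.match(line.strip())
        if not m or m["errno"] not in DENIALS:
            continue
        args = [a.strip() for a in m["args"].split(",")]
        if len(args) < 3:
            continue
        prot = set(args[2].split("|"))  # third argument of both calls
        if "PROT_EXEC" not in prot:
            continue
        findings.append({
            "line": lineno,
            "call": m["call"],
            "addr": args[0],
            "length": int(args[1], 0),
            "errno": m["errno"],
            # Writable and executable at once is what MPROTECT refuses.
            "writable": "PROT_WRITE" in prot,
            "anonymous": m["call"] == "mmap" and len(args) > 3
                         and "MAP_ANONYMOUS" in args[3].split("|"),
        })
    return findings


def summarize(lines):
    """Condense a trace into the facts needed to triage a JIT start-up crash."""
    denied = denied_exec_requests(lines)
    fatal = None
    for line in lines:
        k = KILLED.match(line.strip())
        if k:
            fatal = k.group(1)
    return {
        "denied": len(denied),
        "writable_and_exec": sum(1 for d in denied if d["writable"]),
        "bytes_refused": sum(d["length"] for d in denied),
        "fatal_signal": fatal,
    }


if __name__ == "__main__":
    for finding in denied_exec_requests(SAMPLE):
        print(finding)
    print(summarize(SAMPLE))
```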

@taoeffect

Am running into this same issue with the latest alpine and latest nodejs alpine apk.

Is this an issue with grsec or is nodejs actually doing something it shouldn't be doing?

@taoeffect

taoeffect commented Dec 12, 2017

Oddly enough, when I tried the steps in the first post above, first npm install hung while building something with node-gyp (for some xml dependency/library), so I ran it again and it seemed to work.

But then I ran actual node on a .js file and got "bus error" (instead of the "segmentation fault" that I was getting before). dmesg has this:

[592349.066959] grsec: Invalid alignment/Bus error occurred at 0000703b2e17eff8 in /usr/bin/node[node:1291] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/busybox[sh:1009] uid/euid:1000/1000 gid/egid:1000/1000
[592349.067061] grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/bin/node[node:1291] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/busybox[sh:1009] uid/euid:1000/1000 gid/egid:1000/1000

EDIT: I did something and now am getting a slightly different error (btw, is it paxctl -cm or paxctl -cM ? Apparently those are two different things?)

[593494.731434] PAX: execution attempt in: (null), 00000000-00000000 00000000
[593494.731439] PAX: terminating task: /usr/bin/node(node):2711, uid/euid: 1000/1000, PC: 0000000000036986, SP: 000079b8bd58ebd8
[593494.731441] PAX: bytes at PC: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
[593494.731460]
[593494.731461] PAX: bytes at SP-8: 000079b8bd58ed10 00006fc8f88556bd 000008e95a5ea7a8 000079b8bd58ef20 ffffffff0100ec20 0000000000000000 00006fc8f88428c0 0000000000000000 0000000000000050 0000003000000030 000079b8bd58ed70
[593494.731467]
[593494.731598] grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/bin/node[node:2711] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/busybox[sh:2464] uid/euid:1000/1000 gid/egid:1000/1000

@wenerme
Author

wenerme commented Dec 12, 2017

You should use paxctl -cm $(which node). If you are using Docker, you can use wener/node; I already did this in the build. https://github.com/wenerme/dockerfiles/blob/master/node/Dockerfile

@taoeffect

Thanks @wenerme, but I'm basically doing the same thing and am getting the PAX: execution attempt error mentioned above.

I can run node just fine, the problem seems to occur when osmosis tries to use libxmljs-dom, I think.

You can try it for yourself by creating a project and calling osmosis.get(<url>).set({}).data(function (data) { .. })

@asterissco

asterissco commented Aug 3, 2018

I have this problem with Microsoft SQL Server (mssql) Docker

[10852.045533] grsec: Segmentation fault occurred at            (nil) in /opt/mssql/bin/sqlservr[sqlservr:21026] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/docker-containerd-shim[docker-containe:21006] uid/euid:0/0 gid/egid:0/0
[10852.045556] grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /opt/mssql/bin/sqlservr[sqlservr:21026] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/docker-containerd-shim[docker-containe:21006] uid/euid:0/0 gid/egid:0/0

I fixed it by disabling the grsecurity of the kernel

localhost:~# sysctl -w kernel.pax.softmode=1

Like this https://forums.grsecurity.net/viewtopic.php?f=3&t=3877
