I was updating my router, when I saw that grub's update failed, likely killed by grsecurity.
```
[146964.723607] PAX: From 192.168.xxx.xxx: execution attempt in: <anonymous mapping>, be327000-be348000 bffdf000
[146964.723817] PAX: terminating task: /usr/sbin/grub-mkdevicemap(grub-mkdevicema):17454, uid/euid: 0/0, PC: be346fb4, SP: be345e4c
[146964.724109] PAX: bytes at PC: b9 a8 6f 34 be e9 22 2e d0 49 34 be f5 67 d2 b2 90 05 eb b2
[146964.724542] PAX: bytes at SP-4: 00000000 0804a232 0aa98480 00000000 00000008 08049e20 00000000 00000000 00000000 00000000 00000000 0aa943d0 00000003 00000400 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[146964.725100] grsec: From 192.168.xxx.xxx: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/sbin/grub-mkdevicemap[grub-mkdevicema:17454] uid/euid:0/0 gid/egid:0/0, parent /var/lib/dpkg/info/grub-pc.postinst[grub-pc.postins:17450] uid/euid:0/0 gid/egid:0/0
```
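```
apt-get install pax-utils
# grub-mkdevicemap: convert the header, then reset its PaX flags
paxctl -c /usr/sbin/grub-mkdevicemap
paxctl -z /usr/sbin/grub-mkdevicemap
# same two steps for grub-script-check
paxctl -c /usr/bin/grub-script-check
paxctl -z /usr/bin/grub-script-check
update-grub
```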
This is happening because I used the Restrict mprotect() option in my kernel (see Phrack 60:6), which prevents the creation of executable pages from anonymous memory. Since `grub-*` doesn't have the `PT_PAX_FLAGS` program header, `paxctl -c $bin` will create it by converting the `PT_GNU_STACK` program header. Then, `paxctl -z $bin` will disable all PaX-related protection for `$bin`. Grub is now free to do its weird things without being bugged by grsec anymore.
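
To see which state a binary is in before or after running `paxctl`, or to audit which binaries on a system carry explicit PaX marks, the program headers can be read directly. The following is an added example, not code from the original post or from paxctl: the function names are hypothetical, the flag bit positions are those defined in PaX's `elf.h`, and the sample ELF image is constructed.

```python
import struct

# Added example with hypothetical helper names; not part of paxctl.
PT_GNU_STACK = 0x6474E551
PT_PAX_FLAGS = 0x65041580          # PT_LOOS + 0x5041580
# Each PaX feature has an "enable" bit and, one bit higher, a "disable" bit.
FEATURES = {"PAGEEXEC": 4, "SEGMEXEC": 6, "MPROTECT": 8,
            "RANDEXEC": 10, "EMUTRAMP": 12, "RANDMMAP": 14}

def program_headers(elf: bytes):
    """Yield (p_type, p_flags) for every program header of an ELF image."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = elf[4] == 2                       # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if elf[5] == 1 else ">"        # EI_DATA: 1 = little-endian
    if is64:
        phoff, = struct.unpack_from(end + "Q", elf, 0x20)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 0x36)
    else:
        phoff, = struct.unpack_from(end + "I", elf, 0x1C)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 0x2A)
    for i in range(phnum):
        base = phoff + i * phentsize
        p_type, = struct.unpack_from(end + "I", elf, base)
        # p_flags follows p_type in ELF64 but sits at offset 24 in ELF32
        p_flags, = struct.unpack_from(end + "I", elf, base + (4 if is64 else 24))
        yield p_type, p_flags

def pax_status(elf: bytes):
    """Return (header_state, {feature: 'on' | 'off' | 'unset'})."""
    types = dict(program_headers(elf))
    if PT_PAX_FLAGS not in types:
        # "convertible": a PT_GNU_STACK header exists for paxctl -c to convert
        return ("convertible" if PT_GNU_STACK in types else "missing"), {}
    flags = types[PT_PAX_FLAGS]
    decoded = {}
    for name, bit in FEATURES.items():
        on, off = flags >> bit & 1, flags >> (bit + 1) & 1
        decoded[name] = "off" if off else "on" if on else "unset"
    return "present", decoded

def make_elf32(phdrs):
    """Constructed sample: minimal little-endian ELF32 with (type, flags) headers."""
    ehdr = struct.pack("<16sHHIIIIIHHHHHH", b"\x7fELF\x01\x01\x01", 2, 3, 1,
                       0, 52, 0, 0, 52, 32, len(phdrs), 0, 0, 0)
    return ehdr + b"".join(struct.pack("<8I", t, 0, 0, 0, 0, 0, f, 0)
                           for t, f in phdrs)
```

On a real system, pass the file contents, for example `pax_status(open("/usr/sbin/grub-mkdevicemap", "rb").read())`, and compare the result with the output of `paxctl -v`.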