# "ps -l" at a hardened amd64: System.map not parseable

## toralf

I'm curious, why I get the warning "Warning: /usr/src/linux/System.map not parseable as a System.map" at a hardened amd64, whereas at a x86 the same package version sys-process/procps-3.3.10-r1 runs fine. An strace shows the diff here for amd64:

```
read(4, "MemTotal:       16166892 kB\nMemF"..., 8191) = 1042

stat("/proc/self/wchan", 0x3849b7b6f80) = -1 ENOENT (No such file or directory)

uname({sys="Linux", node="tor-relay", ...}) = 0

stat("/boot/System.map-3.17.1-hardened", 0x3849b7b6f80) = -1 ENOENT (No such file or directory)

stat("/boot/System.map", 0x3849b7b6f80) = -1 ENOENT (No such file or directory)

stat("/lib/modules/3.17.1-hardened/System.map", 0x3849b7b6f80) = -1 ENOENT (No such file or directory)

stat("/usr/src/linux/System.map", {st_mode=S_IFREG|0644, st_size=2348938, ...}) = 0

open("/usr/src/linux/System.map", O_RDONLY|O_NOCTTY|O_NONBLOCK) = 5

fstat(5, {st_mode=S_IFREG|0644, st_size=2348938, ...}) = 0

mmap(NULL, 2348939, PROT_READ|PROT_WRITE, MAP_PRIVATE, 5, 0) = 0x2fc3d2dd000

close(5)                                = 0

mmap(NULL, 135168, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2fc3e10f000

mremap(0x2fc3e10f000, 135168, 266240, MREMAP_MAYMOVE) = 0x2fc3e0ce000

mremap(0x2fc3e0ce000, 266240, 528384, MREMAP_MAYMOVE) = 0x2fc3e04d000

write(2, "Warning: /usr/src/linux/System.m"..., 65) = 65

munmap(0x2fc3e04d000, 528384)           = 0

munmap(0x2fc3d2dd000, 2348939)          = 0

stat("/System.map", 0x3849b7b6f80)      = -1 ENOENT (No such file or directory)

stat("/proc/self/task", {st_mode=S_IFDIR|0555, st_size=0, ...}) = 0

```

versus x86:

```
read(4, "MemTotal:        8167648 kB\nMemF"..., 8191) = 1120

stat64("/proc/self/wchan", {st_mode=S_IFREG|0444, st_size=0, ...}) = 0

stat64("/proc/self/task", {st_mode=S_IFDIR|0555, st_size=0, ...}) = 0

```

Ok, so /proc/self/wchan does not exists at the amd64, but why does ps now tries to read System.map (and failed, although the file is there) ??Last edited by toralf on Mon Feb 22, 2016 8:51 am; edited 1 time in total

----------

## krinn

Actually the file may not be there if you forget to mount /boot  :Smile: 

But i think it's more because x86 version found /proc/self/wchan and is happy, while the hardened version cannot open it and goes into the backup option to get the info from System.map file

While both should show the same error, the x86 may just avoid it because it found what it need already in wchan and have no need to check System.map

----------

## N8Fear

If you look at the first error occuring it's actually

```
stat("/proc/self/wchan", 0x3849b7b6f80) = -1 ENOENT (No such file or directory) 
```

So you can't read a file from the /proc directory. That is often caused by CONFIG_GRKERNSEC_PROC and friends (the proc restricting kernel options in grsec). The part about system.map is likely just a byproduct of the original error. If it's important that this works you could either lift the proc restrictions alltogether or make it less restrictive (trusted group and friends).

----------

## toralf

 *krinn wrote:*   

> Actually the file may not be there if you forget to mount /boot 
> 
> But i think it's more because x86 version found /proc/self/wchan and is happy, while the hardened version cannot open it and goes into the backup option to get the info from System.map file
> 
> While both should show the same error, the x86 may just avoid it because it found what it need already in wchan and have no need to check System.map

 well, he error msg refers to the point that /usr/src/linux/System.map cannot be *parsed* (it can be opened) - mounting /boot just increases the # of warnings how many System.map couldn't be parsed

Furthermore /me wonders, if /proc/self/wchan is x86 specific or just not there due to the hardened profile ?

----------

## toralf

 *N8Fear wrote:*   

> If you look at the first error occuring it's actually
> 
> ```
> stat("/proc/self/wchan", 0x3849b7b6f80) = -1 ENOENT (No such file or directory) 
> ```
> ...

 But as root I should be allowed to run that command, or ?

And even as root I do still get the error.

----------

