Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in

  FAQ | Search | Memberlist | Usergroups | Statistics | Profile | Log in to check your private messages | Log in | Register

hardened-sources on the desktop
 View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
serafean
n00b
n00b


Joined: 11 Apr 2016
Posts: 21
PostPosted: Wed Feb 22, 2017 6:08 pm    Post subject: hardened-sources on the desktop Reply with quote
Hi,

Not sure if this belongs to "security" or "desktop", move as appropriate.

I'm trying to run hardened-sources on the desktop (KDE and Kodi). The box boots to console OK, but ntp and GUI applications are a problematic.
NTP:
Code:
grsec: use of CAP_NET_ADMIN in chroot denied for /usr/sbin/ntpd[ntpd:952] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/ntpd[ntpd:926] uid/euid:0/0 gid/egid:0/0

I googled, and am a bit lost where the chroot comes from...

GUI apps:

First off, I had to disable CONFIG_GRKERNSEC_SYSFS_RESTRICT because for some reason GL apps (like kwin) need to access /sys/dev/char/226:0/device/uevent.

Now all KDE applications have logs in the kernel log :
Code:
grsec: denied RWX mmap of <anonymous mapping> by /usr/bin/konsole[konsole:1825] uid/euid:1002/1002 gid/egid:1002/1002, parent /usr/bin/kdeinit5[kdeinit5:1701] uid/euid:1002/1002 gid/egid:1002/1002


Kodi has the same :
Code:
denied RWX mmap of <anonymous mapping> by /usr/lib64/kodi/kodi.bin[kodi.bin:2336] uid/euid:1001/1001 gid/egid:1001/1001, parent /usr/bin/kodi[kodi:2300] uid/euid:1001/1001 gid/egid:1001/1001


Kodi starts and runs more or less OK (with a crazy memory leak). KDE is unusable.

Anyone able to give me any pointers for a workable "hardened" desktop?

Thanks.
Back to top
View user's profile Send private message
enZom
n00b
n00b


Joined: 13 Nov 2015
Posts: 30
Location: In a sandbox
PostPosted: Sun Mar 26, 2017 5:26 pm    Post subject: Reply with quote
What you wanna look into is paxctl. Paxctl controls grsecurity's protections.

Imo read up on paxctl first, it's disabling the protections. -> man paxctl or just type paxctl and checkout the options.
paxctl -c /usr/bin/kodi
paxctl -C /usr/bin/kodi
paxctl -m /usr/bin/kodi
yada yada
Back to top
View user's profile Send private message
ntnn
n00b
n00b


Joined: 20 Mar 2017
Posts: 10
PostPosted: Mon Mar 27, 2017 8:25 am    Post subject: Reply with quote
Instead of paxctl you should use paxctl-ng, which is setting both PT_PAX and XATTR_PAX.
See the wiki page: https://wiki.gentoo.org/wiki/Hardened/PaX_Quickstart#paxctl-ng
Back to top
View user's profile Send private message
enZom
n00b
n00b


Joined: 13 Nov 2015
Posts: 30
Location: In a sandbox
PostPosted: Mon Mar 27, 2017 5:47 pm    Post subject: Reply with quote
ntnn wrote:
Instead of paxctl you should use paxctl-ng, which is setting both PT_PAX and XATTR_PAX.
See the wiki page: https://wiki.gentoo.org/wiki/Hardened/PaX_Quickstart#paxctl-ng

thx for the linkage, I didn't realize there was any info around for this.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum



 Links: forums.gentoo.org | www.gentoo.org | bugs.gentoo.org | wiki.gentoo.org | forum-mods@gentoo.org

Copyright 2001-2025 Gentoo Foundation, Inc. Designed by Kyle Manna © 2003; Style derived from original subSilver theme. | Hosting by Gossamer Threads Inc. © | Powered by phpBB 2.0.23-gentoo-p11 © 2001, 2002 phpBB Group
Privacy Policy