vnd n00b
Joined: 28 Jan 2011 Posts: 19
Posted: Fri Jan 28, 2011 5:24 pm Post subject: [Solved] Nvidia + GRSecurity |
Hi, I used to use the open source nouveau drivers with hardened-sources - there were no problems with them. A few days ago I decided to look closer into CUDA technology, and my first step was installing nvidia-drivers from portage. In fact, there were some notes about Nvidia driver incompatibility with GRSecurity, but I ignored them because I wanted to check how it would work. I also removed everything connected with the previous driver from the kernel and changed VIDEO_CARDS to 'nvidia' before updating the system. The Xorg server ran perfectly after generating a new config file. The first problem occurred when running OpenGL applications like glxgears or cairo-dock - PaX was killing the processes because of mprotect restrictions. After changing some executable flags (paxctl -m), cairo-dock started up as before, but glxgears and other applications threw another warning message:
Code: | Xlib: extension "GLX" missing on display ":0.0".
Error: couldn't get an RGB, Double-buffered visual |
I've searched the forums looking for some information, but I haven't found anything useful. The posts were either too old or related to a different topic, so I decided to create a new one.
Here’s my configuration:
Code: | vnd@vndbox ~ $ uname -rm
2.6.36-hardened-r6 x86_64
vnd@vndbox ~ $ eselect opengl show
nvidia
vnd@vndbox ~ $ equery which xorg-server
/usr/portage/x11-base/xorg-server/xorg-server-1.9.2.ebuild
vnd@vndbox ~ $ equery which nvidia-drivers
/usr/portage/x11-drivers/nvidia-drivers/nvidia-drivers-260.19.29.ebuild
vnd@vndbox ~ $ equery which nvidia-settings
/usr/portage/media-video/nvidia-settings/nvidia-settings-260.19.29.ebuild
vnd@vndbox ~ $ equery which mesa
/usr/portage/media-libs/mesa/mesa-7.9.ebuild
vnd@vndbox ~ $ cat /etc/make.conf | grep USE
USE="X acpi alsa bluetooth bzip2 cairo cdda cdr crypt cxx dbus dell dri dvd dvdr encode ffmpeg gallium gd gnome gnutls gphoto2 gpm gstreamer gtk hal hardened iconv ipod java jpeg jpeg2k laptop libnotify mad memlimit mime mmap mmx mp3 mp4 mpeg mplayer multilib nautilus nsplugin ogg opengl pam pcmcia pdf php png posix python raw readline socks5 spell sse sse2 ssse3 ssl svg threads truetype udev unicode usb vim-syntax wifi xcomposite xscreensaver xvid -cups -kde qt3 qt3support qt4"
vnd@vndbox ~ $ cat /etc/make.conf | grep VIDEO_CARDS
VIDEO_CARDS="nvidia" # "nouveau" |
Another interesting thing is that glxinfo throws a segmentation fault after printing some useless info:
Code: | vnd@vndbox ~ $ glxinfo
glxinfo: error while loading shared libraries: libGL.so.1: failed to map segment from shared object: Operation not permitted
vnd@vndbox ~ $ sudo paxctl -m /usr/bin/glxinfo
vnd@vndbox ~ $ glxinfo
name of display: :0.0
Xlib: extension "GLX" missing on display ":0.0".
( ... )
Xlib: extension "GLX" missing on display ":0.0".
Error: couldn't find RGB GLX visual or fbconfig
Xlib: extension "GLX" missing on display ":0.0".
( ... )
Xlib: extension "GLX" missing on display ":0.0".
84 GLXFBConfigs:
visual x bf lv rg d st colorbuffer ax dp st accumbuffer ms cav
id dep cl sp sz l ci b ro r g b a bf th cl r g b a ns b eat
----------------------------------------------------------------------
Segmentation fault |
/etc/X11/xorg.conf:
Code: | Section "ServerLayout"
Identifier "X.org Configured"
Screen 0 "Screen0" 0 0
InputDevice "Mouse0" "CorePointer"
InputDevice "Keyboard0" "CoreKeyboard"
EndSection
Section "Files"
ModulePath "/usr/lib64/xorg/modules"
FontPath "/usr/share/fonts/misc/"
FontPath "/usr/share/fonts/TTF/"
FontPath "/usr/share/fonts/OTF/"
FontPath "/usr/share/fonts/Type1/"
FontPath "/usr/share/fonts/100dpi/"
FontPath "/usr/share/fonts/75dpi/"
EndSection
Section "Module"
Load "glx"
Load "dbe"
Load "record"
Load "extmod"
EndSection
Section "InputDevice"
Identifier "Keyboard0"
Driver "kbd"
EndSection
Section "InputDevice"
Identifier "Mouse0"
Driver "mouse"
Option "Protocol" "auto"
Option "Device" "/dev/input/mice"
Option "ZAxisMapping" "4 5 6 7"
EndSection
Section "Monitor"
Identifier "Monitor0"
VendorName "Monitor Vendor"
ModelName "Monitor Model"
EndSection
Section "Device"
Identifier "Card0"
Driver "nvidia"
Option "AddARGBGLXVisuals" "True"
Option "NoLogo" "True"
BusID "PCI:1:0:0"
EndSection
Section "Screen"
Identifier "Screen0"
Device "Card0"
Monitor "Monitor0"
SubSection "Display"
Viewport 0 0
Depth 16
EndSubSection
SubSection "Display"
Viewport 0 0
Depth 24
EndSubSection
EndSection |
Any help would be nice.
Last edited by vnd on Sat Jan 29, 2011 10:14 am; edited 1 time in total |
causality Apprentice
Joined: 03 Jun 2006 Posts: 236
Posted: Sat Jan 29, 2011 12:49 am Post subject: |
Hello,
I also use Gentoo Hardened and have always used the proprietary nVidia drivers.
FYI, you can usually get more information about these errors by checking /var/log/pax.log and /var/log/grsec.log.
I am familiar with the error messages you received, which come from the PaX system:
Code: | glxgears: error while loading shared libraries: libGL.so.1: failed to map segment from shared object: Operation not permitted |
That almost always indicates that the binary (in this case, /usr/bin/glxgears) has not had the mprotect() restrictions lifted.
If you run "paxctl -v /usr/bin/glxgears" I believe this is what you will see:
Code: | localhost ~ # paxctl -v /usr/bin/glxgears
PaX control v0.5
Copyright 2004,2005,2006,2007 PaX Team <pageexec@freemail.hu>
- PaX flags: -------x-e-- [/usr/bin/glxgears]
RANDEXEC is disabled
EMUTRAMP is disabled
|
A working glxgears on a system like yours or mine needs to look like this:
Code: | localhost ~ # paxctl -v /usr/bin/glxgears
PaX control v0.5
Copyright 2004,2005,2006,2007 PaX Team <pageexec@freemail.hu>
- PaX flags: -----m-x-e-- [/usr/bin/glxgears]
MPROTECT is disabled
RANDEXEC is disabled
EMUTRAMP is disabled
|
Your /usr/bin/Xorg (/usr/bin/X is a symlink to /usr/bin/Xorg) needs to have the same PaX flags. I believe it does not have them, and the lack of them is why it could not load the GLX extension. Check your /var/log/Xorg.0.log file and you are likely to see similar "operation not permitted" errors.
For a desktop user, the mprotect() restriction is easily the most troublesome one offered by PaX. It is a good protection and the security offered by PaX is not complete without it, but you will experience these issues any time you upgrade or otherwise re-emerge packages that want to use GLX (including things like mplayer). If you set the correct flags for glxgears now, and later a new version of glxgears is emerged as part of a system update, you will have to set the PaX flags for glxgears again, since "paxctl" operates on files and the new version replaces the old file.
Personally, I deal with this with a simple script I wrote containing all the "paxctl" commands I need to set all the needed flags for all my binaries that need them. I just run this script (as root of course) whenever I emerge something that I know will need those flags. That works for me and is no real burden now that I am familiar with how PaX works, but you will need to find some way to manage this if you want mprotect() protections on a desktop system. Systems intended to be servers are a different story, as they don't typically need OpenGL and 3D graphics.
You may want to decide whether you really need the mprotect() restrictions in order to achieve the level of security you need. You will also have issues emerging amarok and wine -- the configure part of the build process will get killed off by PaX for both of these if you use mprotect() restrictions, causing the emerge to fail. There are (manual, hackish) ways to work around that, but in both cases it is not a bug or a flaw; it is really the mprotect() restriction working as designed. |
vnd n00b
Posted: Sat Jan 29, 2011 10:10 am Post subject: |
Thanks, I forgot about changing my Xorg flags. Now glxgears shows even better statistics than before. :)
For other people with the same problem, these commands should make your programs work:
Code: | paxctl -m /usr/bin/Xorg
paxctl -m $name |
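Causality's advice above (keep a script of paxctl commands and re-run it after every emerge, because paxctl marks the file and a re-emerged binary loses the mark) and vnd's closing `paxctl -m /usr/bin/Xorg` / `paxctl -m $name` commands are the same maintenance task. The script below is an added example, not code from either poster or from the PaX project: a POSIX sh script that reads the `paxctl -v` flag field for each binary in a list, leaves alone the ones that already carry a lowercase `m` (MPROTECT disabled, as in causality's second listing), and only then calls `paxctl -m`. The binary list, the `PAX_APPLY=1` trigger and the fallback to `paxctl -c` (convert PT_GNU_STACK into a PT_PAX_FLAGS header) are assumptions for the example; edit the list for your own system.

```shell
#!/bin/sh
# Re-apply "MPROTECT disabled" PaX marks after an emerge (added example).
# Assumed list: only binaries that really need RWX mappings belong here.
PAX_MPROTECT_OFF="/usr/bin/Xorg /usr/bin/glxgears /usr/bin/glxinfo"

# Pull the flag field out of `paxctl -v` output, e.g.
#   "- PaX flags: -----m-x-e-- [/usr/bin/glxgears]"  ->  "-----m-x-e--"
# Prints nothing when the line is absent (paxctl failed, or the file has
# no PT_PAX_FLAGS header yet).
pax_flags_from_output() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*- PaX flags: \([-A-Za-z]*\) .*/\1/p'
}

# True (0) when the field carries a lowercase m, i.e. MPROTECT has been
# explicitly disabled for that binary; uppercase M or '-' means it is on.
pax_mprotect_off() {
    case "$1" in
        *m*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Mark one binary. If paxctl refuses because there is no PT_PAX_FLAGS
# header, convert it first with -c (assumption for this example) and retry.
pax_mark_mprotect_off() {
    paxctl -m "$1" 2>/dev/null || { paxctl -c "$1" && paxctl -m "$1"; }
}

# Walk the list: skip files that are not installed, report the ones already
# marked, mark the rest. One "skip|ok|fix <path>" line per entry for auditing.
pax_apply() {
    for bin in $PAX_MPROTECT_OFF; do
        if [ ! -f "$bin" ]; then
            echo "skip $bin (not installed)"
            continue
        fi
        flags=$(pax_flags_from_output "$(paxctl -v "$bin" 2>/dev/null)")
        if pax_mprotect_off "$flags"; then
            echo "ok   $bin ($flags)"
        else
            echo "fix  $bin (${flags:-no PT_PAX_FLAGS header})"
            pax_mark_mprotect_off "$bin" || echo "FAILED $bin" >&2
        fi
    done
}

# Only touch binaries when explicitly asked, so the file can also be sourced
# for its functions. Usage (as root):  PAX_APPLY=1 sh ./pax-marks.sh
if [ "${PAX_APPLY:-0}" = 1 ]; then
    pax_apply
fi
```

Because the loop checks the existing mark first, the script is safe to run after every `emerge` without rewriting headers that are already correct, and the `fix` lines tell you exactly which packages the update replaced. Each `m` mark removes a PaX protection from that one binary, so keep the list to the X server and the GLX clients that actually fail, rather than marking everything that complains.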