"Deny server sockets to group" not working as expected

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Moderators: spender, PaX Team


Post by martinvegter » Tue Feb 03, 2015 4:57 pm

I have compiled kernel with CONFIG_GRKERNSEC_SOCKET_SERVER enabled:

[*] Socket restrictions 
 [ ]   Deny any sockets to group (NEW) 
 [ ]   Deny client sockets to group (NEW)
 [*]   Deny server sockets to group


I expected this would only prevent opening listening (server) ports and allow client ports.

However, when I start the chrome browser, I get the following errors in the log (and the browser does not start):

 grsec: denied bind() by /usr/lib/chromium/chromium[NetworkChangeNo:3920]
 grsec: denied bind() by /usr/lib/chromium/chromium[WorkerPool/3922:3922]
 grsec: denied bind() by /usr/lib/chromium/chromium[Chrome_IOThread:3934]
 grsec: denied bind() by /usr/lib/chromium/chromium[NetworkChangeNo:3966]
 grsec: denied bind() by /usr/lib/chromium/chromium[WorkerPool/3968:3968]
 grsec: denied bind() by /usr/lib/chromium/chromium[Chrome_IOThread:3980]


When I start chrome from the terminal, I see the following error message:

[8539:8552:0204/102542:ERROR:address_tracker_linux.cc(138)] Could not bind NETLINK socket: Permission denied
libudev: udev_monitor_enable_receiving: bind failed: Permission denied
[8539:8566:0204/102542:FATAL:udev_linux.cc(31)] Check failed: 0 == ret (0 vs. -1)
Aborted


Other clients such as telnet and nc work OK, e.g.:

nc www.google.com 80
telnet www.google.com 80


Does anybody know why chrome does not start?


UPDATE:
Firefox browser works fine. After some more investigation, this seems to be a problem limited to the chrome (chromium) browser, not caused by grsecurity.
But just in case anybody has any insight, I would appreciate it very much.
martinvegter
 
Posts: 6
Joined: Tue Jan 27, 2015 8:49 am
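An added diagnostic (my code, not from the post, grsecurity or Chromium): it parses the grsec denial lines quoted above and then performs the same kind of call that address_tracker_linux.cc reports failing, a bind() on a NETLINK_ROUTE socket by a process that subscribes to multicast groups and never calls listen(). Assumptions: the multicast group set is mine (Chromium's exact set is not in the post), and the log format is inferred only from the three lines shown.

```python
import errno
import re
import socket

# rtnetlink multicast groups from <linux/rtnetlink.h>. Assumption: Chromium's address
# tracker subscribes to a set like this; the exact set is not stated in the post.
RTMGRP_LINK = 0x1
RTMGRP_NOTIFY = 0x2
RTMGRP_IPV4_IFADDR = 0x10
RTMGRP_IPV6_IFADDR = 0x100
ADDRESS_TRACKER_GROUPS = RTMGRP_LINK | RTMGRP_NOTIFY | RTMGRP_IPV4_IFADDR | RTMGRP_IPV6_IFADDR

# Lines copied from the post; format is "grsec: denied <syscall>() by <path>[<comm>:<pid>]".
SAMPLE_LOG = [
    "grsec: denied bind() by /usr/lib/chromium/chromium[NetworkChangeNo:3920]",
    "grsec: denied bind() by /usr/lib/chromium/chromium[WorkerPool/3922:3922]",
    "grsec: denied bind() by /usr/lib/chromium/chromium[Chrome_IOThread:3934]",
]
DENIAL_RE = re.compile(
    r"grsec: denied (?P<syscall>\w+)\(\) by (?P<path>\S+?)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\]"
)

def parse_grsec_denials(lines):
    """Return (syscall, path, comm, pid) for every grsec denial line; other lines are skipped."""
    found = []
    for line in lines:
        m = DENIAL_RE.search(line)
        if m:
            found.append((m["syscall"], m["path"], m["comm"], int(m["pid"])))
    return found

def probe_netlink_bind(groups=ADDRESS_TRACKER_GROUPS):
    """bind() a NETLINK_ROUTE socket to multicast groups as a notification-only client does
    (no listen()). Returns 'ok', 'denied' (EACCES, Chromium's "Permission denied") or 'unsupported'."""
    try:
        sock = socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, socket.NETLINK_ROUTE)
    except (OSError, AttributeError):  # AttributeError: non-Linux Python has no AF_NETLINK
        return "unsupported"
    try:
        sock.bind((0, groups))  # nl_pid 0: kernel assigns the port id; nl_groups: subscriptions
    except OSError as e:
        return "denied" if e.errno in (errno.EACCES, errno.EPERM) else "unsupported"
    finally:
        sock.close()
    return "ok"

if __name__ == "__main__":
    for syscall, path, comm, pid in parse_grsec_denials(SAMPLE_LOG):
        print(f"denied {syscall}() in {path} (thread {comm}, pid {pid})")
    print("unprivileged netlink bind() on this kernel:", probe_netlink_bind())
```

Run it as the same unprivileged user that starts Chromium: a 'denied' result reproduces the "Could not bind NETLINK socket" failure without launching the browser, while 'ok' points the investigation away from the bind() restriction.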
