grsec: denied kernel module auto-load of fuse


Post by Utini » Sat Jan 02, 2016 2:59 pm

Hey there,
today I switched to linux-grsec by installing the kernel + paxd. After booting linux-grsec the first time I encountered a few errors which I displayed with "sudo dmesg":

Code:
[    3.763114] grsec: denied kernel module auto-load of fuse by uid 120
[    9.873579] grsec: denied kernel module auto-load of fuse by uid 1000


When starting iceweasel:

Code:
[  151.744072] grsec: denied RWX mmap of <anonymous mapping> by /usr/lib/iceweasel/iceweasel[iceweasel:1509] uid/euid:1000/1000 gid/egid:100/100, parent /usr/lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0



Complete "sudo dmesg" output:
http://pastebin.com/SMvsefYv

I couldn't really find anything on Google, but I believe that it isn't wise to have grsec block auto-load? And iceweasel shouldn't be blocked either :(

Any ideas what I need to configure/change in grsec/paxd?

Thanks!
Utini
 
Posts: 4
Joined: Sat Jan 02, 2016 2:53 pm

Re: grsec: denied kernel module auto-load of fuse

Post by spender » Sat Jan 02, 2016 3:59 pm

If you want fuse to be loaded into the kernel, then simply modify /etc/rc.local to do a 'modprobe fuse'

Preventing auto-loading of kernel modules by unprivileged users is part of MODHARDEN and what you're seeing is it working as intended. It's our view that introducing new code into the kernel is a privileged operation that should not be performed by unprivileged accounts on the system.

Iceweasel generates code at runtime, therefore it needs MPROTECT disabled on it. I don't know what mechanism Debian prefers for doing this (perhaps paxd as you mentioned) so follow whatever documentation is provided there. You may be able to simply do:
Code:
setfattr -n user.pax.flags -v "em" /usr/lib/iceweasel/iceweasel


-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: grsec: denied kernel module auto-load of fuse

Post by Utini » Sat Jan 02, 2016 4:07 pm

Oh thanks for that info.

To be honest, I don't know what fuse is, what it does and what it is good/bad for. And now I am wondering whether I should use fuse (which I guess so since it is part of Arch Linux?) or not (but could that potentially break things?).

Thanks in advance :)

@edit: for iceweasel I already answered in this thread but my post is waiting for approval: viewtopic.php?f=3&t=3980&start=15
Utini
 
Posts: 4
Joined: Sat Jan 02, 2016 2:53 pm

Re: grsec: denied kernel module auto-load of fuse

Post by strcat » Sat Jan 09, 2016 4:14 pm

Your file manager probably wants to use it for functionality like trash, using archives as file systems, etc. If you do want it to work, just `echo fuse > /etc/modules-load.d/fuse.conf` and `modprobe fuse` to make it work before rebooting.

I didn't have an exception for iceweasel in the default paxd.conf. I added it but I don't want to tag a release right now, so just do the same locally in /etc/paxd.conf for now:

https://github.com/thestinger/paxd/comm ... f04e4be3da
strcat
 
Posts: 20
Joined: Tue Jun 10, 2014 12:22 pm
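
A way to triage the two kinds of denial discussed in the posts above (MODHARDEN auto-load denials and MPROTECT RWX mmap denials), as an added example that is not part of any post in this thread. The function names are hypothetical, and the sample lines are the ones quoted in the first post.

```shell
#!/bin/sh
# Added example: triage grsecurity denial lines from dmesg output.

# The three log lines quoted in the first post of this thread.
sample_log() {
cat <<'EOF'
[    3.763114] grsec: denied kernel module auto-load of fuse by uid 120
[    9.873579] grsec: denied kernel module auto-load of fuse by uid 1000
[  151.744072] grsec: denied RWX mmap of <anonymous mapping> by /usr/lib/iceweasel/iceweasel[iceweasel:1509] uid/euid:1000/1000 gid/egid:100/100, parent /usr/lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
EOF
}

# "module uid" pairs for MODHARDEN auto-load denials, de-duplicated.
# The name is whatever was requested, so anything that is not a plain
# module name is dropped instead of being turned into a file name later.
denied_modules() {
    sed -n 's|.*grsec: denied kernel module auto-load of \([^ ]*\) by uid \([0-9][0-9]*\).*|\1 \2|p' \
        | grep -E '^[A-Za-z0-9_-]+ [0-9]+$' | LC_ALL=C sort -u
}

# Absolute paths of binaries whose RWX mmap was denied (MPROTECT).
denied_rwx_binaries() {
    sed -n 's|.*grsec: denied RWX mmap of .* by \(/[^[]*\)\[.*|\1|p' | LC_ALL=C sort -u
}

# Read a kernel log on stdin and print one review item per finding.
# Nothing is changed on the system; the admin decides what to allow.
triage() {
    log=$(cat)
    printf '%s\n' "$log" | denied_modules | while read -r mod uid; do
        printf 'module %s: auto-load requested by uid %s; if wanted, list it in /etc/modules-load.d/%s.conf\n' \
            "$mod" "$uid" "$mod"
    done
    printf '%s\n' "$log" | denied_rwx_binaries | while read -r bin; do
        printf 'binary %s: RWX mmap denied; needs an MPROTECT exception only if it generates code at runtime\n' "$bin"
    done
}

sample_log | triage
```

On a live system, pipe `dmesg` into `triage` instead of `sample_log`.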

Re: grsec: denied kernel module auto-load of fuse

Post by strcat » Sat Jan 09, 2016 4:17 pm

FWIW, it would be helpful if you could test without the PAGEEXEC exception (p). I'd like to remove those for the SpiderMonkey-based projects but I don't have time to thoroughly test it myself. Last time I tried, there were still occasional crashes even after they supposedly fixed it.
strcat
 
Posts: 20
Joined: Tue Jun 10, 2014 12:22 pm

Re: grsec: denied kernel module auto-load of fuse

Post by PaX Team » Sun Jan 10, 2016 10:30 pm

strcat wrote: Last time I tried, there were still occasional crashes even after they supposedly fixed it.
according to http://jandemooij.nl/blog/2014/02/18/us ... 2286527152 you can set JS_DISABLE_SLOW_SCRIPT_SIGNALS=1 and get rid of those dreaded mprotects... reading that blog and the linked bugzilla entries shows just how much of a clusterfuck this whole idea is.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: grsec: denied kernel module auto-load of fuse

Post by Utini » Sun Jan 17, 2016 5:58 pm

Well as root I did:

echo fuse > /etc/modules-load.d/fuse.conf
modprobe fuse

After reboot I get stuck at loading the kernel with the following error:
snd_hda_intel 0000:00:03.0: failed to add i915 component master (-19)

Code:
sneida@_____:~$ optirun screenfetch
                   -`
                  .o+`                 sneida@_____
                 `ooo/                 OS: Arch Linux
                `+oooo:                Kernel: x86_64 Linux 4.3.3-2-ARCH
               `+oooooo:               Uptime: 2m
               -+oooooo+:              Packages: 882
             `/:-:++oooo+:             Shell: optirun screenfetch
            `/++++/+++++++:            Resolution: 3200x1800
           `/++++++++++++++:           DE: Gnome
          `/+++ooooooooooooo/`         WM: GNOME Shell
         ./ooosssso++osssssso+`        WM Theme: Adwaita
        .oossssso-````/ossssss+`       GTK Theme: Numix [GTK2/3]
       -osssssso.      :ssssssso.      Icon Theme: Numix-Circle
      :osssssss/        osssso+++.     Font: Cantarell 11
     /ossssssss/        +ssssooo/-     CPU: Intel Core i7-4702HQ CPU @ 3.2GHz
   `/ossssso+/:-        -:/+osssso+-   GPU: GeForce GT 750M
  `+sso+:-`                 `.-/+oso:  RAM: 1224MiB / 15955MiB
 `++:.                           `-/+/
 .`                                 `/
Utini
 
Posts: 4
Joined: Sat Jan 02, 2016 2:53 pm

