grsecurity forums

[micah]

I've applied the 4.1.4 patch, and compiled the kernel using gcc5. When I try and do a 'exec startx' as a regular user, after logging in, I am unable to use my keyboard and mouse in the graphical environment.

i found part of my problem was because of this:
[ 16.903401] grsec: denied use of ioperm() by /bin/vmmouse_detect[vmmouse_detect:842] uid/euid:0/0 gid/egid:0/0, parent /lib/systemd/systemd-udevd[systemd-udevd:803] uid/euid:0/0 gid/egid:0/0

and another one for ioperm() for /usr/bin/Xorg

I could make those go away by disabling CONFIG_GRKERNSEC_IO, but this surprises me because I am running the latest Xorg, and Debian unstable, and the help information for this option makes it seem like this is only necessary for very old X.

If I disable CONFIG_GRKERNSEC_IO I dont get that error, but I still can't use my keyboard/mouse in X, the only grsec related message i get is:

[ 94.945270] grsec: denied resource overstep by requesting 21 for RLIMIT_NICE against limit 0 for /usr/bin/xinit[xinit:3367] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/startx[startx:2896] uid/euid:1000/1000 gid/egid:1000/1000

[micah]

vmmouse_detect is:

vmmouse_detect is a tool for detecting if running in a VMware environment where vmmouse vmmouse client is enabled, and 1 if not.

I dont use vmware, but the xserver-xorg-input-vmmouse package got installed as a dependency from xserver-xorg-input-all. I can remove that package, but it seems like that is a redherring.

I'm guessing this one was the more interesting one:

grsec: denied use of ioperm() by /usr/bin/Xorg[Xorg:3355] uid/euid:1000/0 gid/egid:1000/0, parent /usr/bin/xinit[xinit:3354] uid/euid:1000/1000 gid/egid:1000/1000

and these entries in the Xorg.log:[ 115.794] (WW) xf86CloseConsole: KDSETMODE failed: Input/output error
[ 115.794] (WW) xf86CloseConsole: VT_GETMODE failed: Input/output error
[ 115.794] (EE)
Fatal server error:
[ 115.794] (EE) xf86CloseConsole: VT_ACTIVATE failed: Input/output error
[ 115.794] (EE)
[ 115.794] (EE)
Please consult the The X.Org Foundation support
at http://wiki.x.org
for help.
[ 115.794] (EE) Please also check the log file at "/var/log/Xorg.0.log" for additional information.
[ 115.794] (EE)
[ 115.794] (WW) xf86CloseConsole: KDSETMODE failed: Input/output error
[ 115.794] (WW) xf86CloseConsole: VT_GETMODE failed: Input/output error
[ 115.794] (EE)
FatalError re-entered, aborting
[ 115.794] (EE) xf86CloseConsole: VT_ACTIVATE failed: Input/output error
[ 115.794] (EE)

[micah]

The ioperm() denial may actually be a red-herring altogether, as discussion on the #grsecurity irc channel has uncovered someone running Ubuntu who gets these denials, but has no issue using X at all.

[micah]

I found this related thread, however it seems as if the issue was fixed when this came up before, maybe the issue came back?

viewtopic.php?f=3&t=4034

[micah]

attempted a few more things, found this:

Aug 05 09:41:33 muck systemd[2798]: Failed to enumerate devices: Permission denied
Aug 05 09:41:33 muck systemd[2798]: Failed to get udev device from devnum 250:0: Permission denied
Aug 05 09:41:33 muck systemd[2798]: Failed to get udev device from devnum 8:17: Permission denied
Aug 05 09:41:33 muck systemd[2798]: Failed to fully start up daemon: Permission denied
Aug 05 09:41:48 muck systemd[2798]: Failed to get udev device from devnum 250:0: Permission denied
Aug 05 09:41:48 muck systemd[2798]: Failed to get udev device from devnum 8:17: Permission denied

[spender]

Looks like you're running with GRKERNSEC_SYSFS_RESTRICT=y. As it says on the config help, it shouldn't be enabled for desktops.

-Brad

[micah]

Looks like you're running with GRKERNSEC_SYSFS_RESTRICT=y. As it says on the config help, it shouldn't be enabled for desktops.
-Brad

thanks, i'll try that.

by the way, the config help doesn't actually say that for this option!