
Bug#605090:



To make my Debian Jessie system work with pax, I had to set pax flags
for these three binaries:

  paxctl -c -m /usr/bin/gnome-shell
  paxctl -c -m /usr/bin/gnome-session
  paxctl -c -m /usr/bin/pulseaudio

If you don't want to modify the binary, you can also set the
attributes in the file system:

  setfattr -n user.pax.flags -v m /usr/bin/gnome-shell
  setfattr -n user.pax.flags -v m /usr/bin/gnome-session
  setfattr -n user.pax.flags -v m /usr/bin/pulseaudio

You will need the `attr` package to run the above commands. See
https://wiki.debian.org/grsecurity/setfattr for more information. It
may make sense to add a suggestion on the grsec kernel package for
attr.

The above allowed me to properly start GDM and to login to my system.
To use iceweasel and other utilities, I had to modify other things. I
also was able to set `kernel.grsecurity.disable_priv_io=0` after
running the setfattr commands above.

I additionally had to set the following to make these programs
"work" with this kernel:

  setfattr -n user.pax.flags -v m /usr/bin/seahorse
  setfattr -n user.pax.flags -v m /usr/bin/iceweasel
  setfattr -n user.pax.flags -v m /usr/bin/chromium
  setfattr -n user.pax.flags -v m /usr/lib/chromium/chromium

For those who care, PulseAudio was also making some log entries about
"denied resource overstep by requesting 25 for RLIMIT_NICE against
limit 0 for /usr/bin/pulseaudio" - I reconfigured it with an edit to
/etc/pulseaudio/daemon.conf to add 'high-priority = no' and the kernel
stopped complaining.

I now only see two grsec denied messages on my Debian Jessie system after boot:

[    9.560994] grsec: denied use of ioperm() by /usr/lib/xorg/Xorg[Xorg:891] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/gdm3[gdm3:885] uid/euid:0/0 gid/egid:0/0
[   12.091674] grsec: denied priority change of process (rtkit-daemon:1066) by /usr/lib/rtkit/rtkit-daemon[rtkit-daemon:1066] uid/euid:107/107 gid/egid:114/114, parent /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0

After login - I see the following grsec messages:

[  448.243314] grsec: denied untrusted exec (due to not being in trusted group and file in non-root-owned directory) of /run/user/1000/orcexec.pIjl0t by /usr/bin/pulseaudio[alsa-source-ALC:1617] uid/euid:1000/1000 gid/egid:1000/1000, parent /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
[  448.243366] grsec: denied untrusted exec (due to not being in trusted group and file in non-root-owned directory) of /home/error/orcexec.iEBctM by /usr/bin/pulseaudio[alsa-source-ALC:1617] uid/euid:1000/1000 gid/egid:1000/1000, parent /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
[  448.243405] grsec: denied untrusted exec (due to not being in trusted group and file in world-writable directory) of /tmp/orcexec.VrI4V4 by /usr/bin/pulseaudio[alsa-source-ALC:1617] uid/euid:1000/1000 gid/egid:1000/1000, parent /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
[  448.999276] grsec: denied RWX mmap of <anonymous mapping> by /usr/share/system-config-printer/applet.py[applet.py:1661] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/gnome-session[x-session-manag:1464] uid/euid:1000/1000 gid/egid:1000/1000
[  448.999349] grsec: denied untrusted exec (due to not being in trusted group and file in world-writable directory) of /tmp/ffixSCBQp by /usr/share/system-config-printer/applet.py[applet.py:1661] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/gnome-session[x-session-manag:1464] uid/euid:1000/1000 gid/egid:1000/1000
[  448.999395] grsec: denied untrusted exec (due to not being in trusted group and file in world-writable directory) of /var/tmp/ffiQhZWhL by /usr/share/system-config-printer/applet.py[applet.py:1661] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/gnome-session[x-session-manag:1464] uid/euid:1000/1000 gid/egid:1000/1000
[  448.999422] grsec: denied untrusted exec (due to not being in trusted group and file in world-writable directory) of /dev/shm/ffi5YViJ6 by /usr/share/system-config-printer/applet.py[applet.py:1661] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/gnome-session[x-session-manag:1464] uid/euid:1000/1000 gid/egid:1000/1000
[  448.999457] grsec: more alerts, logging disabled for 10 seconds
[  449.760884] EXT4-fs (sdb1): mounted filesystem with ordered data mode. Opts: (null)

To eliminate most of those issues, I ran:

  setfattr -n user.pax.flags -v m /usr/bin/seahorse
  setfattr -n user.pax.flags -v m /usr/bin/gjs-console
  setfattr -n user.pax.flags -v m /usr/bin/python

I was left with:

[ 1802.373906] grsec: denied untrusted exec (due to not being in trusted group and file in non-root-owned directory) of /run/user/1000/orcexec.bCtW1V by /usr/bin/pulseaudio[alsa-source-ALC:3038] uid/euid:1000/1000 gid/egid:1000/1000, parent /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
[ 1802.373967] grsec: denied untrusted exec (due to not being in trusted group and file in non-root-owned directory) of /home/error/orcexec.SzaIXb by /usr/bin/pulseaudio[alsa-source-ALC:3038] uid/euid:1000/1000 gid/egid:1000/1000, parent /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
[ 1802.374015] grsec: denied untrusted exec (due to not being in trusted group and file in world-writable directory) of /tmp/orcexec.5bPuTr by /usr/bin/pulseaudio[alsa-source-ALC:3038] uid/euid:1000/1000 gid/egid:1000/1000, parent /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0

I have no idea why PulseAudio is trying to exec anything, but audio
works fine regardless - so I'm just going to ignore it.

After I was finished with my X session, I logged out and grsec emitted
the following:

[ 1275.111624] grsec: denied use of ioperm() by /usr/lib/xorg/Xorg[Xorg:1956] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/gdm3[gdm3:885] uid/euid:0/0 gid/egid:0/0

It might make sense to have a different bug where we track things that
need to be done for user space. That said - this is now my main kernel
- hooray!

Here is my /etc/sysctl.d/grsec.conf file for the above observations:
# Disable privileged io: iopl(2) and ioperm(2)
# Warning: Xorg needs it to be 0
kernel.grsecurity.disable_priv_io = 1

# Chroot restrictions
kernel.grsecurity.chroot_deny_shmat = 1
kernel.grsecurity.chroot_deny_unix = 1
kernel.grsecurity.chroot_deny_mount = 1
kernel.grsecurity.chroot_deny_fchdir = 1
kernel.grsecurity.chroot_deny_chroot = 1
kernel.grsecurity.chroot_deny_pivot = 1
kernel.grsecurity.chroot_enforce_chdir = 1
kernel.grsecurity.chroot_deny_chmod = 1
kernel.grsecurity.chroot_deny_mknod = 1
kernel.grsecurity.chroot_restrict_nice = 1
kernel.grsecurity.chroot_execlog = 1
kernel.grsecurity.chroot_caps = 1
kernel.grsecurity.chroot_deny_sysctl = 1
kernel.grsecurity.chroot_findtask = 1

# Trusted execution
# Add users to the 64040 (grsec-tpe) group to enable them to execute binaries
# from untrusted directories
kernel.grsecurity.tpe = 1
kernel.grsecurity.tpe_gid = 64040
kernel.grsecurity.tpe_invert = 1
kernel.grsecurity.tpe_restrict_all = 1

# Socket restrictions
# If the setting is enabled and a user is added to the relevant group, she won't
# be able to open this kind of socket
kernel.grsecurity.socket_all = 1
kernel.grsecurity.socket_all_gid = 64041
kernel.grsecurity.socket_client = 1
kernel.grsecurity.socket_client_gid = 64042
kernel.grsecurity.socket_server = 1
kernel.grsecurity.socket_server_gid = 64043

# Auditing
kernel.grsecurity.audit_mount = 1
kernel.grsecurity.audit_chdir = 1
kernel.grsecurity.dmesg = 1
kernel.grsecurity.exec_logging = 1
kernel.grsecurity.resource_logging = 1

# Ptrace
kernel.grsecurity.audit_ptrace = 1
kernel.grsecurity.harden_ptrace = 1

# Protect mounts
kernel.grsecurity.romount_protect = 0

# Prevent symlinks/hardlinks exploits (don't follow symlink on world-writable +t
# folders)
kernel.grsecurity.linking_restrictions = 1
# Prevent writing to fifo not owned in world-writable +t folders
kernel.grsecurity.fifo_restrictions = 1
kernel.grsecurity.execve_limiting = 1
kernel.grsecurity.ip_blackhole = 1
kernel.grsecurity.lastack_retries = 4
kernel.grsecurity.signal_logging = 1
kernel.grsecurity.forkfail_logging = 1
kernel.grsecurity.timechange_logging = 1


# PAX
kernel.pax.softmode = 0

# Disable module loading
# This is not a grsecurity setting anymore, but you might still want to disable
# module loading so no code is inserted into the kernel
#kernel.modules_disabled=0

# Once you're satisfied with the settings, set grsec_lock to 1 so no one can
# change grsec sysctls on a running system
kernel.grsecurity.grsec_lock = 1

# vim: filetype=conf:

As a side note, I found that kernel.modules_disabled=1 caused me a
bunch of problems. It might be interesting to ensure that this is
called before GDM3 login but not beforehand...
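The report above works through the grsec denials by hand: read dmesg, decide whether a line is a PaX MPROTECT denial (fix with `user.pax.flags=m` on the binary), a TPE denial (untrusted directory, a policy matter rather than a PaX flag), an `ioperm()` denial (`disable_priv_io`) or a priority-change denial, then write the matching `setfattr` lines. The script below does that triage over the lines quoted in the report. It is an added example for this bug, not code from the reporter, from Debian or from grsecurity/PaX; the category names, the mapping from message text to category and the suggested `setfattr` output are the script's own convention, derived only from the messages quoted above. The sample input is the report's own denial lines re-joined onto single lines, plus the rate-limiting notice and the EXT4 line that followed them.

```python
"""Group grsecurity denial lines from dmesg by the knob that controls them.

Added example for this bug report; not code from the report or from
grsecurity/PaX. Category names and the text-to-category mapping are this
script's own convention, derived from the denial messages quoted in the report.
"""
import re
from collections import Counter

# Constructed input: the denial lines quoted in the report, re-joined onto one
# line each (the mail client wrapped them), plus the two non-denial lines after.
SAMPLE_DMESG = """\
[    9.560994] grsec: denied use of ioperm() by /usr/lib/xorg/Xorg[Xorg:891] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/gdm3[gdm3:885] uid/euid:0/0 gid/egid:0/0
[   12.091674] grsec: denied priority change of process (rtkit-daemon:1066) by /usr/lib/rtkit/rtkit-daemon[rtkit-daemon:1066] uid/euid:107/107 gid/egid:114/114, parent /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
[  448.243314] grsec: denied untrusted exec (due to not being in trusted group and file in non-root-owned directory) of /run/user/1000/orcexec.pIjl0t by /usr/bin/pulseaudio[alsa-source-ALC:1617] uid/euid:1000/1000 gid/egid:1000/1000, parent /lib/systemd/systemd[systemd:1] uid/euid:0/0 gid/egid:0/0
[  448.999276] grsec: denied RWX mmap of <anonymous mapping> by /usr/share/system-config-printer/applet.py[applet.py:1661] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/gnome-session[x-session-manag:1464] uid/euid:1000/1000 gid/egid:1000/1000
[  448.999349] grsec: denied untrusted exec (due to not being in trusted group and file in world-writable directory) of /tmp/ffixSCBQp by /usr/share/system-config-printer/applet.py[applet.py:1661] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/gnome-session[x-session-manag:1464] uid/euid:1000/1000 gid/egid:1000/1000
[  448.999457] grsec: more alerts, logging disabled for 10 seconds
[  449.760884] EXT4-fs (sdb1): mounted filesystem with ordered data mode. Opts: (null)
"""

TS_RE = re.compile(r"^\[\s*(?P<ts>\d+\.\d+)\]")
DENIAL_RE = re.compile(
    r"grsec: denied (?P<what>.+?) by (?P<exe>\S+?)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+) gid/egid:(?P<gid>\d+)/(?P<egid>\d+)"
    r"(?:, parent (?P<pexe>\S+?)\[(?P<pcomm>[^:\]]+):(?P<ppid>\d+)\])?"
)
TARGET_RE = re.compile(r"\bof (.+)$")


def classify(what):
    """Map the denial text to the knob that controls it (this script's naming)."""
    if what.startswith("untrusted exec"):
        return "tpe"            # kernel.grsecurity.tpe*: exec from an untrusted dir
    if "RWX mmap" in what or "RWX mprotect" in what:
        return "pax_mprotect"   # PaX MPROTECT; the 'm' flag relaxes it per binary
    if "ioperm()" in what or "iopl()" in what:
        return "priv_io"        # kernel.grsecurity.disable_priv_io
    if what.startswith("priority change"):
        return "nice"           # RLIMIT_NICE / priority restrictions
    return "other"


def parse_denials(text):
    """Return one dict per 'grsec: denied ...' line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = DENIAL_RE.search(line)
        if not m:
            continue
        ts = TS_RE.match(line)
        what = m.group("what")
        cat = classify(what)
        # Only TPE and MPROTECT denials name a target after "of"; the ioperm()
        # text also contains "of" but it is not a file, so skip it there.
        tgt = TARGET_RE.search(what) if cat in ("tpe", "pax_mprotect") else None
        events.append({
            "ts": float(ts.group("ts")) if ts else None,
            "category": cat, "what": what,
            "target": tgt.group(1) if tgt else None,
            "exe": m.group("exe"), "comm": m.group("comm"), "pid": int(m.group("pid")),
            "uid": int(m.group("uid")), "euid": int(m.group("euid")),
            "gid": int(m.group("gid")), "egid": int(m.group("egid")),
            "parent_exe": m.group("pexe"),
        })
    return events


def suppressed_windows(text):
    """Each 'more alerts, logging disabled' line means the counts for that
    window are a lower bound; report it rather than trusting the numbers."""
    return sum(1 for line in text.splitlines() if "logging disabled" in line)


def summarize(events):
    """(category, exe) -> count, so the noisiest binary per knob stands out."""
    return Counter((e["category"], e["exe"]) for e in events)


def suggest_commands(events):
    """Proposed setfattr lines for MPROTECT denials, mirroring what the report
    does by hand. Lines are returned, never executed: review them first. When
    the logged exe is a script the flag belongs on its interpreter (the
    reporter flagged /usr/bin/python), so that case is flagged, not emitted."""
    out = []
    for exe in sorted({e["exe"] for e in events if e["category"] == "pax_mprotect"}):
        if exe.endswith((".py", ".pl", ".sh", ".rb")):
            out.append(f"# {exe}: set user.pax.flags=m on its interpreter, not the script")
        else:
            out.append(f"setfattr -n user.pax.flags -v m {exe}")
    return out


def report(text):
    events = parse_denials(text)
    lines = [f"{cat:13s} {n:4d}  {exe}" for (cat, exe), n in sorted(summarize(events).items())]
    lines += suggest_commands(events)
    gaps = suppressed_windows(text)
    if gaps:
        lines.append(f"# rate limiting dropped alerts {gaps} time(s); counts are lower bounds")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    print(report(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DMESG))
```

Run it as `dmesg | python3 triage.py /dev/stdin` (or with no argument to use the embedded sample). The TPE rows are the ones a PaX flag will not fix: they are decided by `kernel.grsecurity.tpe*` and group membership, which is why the pulseaudio `orcexec.*` denials in the report survive every `setfattr` run. The `logging disabled` notice matters for the same reason the reporter's post-login burst is hard to read: once grsec rate-limits, the counts understate what was denied in that window.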

