On dim., 2015-12-20 at 23:14 +0000, Jacob Appelbaum wrote: > To make my Debian Jessie system work with pax, I had to set pax flags > for these three binaries: > > paxctl -c -m /usr/bin/gnome-shell > paxctl -c -m /usr/bin/gnome-session > paxctl -c -m /usr/bin/pulseaudio > > If you don't want to modify the binary, you can also set the > attributes in the file system: > > setfattr -n user.pax.flags -v m /usr/bin/gnome-shell > setfattr -n user.pax.flags -v m /usr/bin/gnome-session > setfattr -n user.pax.flags -v m /usr/bin/pulseaudio For people reading this at home. Don't just blindly apply those commands to your system, please check the grsecurity/PaX documentation before. You can find bits of them at https://en.wikibooks.org/wiki/Grsecurity > > You will need the `attr` package to run the above command. See > https://wiki.debian.org/grsecurity/setfattr for more information. It > may make sense to add a suggestion on the grsec kernel package for > attr. I can do that. > > The above allowed me to properly start GDM and to login to my system. > To use iceweasel and other utilities, I had to modify other things. I > also was able to set `kernel.grsecurity.disable_priv_io=0` after > running the setfattr commands above. Good to know. With modesetting drivers I think privileged I/O is not useful anymore in Xorg. > > I additionally had to set the following to make the following programs > "work" with this kernel: > > setfattr -n user.pax.flags -v m /usr/bin/seahorse > setfattr -n user.pax.flags -v m /usr/bin/iceweasel > setfattr -n user.pax.flags -v m /usr/bin/chromium > setfattr -n user.pax.flags -v m /usr/lib/chromium/chromium > > For those who care pulse audio was also making some log entries about > "denied resource overstep by requesting 25 for RLIMIT_NICE against > limit 0 for /usr/bin/pulseaudio" - I reconfigured it with an edit to > /etc/pulseaudio/daemon.conf to add 'high-priority = no' and the kernel > stopped complaining. Ok. > > > > It might make sense to have a different bug where we track things that > need to be done for user space. That said - this is now my main kernel > - hooray! You can try to open relevant bugs to the relevant packages, but in some case it'll just be closed as “wontfix” because the package really needs rewritable code segments, or upstream doesn't have manpower to change it, or whatever. > > > As a side note, I found that kernel.modules_disabled=1 caused me a > bunch of problems. It might be interesting to ensure that this is > called before GDM3 login but not beforehand... Indeed, modules_disabled=1 is really restrictive, but it also prevents a robust way to prevent inserting code in the kernel, and improving the userspace/kernelspace barrier. I mostly use it on server boxes, where I first run a standard kernel, do everything I need to do, then pick all loaded modules from lsmod and put them in /etc/initramfs-tools/modules to have them loaded from the initramfs. Then set kernel.modules_disabled=1 to prevent any further modification to the running kernel. Regards, -- Yves-Alexis
Attachment:
signature.asc
Description: This is a digitally signed message part