| 1 |
Hi, |
| 2 |
|
| 3 |
I successfully switched to hardened profile during the last week and it was |
| 4 |
quite painless. I think I can hand out some praise for the great work done |
| 5 |
on Gentoo Hardened. :) |
| 6 |
|
| 7 |
Just one thing puzzles me a bit. I activated pax in hardened sources and |
| 8 |
this resulted in quite some segfaulting processes due to mprotect. I found |
| 9 |
lines like the following in the logs. |
| 10 |
|
| 11 |
Jul 13 17:09:41 localhost kernel: [ 286.180994] grsec: denied RWX mprotect of /lib64/ld-2.13.so by /usr/bin/python2.7[decibel-audio-p:6393] uid/euid:1000/1000 gid/egid:1005/1005, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0 |
| 12 |
|
| 13 |
I remedied this with paxctl -m /usr/bin/python2.7 and similar, but the list |
| 14 |
[1] of binaries where I had to do this includes some stuff, where mprotect |
| 15 |
would be quite useful (sudo, polkitd, etc.). Also I didn't see a note in the |
| 16 |
docs (which otherwise are really helpful :) about what to expect for |
| 17 |
excpetions from mprotect. Is this expected behaviour or have I made some |
| 18 |
mistake in my configuration? |
| 19 |
|
| 20 |
|
| 21 |
Markus |
| 22 |
|
| 23 |
[1] |
| 24 |
/usr/lib64/courier/courier-authlib/authdaemond |
| 25 |
/usr/sbin/console-kit-daemon |
| 26 |
/usr/libexec/polkitd |
| 27 |
/usr/bin/xfconf-query |
| 28 |
/usr/lib64/xfce4/xfconf/xfconfd |
| 29 |
/usr/bin/xscreensaver |
| 30 |
/usr/bin/xfce4-session |
| 31 |
/usr/bin/gkrellm |
| 32 |
/usr/bin/Xorg |
| 33 |
/usr/bin/xfdesktop |
| 34 |
/usr/bin/xfce4-panel |
| 35 |
/usr/bin/Terminal |
| 36 |
/usr/libexec/udisks-daemon |
| 37 |
/usr/bin/xfce4-session-logout |
| 38 |
/usr/bin/emacs-23 |
| 39 |
/usr/bin/sudo |
| 40 |
/usr/bin/perl |
| 41 |
/usr/libexec/xfce4/panel-plugins/xfce4-mixer-plugin |
| 42 |
/usr/bin/xfce4-mixer |
| 43 |
/usr/bin/python2.7 |
| 44 |
/usr/libexec/git-core/git |
| 45 |
/usr/libexec/gcc/x86_64-pc-linux-gnu/4.6.1/cc1 |
| 46 |
|
| 47 |
|
| 48 |
-- |
| 49 |
Aoccdrnig to a threoy, it deosn't mttaer in waht oredr the ltteers in a wrod |
| 50 |
are, the olny iprmoatnt tihng is taht the frist and lsat ltteer are in the |
| 51 |
rghit pclae. The rset can be a taotl mses and you can sitll raed it in msot |
| 52 |
csaes. Tihs is bcuseae the huamn mnid deos not raed ervey lteter by istlef, |
| 53 |
but the wrod as a wlohe. And I awlyas thought slpeling was ipmorantt. |
Archives