Grsec X11 Rbac Selinux Privileged/Raw I/O Mprotect Firefox
On 11/06/2011 06:19 PM, Kevin Chadwick wrote:
> I've been using OpenBSD for a while now which has priv dropping X and
> the machdep.allowaperture=[0|1|2]. Theo has said firefox also
> annoyingly uses its own memory management.
Hi, I've run many an OpenBSD box in my time.
Regarding Xorg. We do not drop privileges, that might be a good idea.
However, our X runs with almost full privileges. All toolchain
hardening is on except bind now. On the kernel side, X will run with
all hardening with the possible exception of CONFIG_GRKERNSEC_IO. If
you can run RBAC, it will help protect against rogue processes trying to
do iopl/ioperm calls.
As for firefox, I think Theo is referring to its built-in malloc (I
forget what it's called). I remember it causing problems, but not the
details. It may be related to its JIT which needs MPROTECT turned off
to run properly.
> I have a few questions about Grsec that I'd love some input on as I am
> struggling to find the answers to them at the moment.
> I've read on the Gentoo-hardened archive and grsec config help that the
> iopl and ioperm should be protected with rbac if privileged I/O is
> So you can disable the RAW_IO capability to all and sacrifice xrestarts.
> But if X already has all privileges then I guess you're just adding a
> hurdle which is made a bit higher with grsec, so obfuscation really
> and not complete security. Is there anything else you can do or is that
> what is meant by "You should use RBAC if you allow privileged I/O"?
I would try running it with CONFIG_GRKERNSEC_IO set and see if it works.
Try nvidia with nouveau driver, if you have that. My guess is
proprietary drivers are going to get you in trouble here, so if you have
an ATI, you may have no choice in the matter.
> The gentoo-handbook says something like the question of selinux|rbac|
> rsbac is a controversial one. It seems rsbac is the most secure but
> more difficult to use and has less starter policies around. Gentoo
> seems to have selinux policies. Does selinux have any more to offer than
> rbac for protecting X?
It's recommended that with workstations you run SELinux in targeted mode,
not strict. So, while it might offer something more for X (and I'm not
sure it does), this means loosening other restrictions that RBAC would
give you on a workstation.
> Does CONFIG_PAX_MPROTECT_COMPAT have any effect on firefox and did
> mozilla refuse to patch their sources with the if !jit patch?
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : firstname.lastname@example.org
GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535
GnuPG ID : D0455535
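
The MPROTECT and JIT point in the reply above can be checked on a given box with a small probe. This is an added example, not part of the original message and not code from grsecurity, PaX or Gentoo. It assumes a PaX-patched kernel exposes a "PaX:" flags line in /proc/self/status (upper-case M meaning MPROTECT is enforced); the function names are made up for illustration.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS 0x20   /* Linux value on most architectures */
#endif

/* Read the MPROTECT letter from the "PaX:" line of a /proc/<pid>/status text
 * (assumed format). Returns 1 for 'M', 0 for 'm', -1 if no such line. */
int pax_mprotect_flag(const char *status_text)
{
    const char *p = status_text;
    if (strncmp(p, "PaX:", 4) != 0) p = strstr(p, "\nPaX:");
    if (!p) return -1;
    for (p = strchr(p, ':') + 1; *p && *p != '\n'; p++) {
        if (*p == 'M') return 1;
        if (*p == 'm') return 0;
    }
    return -1;
}

/* Do what a JIT does: fill a writable page, then ask the kernel to make it
 * executable. Returns 0 if the transition was allowed, else the errno. */
int probe_rw_to_rx(void)
{
    size_t len = 4096;
    unsigned char *page = mmap(NULL, len, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return errno;
    memset(page, 0, len);   /* stand-in for generated code; never executed */
    int rc = mprotect(page, len, PROT_READ | PROT_EXEC) == 0 ? 0 : errno;
    munmap(page, len);
    return rc;
}

int main(void)
{
    static char buf[8192];
    FILE *f = fopen("/proc/self/status", "r");
    size_t n = f ? fread(buf, 1, sizeof buf - 1, f) : 0;
    if (f) fclose(f);
    buf[n] = '\0';
    printf("PaX MPROTECT flag: %d, RW->RX errno: %d\n", pax_mprotect_flag(buf), probe_rw_to_rx());
}
```

A flag of 1 together with a nonzero errno means the writable-to-executable transition is refused for this binary, which is the behaviour a JIT cannot work under.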