Linux Archive

Linux Archive (http://www.linux-archive.org/)
-   Gentoo Hardened (http://www.linux-archive.org/gentoo-hardened/)
-   -   The last browser (opera) to work with grsec by default may be succombing (ptrace). (http://www.linux-archive.org/gentoo-hardened/608387-last-browser-opera-work-grsec-default-may-succombing-ptrace.html)

"Tóth Attila" 12-09-2011 12:41 PM

The last browser (opera) to work with grsec by default may be succombing (ptrace).
 
Cannot start Firefox as well. Libreoffice either.
--
dr Tóth Attila, Radiológus, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057

2011.December 9.(P) 14:17 időpontban Kevin Chadwick ezt *rta:
> Has anyone tried Opera 11.60 with a grsecurity patched kernel.
>
> 11.52 worked fine but 11.60 is segfaulting with "denied ptrace
> of /usr/lib/opera/opera"
>
> The flash plugin seems to load on startup rather than on demand
> requiring a pluginpath.ini, if you have say a sandboxed flash enabled
> firefox browser.
>

"Anthony G. Basile" 12-09-2011 07:26 PM

The last browser (opera) to work with grsec by default may be succombing (ptrace).
 
On 12/09/2011 08:41 AM, "Tóth Attila" wrote:
> Cannot start Firefox as well. Libreoffice either.
> -- dr Tóth Attila, Radiológus, 06-20-825-8057 Attila Toth MD,
> Radiologist, +36-20-825-8057 2011.December 9.(P) 14:17 időpontban Kevin
> Chadwick ezt *rta:
>> > Has anyone tried Opera 11.60 with a grsecurity patched kernel.
>> >
>> > 11.52 worked fine but 11.60 is segfaulting with "denied ptrace
>> > of /usr/lib/opera/opera"
>> >
>> > The flash plugin seems to load on startup rather than on demand
>> > requiring a pluginpath.ini, if you have say a sandboxed flash enabled
>> > firefox browser.
>> >
>

We need bug reports on these because I am not experiencing any problems
with the latest hardened-kernels and firefox/libreoffice. I haven't
tried opera but will now. The reason for bug report is that it may take
a while to narrow it down as we back and forth.

--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197

Alex Efros 12-11-2011 11:05 PM

The last browser (opera) to work with grsec by default may be succombing (ptrace).
 
Hi!

I've just updated to opera-11.60.1185 and firefox-bin-8.0.
Opera work just fine, but firefox fail to start (hangs using 100% CPU)
because paxmarking -m isn't enough. To fix firefox paxmarking -r needed too:
paxctl -r /opt/firefox/firefox

I'm using only GrSec+PaX, so there are may be also SELinux/RBAC related issues.

--
WBR, Alex.

Kevin Chadwick 12-12-2011 05:54 PM

The last browser (opera) to work with grsec by default may be succombing (ptrace).
 
On Mon, 12 Dec 2011 02:05:04 +0200
Alex Efros <powerman@powerman.name> wrote:

> Hi!
>
> I've just updated to opera-11.60.1185 and firefox-bin-8.0.
> Opera work just fine,

Interesting and thanks, I have the same build but as I should have
stated earlier just a GrSec+Pax kernel on arch linux and 11.52 works
fine but 11.60 fails with ptrace denied by grsec. Do you have the
following line set to y in your kernel config?

"CONFIG_GRKERNSEC_HARDEN_PTRACE=y"

> but firefox fail to start (hangs using 100% CPU)
> because paxmarking -m isn't enough. To fix firefox paxmarking -r needed too:
> paxctl -r /opt/firefox/firefox
>
> I'm using only GrSec+PaX, so there are may be also SELinux/RBAC related issues.

Yeah it's been like that for a while. I think gentoo-hardened
automatically sets those pax flags. See this link.

"http://hardenedgentoo.blogspot.com/2011/06/firefox-5-with-mprotect-onof-course.html"

--
Kc

Kevin Chadwick 12-12-2011 06:52 PM

The last browser (opera) to work with grsec by default may be succombing (ptrace).
 
On Mon, 12 Dec 2011 18:54:17 +0000
Kevin Chadwick wrote:

> Do you have the
> following line set to y in your kernel config?
>
> "CONFIG_GRKERNSEC_HARDEN_PTRACE=y"

No need to check that it was just the debugger trying to attach.

Alex Efros 12-12-2011 07:49 PM

The last browser (opera) to work with grsec by default may be succombing (ptrace).
 
Hi!

On Mon, Dec 12, 2011 at 06:54:17PM +0000, Kevin Chadwick wrote:
> "CONFIG_GRKERNSEC_HARDEN_PTRACE=y"

No, I don't have this one.

> Yeah it's been like that for a while. I think gentoo-hardened
> automatically sets those pax flags. See this link.

Firefox's ebuild set only -m flag, which isn't enough.

--
WBR, Alex.

Kevin Chadwick 12-13-2011 11:50 AM

The last browser (opera) to work with grsec by default may be succombing (ptrace).
 
On Mon, 12 Dec 2011 19:52:36 +0000
Kevin Chadwick wrote:

> >
> > "CONFIG_GRKERNSEC_HARDEN_PTRACE=y"
>
> No need to check that it was just the debugger trying to attach.

"http://my.opera.com/ruario/blog/2011/12/09/crash-on-startup-color-inversion-11-60"

A bug in Opera from adding gpu acceleration was the problem, I have X
running as a normal user with just the cap_dac_read_search capability
and my framebuffer line for my test laptop was slightly wrong and I
guess defaulting to 16bit.

Sorry for any time wasted.


All times are GMT. The time now is 10:42 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.