Gentoo Forums
[solved] Starting firefox very slowly on hardened
Forum: Desktop Environments
macumazan (n00b; Joined: 13 Jun 2010; Posts: 4)
Posted: Sun Nov 03, 2013 4:44 pm    Post subject: [solved] Starting firefox very slowly on hardened

Code:
$ firefox

After ~7-10 minutes firefox is running.

In dmesg:
Code:
[   63.658776] grsec: Segmentation fault occurred at 00000000000006c4 in /usr/lib64/firefox/firefox[firefox:6850] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/lib64/firefox/firefox[firefox:6849] uid/euid:1000/1000 gid/egid:1000/1000
[   63.658787] grsec: bruteforce prevention initiated for the next 30 minutes or until service restarted, stalling each fork 30 seconds.  Please investigate the crash report for /usr/lib64/firefox/firefox[firefox:6850] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/lib64/firefox/firefox[firefox:6849] uid/euid:1000/1000 gid/egid:1000/1000



Code:
paxctl -v  /usr/lib64/firefox/firefox
PaX control v0.7
Copyright 2004,2005,2006,2007,2009,2010,2011,2012 PaX Team <pageexec@freemail.hu>

- PaX flags: -------x-e-- [/usr/lib64/firefox/firefox]
   RANDEXEC is disabled
   EMUTRAMP is disabled


kernel 3.11.2-hardened config http://bpaste.net/show/146383/

emerge --info http://bpaste.net/show/146384/

USE flags of firefox http://bpaste.net/show/146385/

strace http://bpaste.net/show/146389/


Any ideas are welcome.


Last edited by macumazan on Wed Nov 13, 2013 7:22 am; edited 1 time in total
Tractor Girl (Apprentice; Joined: 16 May 2013; Posts: 159)
Posted: Sun Nov 03, 2013 9:03 pm

I have exactly the same problem :cry:
According to this, it should be working now... but it is not: http://hardenedgentoo.blogspot.com/2012/06/default-mprotect-restriction-for.html
I tried both 17 and 24.
Anarchy (Developer; Joined: 29 Jun 2005; Posts: 108)
Posted: Tue Nov 05, 2013 4:33 am

Tractor Girl wrote:
I have exactly the same problem :cry:
According to this, it should be working now...but it is not... http://hardenedgentoo.blogspot.com/2012/06/default-mprotect-restriction-for.html
I tried both 17 and 24


MPROTECT must be disabled for now; this is due to the Ion JIT, and it is too much work to backport the fixes that will be coming in fx-26. As the Mozilla lead I can assure you that firefox starts in under 2ms on my hardened machine, which is where all Mozilla work is performed.
Tractor Girl (Apprentice; Joined: 16 May 2013; Posts: 159)
Posted: Fri Nov 08, 2013 11:23 pm

Anarchy wrote:

mprotect must be disabled for now, this is due to ion jit, it is too much work to backport the fixes that will be coming in fx-26. As the mozilla lead I can ensure you that firefox starts in under 2ms on my hardened machine, this is where all mozilla work is performed.

It doesn't work for me. I tried different PaX flags, but there are always the same errors:
Code:
Nov  9 00:11:21 gentoo kernel: [14465.215301] firefox[22447]: segfault at 0 ip 00000335ac4df2a8 sp 000003ff5b6b54a0 error 4 in r300g_dri.so[335abfd3000+11ba000]
Nov  9 00:11:21 gentoo kernel: [14465.215388] grsec: Segmentation fault occurred at            (nil) in /usr/lib64/firefox/firefox[firefox:22447] uid/euid:1000/1000 gid/egid:1001/1001, parent /usr/lib64/firefox/firefox[firefox:22444] uid/euid:1000/1000 gid/egid:1001/1001
Nov  9 00:11:21 gentoo kernel: [14465.215435] grsec: bruteforce prevention initiated for the next 30 minutes or until service restarted, stalling each fork 30 seconds.  Please investigate the crash report for /usr/lib64/firefox/firefox[firefox:22447] uid/euid:1000/1000 gid/egid:1001/1001, parent /usr/lib64/firefox/firefox[firefox:22444] uid/euid:1000/1000 gid/egid:1001/1001
Nov  9 00:11:21 gentoo kernel: [14465.215493] grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/lib64/firefox/firefox[firefox:22447] uid/euid:1000/1000 gid/egid:1001/1001, parent /usr/lib64/firefox/firefox[firefox:22444] uid/euid:1000/1000 gid/egid:1001/1001


Here's my current setup:
Code:
gentoo ~ # paxctl-ng -v /usr/bin/firefox
/usr/bin/firefox:
   PT_PAX    : Pemrs
   XATTR_PAX : Pemrs


Code:
gentoo ~ # equery u firefox
[ Legend : U - final flag setting for installation]
[        : I - package is installed with flag     ]
[ Colors : set, unset                             ]
 * Found these USE flags for www-client/firefox-17.0.9:
 U I
 + + alsa                 : Add support for media-libs/alsa-lib (Advanced Linux Sound Architecture)
 + + bindist              : Disable official Firefox branding (icons, name) which are not binary-redistributable according to upstream.
 - - custom-cflags        : Build with user-specified CFLAGS (unsupported)
 - - custom-optimization  : Fine-tune custom compiler optimizations, setting this is not recommended.
 + + dbus                 : Enable dbus support for anything that needs it (gpsd, gnomemeeting, etc)
 - - debug                : Enable extra debug codepaths, like asserts and extra output. If you want to get meaningful backtraces see
                            http://www.gentoo.org/proj/en/qa/backtraces.xml
 - - gstreamer            : Add support for media-libs/gstreamer (Streaming media)
 - - jit                  : Enable just-in-time compilation for improved performance. May prevent use of some PaX memory protection features in Gentoo
                            Hardened.
 - - libnotify            : Enable desktop notification support
 - - linguas_af           : Afrikaans locale
 - - linguas_ak           : Akan locale
 - - linguas_ar           : Arabic locale
 - - linguas_as           : Assamese locale
 - - linguas_ast          : Asturian locale
 - - linguas_be           : Belarusian locale
 - - linguas_bg           : Bulgarian locale
 - - linguas_bn_BD        : Bengalie locale for Bangladesh
 - - linguas_bn_IN        : Bengali locale for India
 - - linguas_br           : Breton locale
 - - linguas_bs           : Bosnian locale
 - - linguas_ca           : Catalan locale
 - - linguas_cs           : Czech locale
 - - linguas_csb          : Kashubian locale
 - - linguas_cy           : Welsh locale
 - - linguas_da           : Danish locale
 - - linguas_de           : German locale
 - - linguas_el           : Greek locale
 - - linguas_en_GB        : English locale for Britain
 - - linguas_en_ZA        : English locale for South Africa
 - - linguas_eo           : Esperanto locale
 - - linguas_es_AR        : Spanish locale for Argentina
 - - linguas_es_CL        : Spanish locale for Chile
 - - linguas_es_ES        : Spanish locale for Spain
 - - linguas_es_MX        : Spanish locale for Mexico
 - - linguas_et           : Estonian locale
 - - linguas_eu           : Basque locale
 - - linguas_fa           : Persian locale
 - - linguas_fi           : Finnish locale
 - - linguas_fr           : French locale
 - - linguas_fy_NL        : Frisian language locale for the Netherlands
 - - linguas_ga_IE        : Irish locale for Ireland
 - - linguas_gd           : Gaelic locale
 - - linguas_gl           : Galician locale
 - - linguas_gu_IN        : Gujarati locale for India
 - - linguas_he           : Hebrew locale
 - - linguas_hi_IN        : Hindi locale
 - - linguas_hr           : Croatian locale
 - - linguas_hu           : Hungarian locale
 - - linguas_hy_AM        : Armenian locale
 - - linguas_id           : Indonesian locale
 - - linguas_is           : Icelandic locale
 - - linguas_it           : Italian locale
 - - linguas_ja           : Japanese locale
 - - linguas_kk           : Kazakh locale
 - - linguas_km           : Khmer locale
 - - linguas_kn           : Kannada locale
 - - linguas_ko           : Korean locale
 - - linguas_ku           : Kurdish (latin) locale
 - - linguas_lg           : Ganda locale
 - - linguas_lt           : Lithuanian locale
 - - linguas_lv           : Latvian locale
 - - linguas_mai          : Maithili locale
 - - linguas_mk           : Macedonian locale
 - - linguas_ml           : Malayalam locale
 - - linguas_mr           : Marathi locale
 - - linguas_nb_NO        : Norwegian (Bokmal) locale for Norway
 - - linguas_nl           : Dutch locale
 - - linguas_nn_NO        : Nynorsk locale for Norway
 - - linguas_nso          : Northern Sotho locale
 - - linguas_or           : Oriya locale
 - - linguas_pa_IN        : Punjabi locale for India
 + + linguas_pl           : Polish locale
 - - linguas_pt_BR        : Portuguese locale for Brasil
 - - linguas_pt_PT        : Portuguese locale for Portugal
 - - linguas_rm           : Romansh locale
 - - linguas_ro           : Romanian locale
 - - linguas_ru           : Russian locale
 - - linguas_si           : Sinhala locale
 - - linguas_sk           : Slovak locale
 - - linguas_sl           : Slovenian locale
 - - linguas_son          : Songhai locale
 - - linguas_sq           : Albanian locale
 - - linguas_sr           : Serbian locale
 - - linguas_sv_SE        : Swedish locale for Sweden
 - - linguas_ta           : Tamil locale
 - - linguas_ta_LK        : Tamil locale for Sri Lanka
 - - linguas_te           : Telugu locale
 - - linguas_th           : Thai locale
 - - linguas_tr           : Turkish locale
 - - linguas_uk           : Ukrainian locale
 - - linguas_vi           : Vietnamese locale
 - - linguas_zh_CN        : Chinese locale for Peoples Republic of China
 - - linguas_zh_TW        : Chinese locale for Taiwan
 - - linguas_zu           : Zulu locale
 + + minimal              : Prevent sdk and headers from being installed
 - - startup-notification : Enable application startup event feedback mechanism
 - - system-sqlite        : Use the system-wide dev-db/sqlite installation with secure-delete enabled
 - - wifi                 : Enable wireless network functions


Grsecurity kernel config:
Code:
# Security options
#

#
# Grsecurity
#
CONFIG_PAX_KERNEXEC_PLUGIN=y
CONFIG_PAX_PER_CPU_PGD=y
CONFIG_TASK_SIZE_MAX_SHIFT=42
CONFIG_PAX_USERCOPY_SLABS=y
CONFIG_GRKERNSEC=y
CONFIG_GRKERNSEC_CONFIG_AUTO=y
# CONFIG_GRKERNSEC_CONFIG_CUSTOM is not set
# CONFIG_GRKERNSEC_CONFIG_SERVER is not set
CONFIG_GRKERNSEC_CONFIG_DESKTOP=y
CONFIG_GRKERNSEC_CONFIG_VIRT_NONE=y
# CONFIG_GRKERNSEC_CONFIG_VIRT_GUEST is not set
# CONFIG_GRKERNSEC_CONFIG_VIRT_HOST is not set
# CONFIG_GRKERNSEC_CONFIG_PRIORITY_PERF is not set
CONFIG_GRKERNSEC_CONFIG_PRIORITY_SECURITY=y

#
# Default Special Groups
#
CONFIG_GRKERNSEC_PROC_GID=10

#
# Customize Configuration
#

#
# PaX
#
CONFIG_PAX=y

#
# PaX Control
#
# CONFIG_PAX_SOFTMODE is not set
CONFIG_PAX_PT_PAX_FLAGS=y
CONFIG_PAX_XATTR_PAX_FLAGS=y
# CONFIG_PAX_NO_ACL_FLAGS is not set
CONFIG_PAX_HAVE_ACL_FLAGS=y
# CONFIG_PAX_HOOK_ACL_FLAGS is not set

#
# Non-executable pages
#
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
CONFIG_PAX_EMUTRAMP=y
CONFIG_PAX_MPROTECT=y
CONFIG_PAX_MPROTECT_COMPAT=y
# CONFIG_PAX_ELFRELOCS is not set
CONFIG_PAX_KERNEXEC=y
CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_BTS=y
# CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR is not set
CONFIG_PAX_KERNEXEC_PLUGIN_METHOD="bts"

#
# Address Space Layout Randomization
#
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y

#
# Miscellaneous hardening features
#
CONFIG_PAX_MEMORY_SANITIZE=y
CONFIG_PAX_MEMORY_STACKLEAK=y
CONFIG_PAX_MEMORY_STRUCTLEAK=y
CONFIG_PAX_MEMORY_UDEREF=y
CONFIG_PAX_REFCOUNT=y
CONFIG_PAX_CONSTIFY_PLUGIN=y
CONFIG_PAX_USERCOPY=y
# CONFIG_PAX_USERCOPY_DEBUG is not set
CONFIG_PAX_SIZE_OVERFLOW=y
CONFIG_PAX_LATENT_ENTROPY=y

#
# Memory Protections
#
CONFIG_GRKERNSEC_KMEM=y
# CONFIG_GRKERNSEC_IO is not set
CONFIG_GRKERNSEC_PERF_HARDEN=y
CONFIG_GRKERNSEC_RAND_THREADSTACK=y
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_BRUTE=y
CONFIG_GRKERNSEC_MODHARDEN=y
CONFIG_GRKERNSEC_HIDESYM=y
CONFIG_GRKERNSEC_KERN_LOCKOUT=y

#
# Role Based Access Control Options
#
# CONFIG_GRKERNSEC_NO_RBAC is not set
# CONFIG_GRKERNSEC_ACL_HIDEKERN is not set
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30

#
# Filesystem Protections
#
CONFIG_GRKERNSEC_PROC=y
# CONFIG_GRKERNSEC_PROC_USER is not set
CONFIG_GRKERNSEC_PROC_USERGROUP=y
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
# CONFIG_GRKERNSEC_SYMLINKOWN is not set
CONFIG_GRKERNSEC_FIFO=y
# CONFIG_GRKERNSEC_SYSFS_RESTRICT is not set
# CONFIG_GRKERNSEC_ROFS is not set
CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y

#
# Kernel Auditing
#
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
# CONFIG_GRKERNSEC_EXECLOG is not set
CONFIG_GRKERNSEC_RESLOG=y
# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
# CONFIG_GRKERNSEC_AUDIT_PTRACE is not set
# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
# CONFIG_GRKERNSEC_AUDIT_MOUNT is not set
CONFIG_GRKERNSEC_SIGNAL=y
# CONFIG_GRKERNSEC_FORKFAIL is not set
CONFIG_GRKERNSEC_TIME=y
CONFIG_GRKERNSEC_PROC_IPADDR=y
CONFIG_GRKERNSEC_RWXMAP_LOG=y
# CONFIG_GRKERNSEC_AUDIT_TEXTREL is not set

#
# Executable Protections
#
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_HARDEN_PTRACE=y
CONFIG_GRKERNSEC_PTRACE_READEXEC=y
CONFIG_GRKERNSEC_SETXID=y
# CONFIG_GRKERNSEC_TPE is not set

#
# Network Protections
#
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_BLACKHOLE=y
CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
# CONFIG_GRKERNSEC_SOCKET is not set

#
# Sysctl Support
#
CONFIG_GRKERNSEC_SYSCTL=y
CONFIG_GRKERNSEC_SYSCTL_ON=y

#
# Logging Options
#
# CONFIG_GRKERNSEC_SELINUX_AVC_LOG_IPADDR is not set
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=6
# CONFIG_KEYS is not set
# CONFIG_SECURITY_DMESG_RESTRICT is not set
CONFIG_SECURITY=y
CONFIG_SECURITYFS=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_PATH=y
CONFIG_LSM_MMAP_MIN_ADDR=65536
CONFIG_SECURITY_SELINUX=y
# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
# CONFIG_SECURITY_SELINUX_DISABLE is not set
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
# CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX is not set
# CONFIG_SECURITY_SMACK is not set
# CONFIG_SECURITY_TOMOYO is not set
CONFIG_SECURITY_APPARMOR=y
CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
CONFIG_SECURITY_APPARMOR_COMPAT_24=y
# CONFIG_IMA is not set
# CONFIG_DEFAULT_SECURITY_SELINUX is not set
# CONFIG_DEFAULT_SECURITY_APPARMOR is not set
CONFIG_DEFAULT_SECURITY_DAC=y
CONFIG_DEFAULT_SECURITY=""
CONFIG_XOR_BLOCKS=y
CONFIG_CRYPTO=y
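An added example (not code from this thread, grsecurity or Gentoo): a small Python triage script for the kernel and grsec messages quoted in the two posts above. It groups the lines by crashing PID and pulls out what a defender needs from them: the object that actually faulted (the kernel's own "segfault at" line names r300g_dri.so, while grsec's line only names the firefox binary), the NULL fault address, the suppressed core dump (RLIMIT_CORE 0), and the bruteforce-prevention fork stall that turns a crash loop into a multi-minute start. The function names, the CrashRecord fields and the fork-count estimate are this example's own assumptions; the sample lines are the ones posted in the thread.

```python
"""grsecurity crash-log triage: an added example for this thread, not code
from the thread, grsecurity or Gentoo.  It recognises the four message shapes
quoted in the posts above, groups them by crashing PID, and reports the
faulting object, fault address, suppressed core dump and fork stall.
Sample lines are the ones posted here."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# search() is used so any syslog or dmesg prefix in front of the message is skipped.
KERNEL_SEGFAULT = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) ip [0-9a-f]+ "
    r"sp [0-9a-f]+ error \d+ in (?P<obj>[^\[\s]+)\[")
GRSEC_SEGFAULT = re.compile(
    r"grsec: Segmentation fault occurred at\s+(?P<addr>\(nil\)|[0-9a-f]+) in "
    r"(?P<path>\S+?)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\].*?"
    r"parent (?P<ppath>\S+?)\[(?P<pcomm>[^:\]]+):(?P<ppid>\d+)\]")
GRSEC_BRUTE = re.compile(
    r"grsec: bruteforce prevention initiated for the next (?P<minutes>\d+) minutes.*?"
    r"stalling each fork (?P<stall>\d+) seconds\..*?crash report for "
    r"(?P<path>\S+?)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\]")
GRSEC_RESLOG = re.compile(
    r"grsec: denied resource overstep by requesting \d+ for (?P<res>\w+) "
    r"against limit (?P<limit>\d+) for (?P<path>\S+?)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\]")


@dataclass
class CrashRecord:
    pid: int
    comm: str = ""
    path: str = ""                          # main binary, as named by grsec
    fault_addr: Optional[int] = None
    faulting_object: Optional[str] = None   # only the kernel's own line names it
    parent: Optional[str] = None
    brute_minutes: int = 0
    fork_stall_seconds: int = 0
    core_limit: Optional[int] = None        # RLIMIT_CORE at crash time, if logged


def _addr(text: str) -> int:
    return 0 if text == "(nil)" else int(text, 16)


def triage(lines: List[str]) -> Dict[int, CrashRecord]:
    """Group the recognised messages by crashing PID; unknown lines are ignored."""
    records: Dict[int, CrashRecord] = {}

    def rec(pid: str) -> CrashRecord:
        return records.setdefault(int(pid), CrashRecord(pid=int(pid)))

    for line in lines:
        if m := KERNEL_SEGFAULT.search(line):
            r = rec(m["pid"])
            r.comm, r.fault_addr, r.faulting_object = m["comm"], _addr(m["addr"]), m["obj"]
        elif m := GRSEC_SEGFAULT.search(line):
            r = rec(m["pid"])
            r.comm, r.path = m["comm"], m["path"]
            if r.fault_addr is None:
                r.fault_addr = _addr(m["addr"])
            r.parent = f'{m["ppath"]}[{m["pcomm"]}:{m["ppid"]}]'
        elif m := GRSEC_BRUTE.search(line):
            r = rec(m["pid"])
            r.path = r.path or m["path"]
            r.brute_minutes, r.fork_stall_seconds = int(m["minutes"]), int(m["stall"])
        elif (m := GRSEC_RESLOG.search(line)) and m["res"] == "RLIMIT_CORE":
            rec(m["pid"]).core_limit = int(m["limit"])
    return records


def estimated_stall_seconds(r: CrashRecord, forks: int) -> int:
    """Extra seconds a restart pays if it fork()s `forks` times while the stall is active."""
    return forks * r.fork_stall_seconds


def explain(r: CrashRecord) -> List[str]:
    """Triage notes for one crash record."""
    notes = []
    if r.fault_addr == 0:
        notes.append("fault address is NULL: a null-pointer dereference, not a PaX denial")
    if r.faulting_object and r.path and not r.path.endswith(r.faulting_object):
        notes.append(f"faulting code is in {r.faulting_object}; grsec's line only names {r.path}")
    if r.core_limit == 0:
        notes.append("core dump suppressed (RLIMIT_CORE is 0), so there is no core file to inspect")
    if r.fork_stall_seconds:
        notes.append(f"bruteforce prevention stalls every fork of {r.path} by "
                     f"{r.fork_stall_seconds}s for {r.brute_minutes} min: fix the crash, not the stall")
    return notes


# Sample input: the log lines quoted in this thread (the syslog prefix on the
# second group shows that the prefix is skipped).
SAMPLE_LINES = [
    "[   63.658776] grsec: Segmentation fault occurred at 00000000000006c4 in /usr/lib64/firefox/firefox[firefox:6850] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/lib64/firefox/firefox[firefox:6849] uid/euid:1000/1000 gid/egid:1000/1000",
    "[   63.658787] grsec: bruteforce prevention initiated for the next 30 minutes or until service restarted, stalling each fork 30 seconds.  Please investigate the crash report for /usr/lib64/firefox/firefox[firefox:6850] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/lib64/firefox/firefox[firefox:6849] uid/euid:1000/1000 gid/egid:1000/1000",
    "Nov  9 00:11:21 gentoo kernel: [14465.215301] firefox[22447]: segfault at 0 ip 00000335ac4df2a8 sp 000003ff5b6b54a0 error 4 in r300g_dri.so[335abfd3000+11ba000]",
    "Nov  9 00:11:21 gentoo kernel: [14465.215388] grsec: Segmentation fault occurred at            (nil) in /usr/lib64/firefox/firefox[firefox:22447] uid/euid:1000/1000 gid/egid:1001/1001, parent /usr/lib64/firefox/firefox[firefox:22444] uid/euid:1000/1000 gid/egid:1001/1001",
    "Nov  9 00:11:21 gentoo kernel: [14465.215435] grsec: bruteforce prevention initiated for the next 30 minutes or until service restarted, stalling each fork 30 seconds.  Please investigate the crash report for /usr/lib64/firefox/firefox[firefox:22447] uid/euid:1000/1000 gid/egid:1001/1001, parent /usr/lib64/firefox/firefox[firefox:22444] uid/euid:1000/1000 gid/egid:1001/1001",
    "Nov  9 00:11:21 gentoo kernel: [14465.215493] grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/lib64/firefox/firefox[firefox:22447] uid/euid:1000/1000 gid/egid:1001/1001, parent /usr/lib64/firefox/firefox[firefox:22444] uid/euid:1000/1000 gid/egid:1001/1001",
]

if __name__ == "__main__":
    for pid, r in triage(SAMPLE_LINES).items():
        print(pid, r.faulting_object or r.path, r.fault_addr, *explain(r), sep="\n  ")
```

Feed it `dmesg` or the relevant part of `/var/log/messages` instead of SAMPLE_LINES to triage a live system. The point of the per-PID grouping is that grsec's "Segmentation fault occurred" and "bruteforce prevention" lines always name the main executable, so the library that really crashed only shows up on the kernel's own segfault line; in this thread that library was the Mesa r300 DRI driver, which is what pointed to the missing "video" group rather than to the PaX flags.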
Tractor Girl (Apprentice; Joined: 16 May 2013; Posts: 159)
Posted: Sat Nov 09, 2013 11:09 pm

Finally it's working!
It's strange, but it seems to work with mprotect enabled too!
The solution for me was to add my user to the "video" group.
PaX is in "hardcore" mode (PeRMs; I just disabled SEGMEXEC because, from what I understood, it works only on x86) and everything seems to work just fine.

Code:
gentoo firefox # pspax |grep firefox
tractor_girl    10847  PeMRs  w^x  ET_DYN     firefox           =

Code:
gentoo firefox # paxctl-ng -v firefox
firefox:
   PT_PAX    : PeMRs
   XATTR_PAX : PeMRs
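An added example (not code from this thread or from paxctl, paxctl-ng or pax-utils) that decodes the two textual forms of PaX marking quoted in this thread: the 12-column string from `paxctl -v` in the first post ("-------x-e--") and the letter form from `paxctl-ng -v` and `pspax` in Tractor Girl's posts ("Pemrs" before, "PeMRs" after). It also diffs two markings and checks a marking against a list of protections that must stay enforced. The column order assumed for `paxctl -v` (P/p, S/s, M/m, X/x, E/e, R/r) is the order the tool prints them and agrees with the thread's output; the function names and HARDENED_POLICY list are this example's own assumptions.

```python
"""Decoder for PaX per-binary flag markings: an added example for this thread,
not code from the thread, paxctl, paxctl-ng or pax-utils.

Two forms are handled:
  * paxctl -v:            a 12-column string such as "-------x-e--", one pair of
                          columns (enable letter, disable letter) per feature;
  * paxctl-ng -v / pspax: a short string such as "Pemrs", one letter per
                          feature, upper = enabled, lower = disabled, "-" = unmarked.
Sample strings are the ones quoted in this thread."""
from typing import Dict, List

FEATURES = {
    "P": "PAGEEXEC", "S": "SEGMEXEC", "M": "MPROTECT",
    "X": "RANDEXEC", "E": "EMUTRAMP", "R": "RANDMMAP",
}
PAXCTL_ORDER = "PSMXER"   # column pairs in paxctl -v output (assumed order)

ENABLED, DISABLED, DEFAULT, CONFLICT = "enabled", "disabled", "default", "conflict"


def decode_paxctl(columns: str) -> Dict[str, str]:
    """Decode the 12-column string printed by paxctl -v."""
    if len(columns) != 12:
        raise ValueError(f"expected 12 columns, got {columns!r}")
    state = {}
    for i, letter in enumerate(PAXCTL_ORDER):
        on, off = columns[2 * i], columns[2 * i + 1]
        name = FEATURES[letter]
        if on == letter and off == letter.lower():
            state[name] = CONFLICT          # both bits set: the marking is inconsistent
        elif on == letter:
            state[name] = ENABLED
        elif off == letter.lower():
            state[name] = DISABLED
        else:
            state[name] = DEFAULT           # left to the kernel's default for that feature
    return state


def decode_letters(marks: str) -> Dict[str, str]:
    """Decode the letter form used by paxctl-ng and pspax (e.g. "PeMRs")."""
    state = {}
    for ch in marks:
        if ch == "-":
            continue
        name = FEATURES.get(ch.upper())
        if name is None:
            raise ValueError(f"unknown PaX flag letter {ch!r}")
        state[name] = ENABLED if ch.isupper() else DISABLED
    for name in FEATURES.values():          # anything unmarked falls back to the kernel default
        state.setdefault(name, DEFAULT)
    return state


def diff(before: Dict[str, str], after: Dict[str, str]) -> List[str]:
    """Features whose marking changed, as 'NAME: old -> new'."""
    return [f"{n}: {before[n]} -> {after[n]}" for n in FEATURES.values() if before[n] != after[n]]


def disabled_against_policy(state: Dict[str, str], required: List[str]) -> List[str]:
    """Required protections that the binary explicitly opts out of."""
    return [n for n in required if state.get(n) == DISABLED]


def flags_from_pspax(row: str) -> str:
    """The third whitespace-separated column of a pspax row is the PaX marking."""
    return row.split()[2]


# Constructed sample input: the markings quoted in this thread.
POST1_PAXCTL = "-------x-e--"    # macumazan's firefox, paxctl -v
POST2_FAILING = "Pemrs"          # Tractor Girl's first setup, paxctl-ng -v
POST3_WORKING = "PeMRs"          # Tractor Girl's working setup
PSPAX_ROW = "tractor_girl    10847  PeMRs  w^x  ET_DYN     firefox           ="
HARDENED_POLICY = ["PAGEEXEC", "MPROTECT", "RANDMMAP"]   # assumed local policy

if __name__ == "__main__":
    print(decode_paxctl(POST1_PAXCTL))
    print(diff(decode_letters(POST2_FAILING), decode_letters(POST3_WORKING)))
    print(disabled_against_policy(decode_letters(flags_from_pspax(PSPAX_ROW)), HARDENED_POLICY))
```

Running the diff over the two markings in Tractor Girl's posts shows that MPROTECT and RANDMMAP went from explicitly disabled to enabled between the failing and the working setup, which matches her remark that it works with mprotect enabled too and confirms that the real fix was the "video" group, not a flag. The policy check is the part worth keeping: run `pspax` and feed each row through `flags_from_pspax` and `disabled_against_policy` to list which running binaries have opted out of protections the site intends to keep enforced.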
macumazan (n00b; Joined: 13 Jun 2010; Posts: 4)
Posted: Wed Nov 13, 2013 7:22 am

Tractor Girl wrote:
Finally it's working!
It's strange but it seems to work with mprotect enabled too!
The solution for me was to add user to "video" group.


Wow! That really works. Thanks!
All times are GMT