spidark (Tux's lil' helper), Joined: 01 Sep 2011, Posts: 147
Posted: Wed May 11, 2016 2:41 pm, Post subject: Plasma 5 with hardened kernel? (SOLVED)
Hello.
Does Plasma 5 run on a hardened kernel?
The docs state:
Code:
    Profile
    It is highly recommended to use the Plasma desktop profile as it sets a number of important options to ensure things run smoothly.
    In order to choose the most suitable profile, first list what's available:
I only see these hardened profiles.
No Plasma hardened profile.
Code:
    [14] hardened/linux/amd64 *
    [15] hardened/linux/amd64/selinux
    [16] hardened/linux/amd64/no-multilib
    [17] hardened/linux/amd64/no-multilib/selinux
    [18] hardened/linux/amd64/x32
    [19] hardened/linux/musl/amd64
    [20] hardened/linux/musl/amd64/x32
And if it does, what are the heads-up?
Thanks in advance.
Last edited by spidark on Sat Jan 14, 2017 9:31 pm; edited 2 times in total
toralf (Developer), Joined: 01 Feb 2004, Posts: 3922, Location: Hamburg
Posted: Wed May 11, 2016 5:53 pm
I do run a hardened desktop with stable KDE so far. From time to time I do a
Code:
    eselect profile set 8; emerge --deep --update --newuse --changed-use --with-bdeps=y @world --pretend; eselect profile set 14
to look at which USE flags I should have in my make.conf to be somehow compatible with the plasma profile (formerly I did the same with the kde profile). FWIW, with "hardened" I mean grsecurity with CONFIG_GRKERNSEC_CONFIG_AUTO=y and CONFIG_GRKERNSEC_CONFIG_DESKTOP=y.
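The profile-switch trick above leaves you reading the `--pretend` output by eye. The script below is an added example, not toralf's code: it reads saved `emerge --pretend --verbose` output (the USE column only appears with `--verbose`), lists every flag emerge marks as changed (`*`) or newly added (`%`), and groups the changes by flag with the packages behind each, so widespread changes can go into make.conf and one-offs into package.use. The sample emerge lines are constructed for the demonstration; the package names and versions in them are made up.

```shell
#!/bin/sh
# Added example (not from the thread): summarise the USE changes that
# `emerge --pretend --verbose` shows after switching to the plasma profile,
# so they can be copied into make.conf or package.use before switching back
# to the hardened profile.  emerge marks a changed flag with a trailing `*`
# and a flag new to the package with `%`; flags in parentheses are forced or
# masked by the profile and cannot be set by the user, so they are skipped.

# Constructed sample of emerge -pv output (package names and versions are
# made up for the demonstration).
SAMPLE_EMERGE='[ebuild   R    ] kde-frameworks/kconfig-5.26.0:5/5.26::gentoo  USE="dbus* -debug -doc {-test}" 0 KiB
[ebuild   R    ] dev-qt/qtcore-5.6.1:5/5.6::gentoo  USE="icu (-debug) -systemd* {-test}" 0 KiB
[ebuild  N     ] kde-plasma/plasma-meta-5.8.3:5::gentoo  USE="display-manager% sdk% -systemd%" 0 KiB
[ebuild   R    ] media-libs/phonon-4.9.0::gentoo  USE="qt5* -qt4* (-gstreamer) -vlc" 0 KiB'

# use_changes: emerge -pv output on stdin -> "<category/package> <+flag|-flag>" per change
use_changes() {
    awk '
    /^\[ebuild/ {
        line = $0
        sub(/^\[[^]]*] */, "", line)         # drop the [ebuild ...] status column
        pkg = line
        sub(/[ \t].*/, "", pkg)              # the atom is the first word
        sub(/:.*/, "", pkg)                  # strip :slot::repo
        sub(/-[0-9][^ ]*$/, "", pkg)         # strip -version
        if (match(line, /USE="[^"]*"/) == 0) next
        use = substr(line, RSTART + 5, RLENGTH - 6)
        n = split(use, flag, " ")
        for (i = 1; i <= n; i++) {
            f = flag[i]
            gsub(/[{}]/, "", f)              # {test}-style decoration carries no information here
            if (f ~ /^\(/) continue          # (forced) or (-masked): profile-controlled
            if (f !~ /[*%]$/) continue       # unchanged flag
            f = substr(f, 1, length(f) - 1)  # drop the * or % marker
            if (f ~ /^-/) print pkg " " f
            else          print pkg " +" f
        }
    }'
}

# use_summary: group the changes by flag, most widespread first, listing the
# packages behind each so make.conf vs package.use can be decided per flag.
use_summary() {
    use_changes | awk '
        { n[$2]++; pk[$2] = pk[$2] " " $1 }
        END { for (f in n) printf "%d %s%s\n", n[f], f, pk[f] }' \
    | LC_ALL=C sort -k1,1rn -k2,2
}

printf '%s\n' "$SAMPLE_EMERGE" | use_summary
```

On a real system replace the sample with `emerge -pvDuN --with-bdeps=y @world > /tmp/plasma.txt` taken while the plasma profile is selected, then `use_summary < /tmp/plasma.txt` after switching back. A flag that shows up across many packages is a make.conf candidate; a flag changed on a single package belongs in package.use.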
spidark (Tux's lil' helper), Joined: 01 Sep 2011, Posts: 147
Posted: Wed May 11, 2016 6:10 pm
toralf wrote:
    I do run a hardened desktop with stable KDE so far. From time to time I do a "eselect profile set 8; emerge --deep --update --newuse --changed-use --with-bdeps=y @world --pretend; eselect profile set 14" to look at which USE flags I should have in my make.conf to be somehow compatible with the plasma profile (formerly I did the same with the kde profile). FWIW, with "hardened" I mean grsecurity with CONFIG_GRKERNSEC_CONFIG_AUTO=y and CONFIG_GRKERNSEC_CONFIG_DESKTOP=y.
Good one, toralf.
I have the same settings, so it should work.
Thanks.
spidark (Tux's lil' helper), Joined: 01 Sep 2011, Posts: 147
Posted: Sat May 14, 2016 5:38 pm
toralf wrote:
    I do run a hardened desktop with stable KDE so far. From time to time I do a "eselect profile set 8; emerge --deep --update --newuse --changed-use --with-bdeps=y @world --pretend; eselect profile set 14" to look at which USE flags I should have in my make.conf to be somehow compatible with the plasma profile (formerly I did the same with the kde profile). FWIW, with "hardened" I mean grsecurity with CONFIG_GRKERNSEC_CONFIG_AUTO=y and CONFIG_GRKERNSEC_CONFIG_DESKTOP=y.
Hello toralf.
I'm so close I can feel it,
but things keep segfaulting all over the place.
The sddm black screen issue was resolved by disabling mprotect with paxctl.
Code:
    paxctl-ng -m /usr/bin/sddm
But after logging in (sddm), things hang at the KDE screen.
This does not happen with the gentoo-sources kernel; there things run OK.
Played with different settings (paxctl); this does not fix things.
Tried paxctl -z on the files that are segfaulting and giving errors:
    /usr/bin/kdeinit5
    /usr/bin/ksmserver
    /usr/bin/baloo_file
    /usr/bin/kactivitymanagerd
    /usr/bin/krunner
These are some of the errors I'm receiving:
Code:
    May 14 17:42:50 [kernel] [ 890.945157] grsec: denied RWX mmap of <anonymous mapping> by /usr/bin/baloo_file[baloo_file:5172] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/kdeinit5[kdeinit5:5083] uid/euid:1000/1000 gid/egid:1000/1000
Code:
    May 14 17:47:54 [kernel] [ 1195.331645] PAX: /usr/lib64/liborc-0.4.so.0.23.0 wants MPROTECT disabled on /usr/bin/kdeinit5
Code:
    May 14 10:05:26 [kernel] [ 3168.974484] kactivitymanage[3502]: segfault at 7fd7d37a9c90 ip 00007fd7ba65a347 sp 00007ffcb02a39a0 error 4 in libQt5Sql.so.5.5.1[7fd7ba645000+47000]
Things are running smoothly with linux-4.4.8-hardened-r1, but I disabled CONFIG_PAX_MPROTECT.
Any ideas?
Thanks in advance.
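The messages quoted in this post already name the binaries that need an MPROTECT exception, which is a much smaller change than building the kernel without CONFIG_PAX_MPROTECT (that drops W^X enforcement for every process on the box). The script below is an added example, not code from the thread: it pulls those binaries out of kernel log text and prints the per-binary `paxctl-ng -m` commands, and it lists plain segfaults separately, because a crash inside libQt5Sql is not evidence of a missing marking. The sample log is constructed from the three lines quoted above plus one extra baloo_file denial; the `denied RWX mprotect` variant is assumed to be logged by the same CONFIG_GRKERNSEC_RWXMAP_LOG option as the mmap one. In the kdeinit5 case the real cause is liborc, a JIT that needs writable and executable memory, so the marking is a workaround for that library, not a fix.

```shell
#!/bin/sh
# Added example (not from the thread): read kernel log text and turn the
# grsec/PaX messages into per-binary PaX markings, instead of building the
# kernel without CONFIG_PAX_MPROTECT.  Input: `dmesg` (or a syslog excerpt)
# on stdin.

# Constructed sample: the three lines quoted in the post plus a second
# baloo_file denial, to show that one binary gets one command.
SAMPLE_LOG='May 14 17:42:50 [kernel] [  890.945157] grsec: denied RWX mmap of <anonymous mapping> by /usr/bin/baloo_file[baloo_file:5172] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/kdeinit5[kdeinit5:5083] uid/euid:1000/1000 gid/egid:1000/1000
May 14 17:47:54 [kernel] [ 1195.331645] PAX: /usr/lib64/liborc-0.4.so.0.23.0 wants MPROTECT disabled on /usr/bin/kdeinit5
May 14 10:05:26 [kernel] [ 3168.974484] kactivitymanage[3502]: segfault at 7fd7d37a9c90 ip 00007fd7ba65a347 sp 00007ffcb02a39a0 error 4 in libQt5Sql.so.5.5.1[7fd7ba645000+47000]
May 14 17:43:02 [kernel] [  902.118020] grsec: denied RWX mmap of <anonymous mapping> by /usr/bin/baloo_file[baloo_file:5201] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/kdeinit5[kdeinit5:5083] uid/euid:1000/1000 gid/egid:1000/1000'

# mprotect_offenders: binaries PaX refused an RWX mapping for (logged by
# CONFIG_GRKERNSEC_RWXMAP_LOG; the "mprotect" variant is assumed to come from
# the same option) or that a library asked to have MPROTECT disabled on.
mprotect_offenders() {
    sed -n \
        -e 's/.*grsec: denied RWX [a-z]* of .* by \([^ ]*\)\[.*/\1/p' \
        -e 's/.*PAX: .* wants MPROTECT disabled on \([^ ]*\).*/\1/p' \
    | LC_ALL=C sort -u
}

# suggest_paxctl: one `paxctl-ng -m` per offender.  -m clears only MPROTECT
# (W^X stays enforced for every other process); paxctl-ng writes both the
# PT_PAX header and the user.pax.flags xattr, which is what PAX_MARKINGS="XT"
# expects.
suggest_paxctl() {
    mprotect_offenders | while read -r bin; do
        printf 'paxctl-ng -m %s\n' "$bin"
    done
}

# segfault_reports: "<comm> <object>" for plain segfaults.  A crash is not
# evidence of a missing marking, so these get a note rather than a -m.
segfault_reports() {
    sed -n 's/.* \([^ ]*\)\[[0-9]*\]: segfault at [0-9a-f]* .* in \([^[]*\)\[.*/\1 \2/p' \
    | LC_ALL=C sort -u
}

# pax_report: commands to run, followed by the crashes that need a look.
pax_report() {
    log=$(cat)
    printf '%s\n' "$log" | suggest_paxctl
    printf '%s\n' "$log" | segfault_reports | while read -r comm obj; do
        printf '# %s crashed in %s: not a PaX marking hint, check it with paxctl-ng -v\n' "$comm" "$obj"
    done
}

printf '%s\n' "$SAMPLE_LOG" | pax_report
```

On the real system run `dmesg | pax_report`, review the list, and only then apply the commands. Note that a re-emerge of the package can reset the marking unless the ebuild itself applies it (toralf's point later in the thread), so keep the list to re-check after updates.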
mirekm (Apprentice), Joined: 12 Feb 2004, Posts: 210, Location: Gliwice
Posted: Sat May 14, 2016 8:31 pm
You can create your own profile for that.
You have to create a local overlay, and after that
create the directory:
    <overlay>/profile/default/hardened/kde/
In that directory create a file "parent"
with the following contents:
    /usr/portage/profiles/default/linux/amd64/13.0/desktop/kde
    /usr/portage/profiles/hardened/linux/amd64
Or if you want to use plasma, or other profiles, you can adjust your configuration.
spidark (Tux's lil' helper), Joined: 01 Sep 2011, Posts: 147
Posted: Sun May 15, 2016 4:57 am
mirekm wrote:
    You can create your own profile for that.
    You have to create a local overlay, and after that
    create the directory:
        <overlay>/profile/default/hardened/kde/
    In that directory create a file "parent"
    with the following contents:
        /usr/portage/profiles/default/linux/amd64/13.0/desktop/kde
        /usr/portage/profiles/hardened/linux/amd64
    Or if you want to use plasma, or other profiles, you can adjust your configuration.
Hi mirekm,
So if I understand you correctly, I could have combined my hardened profile settings with the plasma profile settings in one local overlay.
The Doctor (Moderator), Joined: 27 Jul 2010, Posts: 2678
Posted: Sun May 15, 2016 5:53 am
Well, you could, but it isn't worth it.
USE="" is your custom profile. Basically, all the profile does is set USE flags. There is no reason you couldn't run the plasma profile with the hardened USE flag, or the hardened profile with whatever plasma USE flags that pulls in.
If I recall correctly, "hardened" is the only special USE flag in the hardened profile.
spidark (Tux's lil' helper), Joined: 01 Sep 2011, Posts: 147
Posted: Sun May 15, 2016 6:24 am
The Doctor wrote:
    Well, you could, but it isn't worth it.
    USE="" is your custom profile. Basically, all the profile does is set USE flags. There is no reason you couldn't run the plasma profile with the hardened USE flag, or the hardened profile with whatever plasma USE flags that pulls in.
    If I recall correctly, "hardened" is the only special USE flag in the hardened profile.
Hi The Doctor,
The tip toralf gave worked for me; plasma compiled fine, with some USE flag adjustments in make.conf of course.
I did not want to fiddle with the profile, because I'm no expert in this field.
The issue I'm having is with grsecurity.
MPROTECT is preventing some applications that plasma needs from running.
If I start my system with the gentoo-sources kernel, plasma runs fine.
So it has something to do with my MPROTECT setting.
asturm (Developer), Joined: 05 Apr 2007, Posts: 8935
Posted: Sun May 15, 2016 7:54 am
The Doctor wrote:
    USE="" is your custom profile. Basically, all the profile does is set USE flags.
The Plasma profile sets global USE flags (e.g. kde qt4 qt5), but then, to remove conflicts with certain packages, it switches off qt4 (same for the kde flag) on select packages inside package.use, and switches on minimal for a lot of packages to be able to actually install KDE Applications. So it can be worth symlinking these into your own profile.
toralf (Developer), Joined: 01 Feb 2004, Posts: 3922, Location: Hamburg
Posted: Sun May 15, 2016 8:37 am
A few more ideas:
I do have this in make.conf:
Code:
    $ grep -i pax /etc/portage/make.conf
    PAX_MARKINGS="XT"
My hardened kernel config is https://bpaste.net/show/aa2aa9ed6138, and you might have a look at
Code:
    migrate-pax -m
    revdep-pax
IMO the IRC channel #gentoo-hardened is a good place. FWIW the hardened profile has not only "hardened", it has the USE flags "pax_kernel xtpax" too. I'd start with a weaker hardened kernel, so maybe unset CONFIG_PAX_NOEXEC=n and friends for a while and then slowly try one option after the other?
And I'd start and run
Code:
    paxctl-ng -perms <foo>
on the affected programs. Maybe you emerged them in the past and the PAX settings weren't set right? If you update or re-emerge the appropriate packages later, then the correct settings should be set by portage.
Last edited by toralf on Sun May 15, 2016 5:09 pm; edited 1 time in total
mirekm (Apprentice), Joined: 12 Feb 2004, Posts: 210, Location: Gliwice
Posted: Sun May 15, 2016 4:29 pm
Quote:
    So if I understand you correctly, I could have combined my hardened profile settings with the plasma profile settings in one local overlay.
Yes, exactly. The advantage of this solution is that you don't need to take care of the flags (un)masked by the developers. Everything will work out of the box.
Quote:
    Well, you could, but it isn't worth it.
It is worth it. I have used this solution for several years, with no problems. I don't need to think about what works with the hardened profile and what doesn't. It is just pragmatic, less work for me. Why should I try to pry open doors?
spidark (Tux's lil' helper), Joined: 01 Sep 2011, Posts: 147
Posted: Sun May 15, 2016 9:59 pm
toralf wrote:
    A few more ideas:
    I do have this in make.conf:
        $ grep -i pax /etc/portage/make.conf
        PAX_MARKINGS="XT"
    My hardened kernel config is https://bpaste.net/show/aa2aa9ed6138, and you might have a look at
        migrate-pax -m
        revdep-pax
    IMO the IRC channel #gentoo-hardened is a good place. FWIW the hardened profile has not only "hardened", it has the USE flags "pax_kernel xtpax" too. I'd start with a weaker hardened kernel, so maybe unset CONFIG_PAX_NOEXEC=n and friends for a while and then slowly try one option after the other?
    And I'd start and run
        paxctl-ng -perms <foo>
    on the affected programs. Maybe you emerged them in the past and the PAX settings weren't set right? If you update or re-emerge the appropriate packages later, then the correct settings should be set by portage.
Hi toralf,
Looking into the Hardened/PaX Quickstart web page.
I'll let you know if everything worked, and if so mark this solved.
Thanks a lot.
spidark (Tux's lil' helper), Joined: 01 Sep 2011, Posts: 147
Posted: Sun May 15, 2016 10:02 pm
mirekm wrote:
    Quote:
        So if I understand you correctly, I could have combined my hardened profile settings with the plasma profile settings in one local overlay.
    Yes, exactly. The advantage of this solution is that you don't need to take care of the flags (un)masked by the developers. Everything will work out of the box.
    Quote:
        Well, you could, but it isn't worth it.
    It is worth it. I have used this solution for several years, with no problems. I don't need to think about what works with the hardened profile and what doesn't. It is just pragmatic, less work for me. Why should I try to pry open doors?
Hi mirekm,
After I have solved grsec/PaX, I'm going to look into your local overlay profile.
If I need help, I will contact you.
Thanks
mirekm (Apprentice), Joined: 12 Feb 2004, Posts: 210, Location: Gliwice
Posted: Tue Jun 28, 2016 6:28 am
spidark wrote:
    Hi mirekm,
    After I have solved grsec/PaX, I'm going to look into your local overlay profile.
    If I need help, I will contact you.
    Thanks
You can find a copy of the overlay in this file:
http://www.mieszczak.com.pl/gentoo/overlay.tar.bz2
spidark (Tux's lil' helper), Joined: 01 Sep 2011, Posts: 147
Posted: Fri Jul 01, 2016 1:27 pm
Thanks mirekm.
I'm going for a fresh install.
Thank you all for your help.
forrestfunk81 (Guru), Joined: 07 Feb 2006, Posts: 565, Location: münchen.de
Posted: Sun Dec 25, 2016 11:04 pm
Hi spidark,
Is your profile listed in eselect profile list? Or have you created the symlink manually?
I just added profiles with the same directory structure as yours in my local overlay, but it is not listed in eselect profile list.
spidark (Tux's lil' helper), Joined: 01 Sep 2011, Posts: 147
Posted: Thu Dec 29, 2016 5:47 am
forrestfunk81 wrote:
    Hi spidark,
    Is your profile listed in eselect profile list? Or have you created the symlink manually?
    I just added profiles with the same directory structure as yours in my local overlay, but it is not listed in eselect profile list.
Hi forrestfunk81,
It's been a while; I'm not running a hardened kernel at this point, there were too many issues at that time.
If I recall, the profile was not listed back then.
Regards.
Laptop HP Pavilion G6 2310-SD Intel(R) Core(TM) i7-3632QM CPU @ 2.20GHz
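For completeness, here is how the combined profile mirekm describes earlier in the thread can be laid out so that eselect does list it, which is what forrestfunk81's question above is about. This is an added example, not mirekm's overlay: it writes the `parent` file in his order (hardened last, so its settings win), uses the `profiles/` directory name that portage scans (his post says `profile/`), targets the plasma rather than the kde desktop profile, and adds the `profiles.desc` entry that `eselect profile list` reads. A profile directory that is not named in `profiles.desc` works through a manual `/etc/portage/make.profile` symlink but never shows up in the list. The tree location /usr/portage (the `PORTDIR` variable), the overlay repo name `local` and the profile name `default/hardened/plasma` are choices made for this example.

```shell
#!/bin/sh
# Added example (not mirekm's overlay): lay out a combined hardened+plasma
# profile inside a local overlay so that portage accepts it and
# `eselect profile list` shows it.  Assumptions: the main tree is at
# /usr/portage (override with PORTDIR), the overlay's repo name is "local"
# and the profile is called default/hardened/plasma; all three are choices
# made for this example.

PORTDIR=${PORTDIR:-/usr/portage}

# make_profile <overlay-dir> <repo-name> <arch>
make_profile() {
    overlay=$1 repo=$2 arch=$3
    prof="$overlay/profiles/default/hardened/plasma"
    mkdir -p "$prof" "$overlay/metadata"

    # Minimal repository metadata; portage ignores an overlay without a repo_name.
    printf '%s\n' "$repo" > "$overlay/profiles/repo_name"
    printf 'masters = gentoo\n' > "$overlay/metadata/layout.conf"

    # Parent order matters: later parents override earlier ones, so hardened
    # goes last and its USE="hardened pax_kernel xtpax" and toolchain defaults
    # win over anything the plasma desktop profile sets.
    printf '%s\n' \
        "$PORTDIR/profiles/default/linux/$arch/13.0/desktop/plasma" \
        "$PORTDIR/profiles/hardened/linux/$arch" > "$prof/parent"
    printf '5\n' > "$prof/eapi"

    # eselect only lists profiles named in profiles.desc: "<arch> <path> <status>".
    # Without this line the profile works via a manual symlink but never shows up.
    printf '%s default/hardened/plasma exp\n' "$arch" >> "$overlay/profiles/profiles.desc"
}

# check_profile <overlay-dir>: print each parent with ok/MISSING, in the
# order portage will apply them; returns non-zero if any parent is missing.
check_profile() {
    prof="$1/profiles/default/hardened/plasma"
    rc=0
    while read -r parent; do
        if [ -d "$parent" ]; then
            printf 'ok       %s\n' "$parent"
        else
            printf 'MISSING  %s\n' "$parent"
            rc=1
        fi
    done < "$prof/parent"
    return $rc
}

# Usage (as root on the real system), then pick the new entry from
# `eselect profile list` as usual:
#   make_profile /usr/local/portage local amd64 && check_profile /usr/local/portage
```

`make_profile` appends to `profiles.desc`, so run it once per profile; if you rename the profile later, edit that file by hand. The `exp` status only affects what eselect prints next to the entry and whether repoman complains, not what portage does with the profile.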
spidark (Tux's lil' helper), Joined: 01 Sep 2011, Posts: 147
Posted: Sat Jan 14, 2017 9:38 pm
I can confirm that plasma is running smoothly on my machine with a grsec kernel.
So for me it's solved.
I only have issues with google-chrome.
Thanks to all who replied with helpful solutions.
Thanks
Code:
    [I] kde-plasma/plasma-meta
    Available versions: (5) 5.8.3 ~5.8.5
Code:
    CONFIG_GRKERNSEC=y
    CONFIG_GRKERNSEC_CONFIG_AUTO=y
    # CONFIG_GRKERNSEC_CONFIG_CUSTOM is not set
    CONFIG_GRKERNSEC_CONFIG_SERVER=y
    # CONFIG_GRKERNSEC_CONFIG_DESKTOP is not set
    CONFIG_GRKERNSEC_CONFIG_VIRT_NONE=y
    # CONFIG_GRKERNSEC_CONFIG_VIRT_GUEST is not set
    # CONFIG_GRKERNSEC_CONFIG_VIRT_HOST is not set
    # CONFIG_GRKERNSEC_CONFIG_PRIORITY_PERF is not set
    CONFIG_GRKERNSEC_CONFIG_PRIORITY_SECURITY=y
    CONFIG_GRKERNSEC_PROC_GID=10
    CONFIG_GRKERNSEC_SYMLINKOWN_GID=100
    CONFIG_GRKERNSEC_KMEM=y
    # CONFIG_GRKERNSEC_IO is not set
    CONFIG_GRKERNSEC_BPF_HARDEN=y
    CONFIG_GRKERNSEC_PERF_HARDEN=y
    CONFIG_GRKERNSEC_RAND_THREADSTACK=y
    CONFIG_GRKERNSEC_PROC_MEMMAP=y
    CONFIG_GRKERNSEC_KSTACKOVERFLOW=y
    CONFIG_GRKERNSEC_BRUTE=y
    CONFIG_GRKERNSEC_MODHARDEN=y
    CONFIG_GRKERNSEC_HIDESYM=y
    CONFIG_GRKERNSEC_RANDSTRUCT=y
    CONFIG_GRKERNSEC_RANDSTRUCT_PERFORMANCE=y
    CONFIG_GRKERNSEC_KERN_LOCKOUT=y
    # CONFIG_GRKERNSEC_NO_RBAC is not set
    # CONFIG_GRKERNSEC_ACL_HIDEKERN is not set
    CONFIG_GRKERNSEC_ACL_MAXTRIES=3
    CONFIG_GRKERNSEC_ACL_TIMEOUT=30
    CONFIG_GRKERNSEC_PROC=y
    CONFIG_GRKERNSEC_PROC_USER=y
    CONFIG_GRKERNSEC_PROC_ADD=y
    CONFIG_GRKERNSEC_LINK=y
    # CONFIG_GRKERNSEC_SYMLINKOWN is not set
    CONFIG_GRKERNSEC_FIFO=y
    # CONFIG_GRKERNSEC_SYSFS_RESTRICT is not set
    # CONFIG_GRKERNSEC_ROFS is not set
    CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y
    CONFIG_GRKERNSEC_CHROOT=y
    CONFIG_GRKERNSEC_CHROOT_MOUNT=y
    CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
    CONFIG_GRKERNSEC_CHROOT_PIVOT=y
    CONFIG_GRKERNSEC_CHROOT_CHDIR=y
    CONFIG_GRKERNSEC_CHROOT_CHMOD=y
    CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
    CONFIG_GRKERNSEC_CHROOT_MKNOD=y
    CONFIG_GRKERNSEC_CHROOT_SHMAT=y
    CONFIG_GRKERNSEC_CHROOT_UNIX=y
    CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
    CONFIG_GRKERNSEC_CHROOT_NICE=y
    CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
    CONFIG_GRKERNSEC_CHROOT_RENAME=y
    CONFIG_GRKERNSEC_CHROOT_CAPS=y
    CONFIG_GRKERNSEC_CHROOT_INITRD=y
    # CONFIG_GRKERNSEC_AUDIT_GROUP is not set
    # CONFIG_GRKERNSEC_EXECLOG is not set
    CONFIG_GRKERNSEC_RESLOG=y
    CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
    # CONFIG_GRKERNSEC_AUDIT_PTRACE is not set
    # CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
    # CONFIG_GRKERNSEC_AUDIT_MOUNT is not set
    CONFIG_GRKERNSEC_SIGNAL=y
    # CONFIG_GRKERNSEC_FORKFAIL is not set
    CONFIG_GRKERNSEC_TIME=y
    CONFIG_GRKERNSEC_PROC_IPADDR=y
    CONFIG_GRKERNSEC_RWXMAP_LOG=y
    CONFIG_GRKERNSEC_DMESG=y
    CONFIG_GRKERNSEC_HARDEN_PTRACE=y
    CONFIG_GRKERNSEC_PTRACE_READEXEC=y
    CONFIG_GRKERNSEC_SETXID=y
    CONFIG_GRKERNSEC_HARDEN_IPC=y
    CONFIG_GRKERNSEC_HARDEN_TTY=y
    # CONFIG_GRKERNSEC_TPE is not set
    CONFIG_GRKERNSEC_BLACKHOLE=y
    CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
    # CONFIG_GRKERNSEC_SOCKET is not set
    CONFIG_GRKERNSEC_DENYUSB=y
    # CONFIG_GRKERNSEC_DENYUSB_FORCE is not set
    CONFIG_GRKERNSEC_SYSCTL=y
    CONFIG_GRKERNSEC_SYSCTL_ON=y
    # CONFIG_GRKERNSEC_SELINUX_AVC_LOG_IPADDR is not set
    CONFIG_GRKERNSEC_FLOODTIME=10
    CONFIG_GRKERNSEC_FLOODBURST=6
Code:
    # eselect profile list
    Available profile symlink targets:
    [1] default/linux/amd64/13.0
    [2] default/linux/amd64/13.0/selinux
    [3] default/linux/amd64/13.0/desktop
    [4] default/linux/amd64/13.0/desktop/gnome
    [5] default/linux/amd64/13.0/desktop/gnome/systemd
    [6] default/linux/amd64/13.0/desktop/kde
    [7] default/linux/amd64/13.0/desktop/kde/systemd
    [8] default/linux/amd64/13.0/desktop/plasma
    [9] default/linux/amd64/13.0/desktop/plasma/systemd
    [10] default/linux/amd64/13.0/developer
    [11] default/linux/amd64/13.0/no-multilib
    [12] default/linux/amd64/13.0/systemd
    [13] default/linux/amd64/13.0/x32
    [14] hardened/linux/amd64 *
    [15] hardened/linux/amd64/selinux
    [16] hardened/linux/amd64/no-multilib
    [17] hardened/linux/amd64/no-multilib/selinux
    [18] hardened/linux/amd64/x32
    [19] hardened/linux/musl/amd64
    [20] hardened/linux/musl/amd64/x32
    [21] default/linux/uclibc/amd64
    [22] hardened/linux/uclibc/amd64
Code:
    Available kernel symlink targets:
    [1] linux-4.4.39-gentoo
    [2] linux-4.7.10-hardened *