Gentoo Forums
[Solved] Having issues with google-chrome/hardened-srcs
spidark
Tux's lil' helper

Joined: 01 Sep 2011
Posts: 142

Posted: Sun Jul 26, 2015 7:35 pm    Post subject: [Solved] Having issues with google-chrome/hardened-srcs

Hi,
I'm sure there are some security experts here who could point me or help me understand what's going on with the google-chrome binary package.
First let me try to explain my setup.
It's a Lenovo T410 laptop with two users, one for daily use and the other is a guest account that's not in the wheel group.
The guest account is used to play music, browse pictures, etc.
The work account is for daily use and to update Gentoo.

Now I'm no expert and gave Gentoo Hardened a try for educational purposes.

I have almost everything selected but....
Code:
CONFIG_GRKERNSEC_SYSFS_RESTRICT ( which breaks xfce4-sensors as normal user )

I know it's a laptop, but it's set up as below.

Code:
Grsecurity
    Configuration Method (Automatic)  --->
    Usage Type (Server)  --->
    Virtualization Type (None)  --->
    Required Priorities (Security)  --->
    Default Special Groups  --->
    Customize Configuration  --->

I also have
Code:
CONFIG_GRKERNSEC_SYMLINKOWN and CONFIG_GRKERNSEC_SYMLINKOWN_GID
set up.
Why?
Paranoid, I guess.

The only issue I have with this setup is google-chrome.
Yup, I'm too lazy to compile Chromium, and use the binary version of google-chrome.

The main user's id is
Code:
uid=1000(mainuser) gid=1000(mainuser) groups=1000(mainuser),10(wheel),18(audio),100(users),104(plugdev)

The guest user's id is of course
Code:
uid=1001(guest) gid=1001(guest) groups=1001(guest),18(audio),100(users)

I just want to be sure that google-chrome is safe.

Google Chrome still launches but gives these log errors.

Code:
[kernel] [   24.561571] grsec: denied following symlink /proc/2838/exe since symlink owner 1001 does not match target owner 0, by /opt/google/chrome/nacl_helper[nacl_helper:2838] uid/euid:1001/1001 gid/egid:1001/1001, parent /opt/google/chrome/chrome-sandbox[chrome-sandbox:2837] uid/euid:1001/1001 gid/egid:1001/1001
[kernel] [   24.561602] traps: nacl_helper[2838] general protection ip:2af9f438318 sp:3ad3950e4f0 error:0 in libc-2.20.so[2af9f400000+1a1000]
[kernel] [   24.561619] grsec: Segmentation fault occurred at            (nil) in /opt/google/chrome/nacl_helper[nacl_helper:2838] uid/euid:1001/1001 gid/egid:1001/1001, parent /opt/google/chrome/chrome-sandbox[chrome-sandbox:2837] uid/euid:1001/1001 gid/egid:1001/1001
[kernel] [   24.997246] grsec: denied following symlink /proc/2857/exe since symlink owner 1001 does not match target owner 0, by /opt/google/chrome/chrome[Chrome_ProcessL:2857] uid/euid:1001/1001 gid/egid:1001/1001, parent /opt/google/chrome/chrome[Chrome_ProcessL:2852] uid/euid:1001/1001 gid/egid:1001/1001


Thanks in advance, and sorry if this is a duplicate question or a not understood question.
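
Triage of the symlink denials quoted in the post above, as an added example that is not part of the original post: it parses grsec "denied following symlink" lines and separates a process resolving its own /proc/<pid>/exe (the pattern in both denials in the post) from any other denied symlink. The log lines, PIDs and paths in SAMPLE_LOG are constructed.

```python
import re
from collections import Counter

# Matches the message format shown in the post. Expects one event per line,
# so re-join lines that a terminal or pager has wrapped before parsing.
DENY = re.compile(
    r"grsec: denied following symlink (?P<link>\S+) since symlink owner "
    r"(?P<link_uid>\d+) does not match target owner (?P<target_uid>\d+), "
    r"by (?P<exe>\S+?)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+)"
)

# Constructed sample lines (not copied from the post's machine).
SAMPLE_LOG = (
    "[kernel] [   10.000001] grsec: denied following symlink /proc/4101/exe "
    "since symlink owner 1001 does not match target owner 0, by "
    "/opt/example/helper[helper:4101] uid/euid:1001/1001 gid/egid:1001/1001, "
    "parent /opt/example/launcher[launcher:4100] uid/euid:1001/1001 gid/egid:1001/1001\n"
    "[kernel] [   10.000050] traps: helper[4101] general protection error:0\n"
    "[kernel] [   11.000002] grsec: denied following symlink /tmp/link "
    "since symlink owner 1002 does not match target owner 1001, by "
    "/bin/cat[cat:4200] uid/euid:1001/1001 gid/egid:1001/1001, "
    "parent /bin/bash[bash:4150] uid/euid:1001/1001 gid/egid:1001/1001\n"
)

def parse_denials(text):
    """Return one dict per denial, with numeric fields converted to int."""
    events = []
    for line in text.splitlines():
        m = DENY.search(line)
        if not m:
            continue  # other kernel messages (traps, segfault reports) are skipped
        ev = m.groupdict()
        for key in ("link_uid", "target_uid", "pid", "uid", "euid"):
            ev[key] = int(ev[key])
        # True when the process looked up its own executable via /proc/<pid>/exe.
        ev["self_exe"] = ev["link"] == "/proc/%d/exe" % ev["pid"]
        events.append(ev)
    return events

def summarize(events):
    """Count denials per (executable, kind) so unexpected ones stand out."""
    counts = Counter()
    for ev in events:
        counts[(ev["exe"], "self_exe" if ev["self_exe"] else "other")] += 1
    return counts

if __name__ == "__main__":
    for key, n in sorted(summarize(parse_denials(SAMPLE_LOG)).items()):
        print(n, *key)
```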
spidark
Tux's lil' helper

Joined: 01 Sep 2011
Posts: 142

Posted: Fri Feb 03, 2017 8:37 pm    Post subject:

Solved!

I have /opt on a separate partition and mounted with nosuid
Code:
/opt             ext4        noatime,nodev,discard                     0  2
removed nosuid

with suid I got
Code:
[kernel] [   24.561602] traps: nacl_helper[2838] general protection ip:2af9f438318 sp:3ad3950e4f0 error:0 in libc-2.20.so[2af9f400000+1a1000]
[kernel] [   24.561619] grsec: Segmentation fault occurred at            (nil) in /opt/google/chrome/nacl_helper[nacl_helper:2838] uid/euid:1001/1001 gid/egid:1001/1001, parent /opt/google/chrome/chrome-sandbox[chrome-sandbox:2837] uid/euid:1001/1001 gid/egid:1001/100

And it crashed all the time; I did not pay close attention to the error message.
And running chrome from the command line gave more clues.
Funny, chrome runs just fine on a non-grsec-patched kernel :? with /opt mounted with nosuid :?
Anyway, for those interested, it's working.
It runs fine on a grsec-patched kernel with these PaX flags.
Code:
- PaX flags: P-S--m-x-eR- [chrome]
   PAGEEXEC is enabled
   SEGMEXEC is enabled
   MPROTECT is disabled
   RANDEXEC is disabled
   EMUTRAMP is disabled
   RANDMMAP is enabled
- PaX flags: P-S--m-x-eR- [nacl_helper]
   PAGEEXEC is enabled
   SEGMEXEC is enabled
   MPROTECT is disabled
   RANDEXEC is disabled
   EMUTRAMP is disabled
   RANDMMAP is enabled
- PaX flags: P-S--m-x-eR- [chrome-sandbox]
   PAGEEXEC is enabled
   SEGMEXEC is enabled
   MPROTECT is disabled
   RANDEXEC is disabled
   EMUTRAMP is disabled
   RANDMMAP is enabled


Cheers.
_________________
Laptop HP Pavilion G6 2310-SD Intel(R) Core(TM) i7-3632QM CPU @ 2.20GHz
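
A check for the situation resolved in the post above, as an added example that is not part of the original post: it lists set-user-ID/set-group-ID files that sit on a `nosuid` mount, where the kernel ignores those bits at exec time. The mount table in SAMPLE_MOUNTS is a constructed sample, and `scan()` assumes a Linux system with /proc/self/mounts.

```python
import os
import stat

# Constructed sample of /proc/self/mounts content (not the poster's machine).
SAMPLE_MOUNTS = """\
/dev/sda2 / ext4 rw,noatime 0 0
/dev/sda5 /opt ext4 rw,nosuid,nodev,noatime,discard 0 0
/dev/sda6 /home ext4 rw,nosuid,nodev,noexec 0 0
"""

def parse_mounts(text):
    """Return {mount_point: set(options)}; a later entry overrides an earlier one."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4:
            table[fields[1]] = set(fields[3].split(","))
    return table

def mount_for(path, table):
    """Longest mount point that is a whole-component prefix of `path`."""
    path = os.path.normpath(path)
    hits = [mp for mp in table
            if path == mp or path.startswith(mp.rstrip("/") + "/")]
    return max(hits, key=len) if hits else None

def ineffective_setid(files, table):
    """files: iterable of (path, st_mode). Return set-id files on nosuid mounts."""
    found = []
    for path, mode in files:
        if not mode & (stat.S_ISUID | stat.S_ISGID):
            continue
        mp = mount_for(path, table)
        if mp is not None and "nosuid" in table[mp]:
            found.append((path, mp))
    return found

def scan(root, mounts_path="/proc/self/mounts"):
    """Walk `root` on the live system and report set-id files the kernel will not honour."""
    with open(mounts_path) as fh:
        table = parse_mounts(fh.read())
    files = []
    for dirpath, _dirs, names in os.walk(root):
        for full in (os.path.join(dirpath, n) for n in names):
            mode = os.lstat(full).st_mode
            if stat.S_ISREG(mode):
                files.append((full, mode))
    return ineffective_setid(files, table)
```

Running `scan("/opt")` before and after a change to the mount options shows which helpers are affected by `nosuid`.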