Gentoo Forums
Plasma 5 with hardened kernel ?(SOLVED)
spidark
Tux's lil' helper
Joined: 01 Sep 2011
Posts: 142

PostPosted: Wed May 11, 2016 2:41 pm    Post subject: Plasma 5 with hardened kernel ?(SOLVED)

Hello.
Does Plasma5 run on a hardened kernel?
The Docs state
Code:
Profile

It is highly recommended to use the Plasma desktop profile as it sets a number of important options to ensure things run smoothly.

In order to choose the most suitable profile, first list what's available:

I only see these hardened profiles.
No plasma hardened profile.

Code:
  [14]  hardened/linux/amd64 *
  [15]  hardened/linux/amd64/selinux
  [16]  hardened/linux/amd64/no-multilib
  [17]  hardened/linux/amd64/no-multilib/selinux
  [18]  hardened/linux/amd64/x32
  [19]  hardened/linux/musl/amd64
  [20]  hardened/linux/musl/amd64/x32

And if it does, what are the heads-ups?
Thanks in advance.


Last edited by spidark on Sat Jan 14, 2017 9:31 pm; edited 2 times in total
toralf
Developer
Joined: 01 Feb 2004
Posts: 3647
Location: Hamburg

PostPosted: Wed May 11, 2016 5:53 pm

I do run a hardened desktop with stable KDE so far. From time to time I do an
Code:
eselect profile set 8;emerge --deep --update --newuse --changed-use --with-bdeps=y @world --pretend; eselect profile set 14
to see which USE flags I should have in my make.conf to be somehow compatible with the plasma profile (formerly I did the same with the kde profile). FWIW with "hardened" I do mean Grsecurity w/ CONFIG_GRKERNSEC_CONFIG_AUTO=y and CONFIG_GRKERNSEC_CONFIG_DESKTOP=y.
spidark
Tux's lil' helper
Joined: 01 Sep 2011
Posts: 142

PostPosted: Wed May 11, 2016 6:10 pm

toralf wrote:
I do run a hardened desktop with stable KDE so far. From time to time I do an
Code:
eselect profile set 8;emerge --deep --update --newuse --changed-use --with-bdeps=y @world --pretend; eselect profile set 14
to see which USE flags I should have in my make.conf to be somehow compatible with the plasma profile (formerly I did the same with the kde profile). FWIW with "hardened" I do mean Grsecurity w/ CONFIG_GRKERNSEC_CONFIG_AUTO=y and CONFIG_GRKERNSEC_CONFIG_DESKTOP=y.


Good one toralf.
I have the same settings so it should work.
Thanks. :D
spidark
Tux's lil' helper
Joined: 01 Sep 2011
Posts: 142

PostPosted: Sat May 14, 2016 5:38 pm

toralf wrote:
I do run a hardened desktop with stable KDE so far. From time to time I do an
Code:
eselect profile set 8;emerge --deep --update --newuse --changed-use --with-bdeps=y @world --pretend; eselect profile set 14
to see which USE flags I should have in my make.conf to be somehow compatible with the plasma profile (formerly I did the same with the kde profile). FWIW with "hardened" I do mean Grsecurity w/ CONFIG_GRKERNSEC_CONFIG_AUTO=y and CONFIG_GRKERNSEC_CONFIG_DESKTOP=y.


Hello Toralf.

I'm so close I can feel it,
but things keep segfaulting all over the place.
The sddm black screen issue was resolved by disabling mprotect with paxctl.
Code:
paxctl-ng -m /usr/bin/sddm

But after logging in (sddm), things hang at the kde screen.
This does not happen with the gentoo-sources kernel, things run ok.

Played with different settings (paxctl), this does not fix things.
Tried paxctl -z on the files that are segfaulting and giving errors.
/usr/bin/kdeinit5
/usr/bin/ksmserver
/usr/bin/baloo_file
/usr/bin/kactivitymanagerd
/usr/bin/krunner

These are some of the errors I'm receiving
Code:
May 14 17:42:50 [kernel] [  890.945157] grsec: denied RWX mmap of <anonymous mapping> by /usr/bin/baloo_file[baloo_file:5172] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/kdeinit5[kdeinit5:5083] uid/euid:1000/1000 gid/egid:1000/1000

Code:
May 14 17:47:54 [kernel] [ 1195.331645] PAX: /usr/lib64/liborc-0.4.so.0.23.0 wants MPROTECT disabled on /usr/bin/kdeinit5

Code:
May 14 10:05:26 [kernel] [ 3168.974484] kactivitymanage[3502]: segfault at 7fd7d37a9c90 ip 00007fd7ba65a347 sp 00007ffcb02a39a0 error 4 in libQt5Sql.so.5.5.1[7fd7ba645000+47000]

Things are running smoothly with linux-4.4.8-hardened-r1 but I disabled CONFIG_PAX_MPROTECT

Any ideas?
Thanks in advance.
mirekm
Apprentice
Joined: 12 Feb 2004
Posts: 182
Location: Gliwice

PostPosted: Sat May 14, 2016 8:31 pm

You can create your own profile for that.
You have to create a local overlay, and after that:
create the directory:
<overlay>/profile/default/hardened/kde/

in that directory create the file "parent"
with the following contents:

/usr/portage/profiles/default/linux/amd64/13.0/desktop/kde
/usr/portage/profiles/hardened/linux/amd64

Or if you want to use plasma, or other profiles, you can adjust your configuration.
spidark
Tux's lil' helper
Joined: 01 Sep 2011
Posts: 142

PostPosted: Sun May 15, 2016 4:57 am

mirekm wrote:
You can create your own profile for that.
You have to create local overlay, and after that:
create directory:
<overlay>/profile/default/hardened/kde/

in that directory create file "parent"
with following contents:

/usr/portage/profiles/default/linux/amd64/13.0/desktop/kde
/usr/portage/profiles/hardened/linux/amd64

Or if you want to use plasma, or other profiles, you can adjust your configuration.

Hi Mirekm,
So if I understand you correctly, I could have combined my hardened profile settings with the plasma profile settings in one local overlay.
The Doctor
Moderator
Joined: 27 Jul 2010
Posts: 2546

PostPosted: Sun May 15, 2016 5:53 am

Well, you could but it isn't worth it.

USE="" is your custom profile. Basically, all the profile does is set use flags. There is no reason you couldn't run the plasma profile with the hardened use flag or the hardened profile with whatever plasma use flags that pulls in.

If I recall correctly, "hardened" is the only special use flag in the hardened profile.
spidark
Tux's lil' helper
Joined: 01 Sep 2011
Posts: 142

PostPosted: Sun May 15, 2016 6:24 am

The Doctor wrote:
Well, you could but it isn't worth it.

USE="" is your custom profile. Basically, all the profile does is set use flags. There is no reason you couldn't run the plasma profile with the hardened use flag or the hardened profile with whatever plasma use flags that pulls in.

If I recall correctly, "hardened" is the only special use flag in the hardened profile

Hi The Doctor,
The tip Toralf gave worked for me, plasma compiled fine, with some USE flag adjustments in make.conf of course.
I did not want to fiddle with the profile, because I'm no expert in this field.
The issue I'm having is with grsecurity.
MPROTECT is preventing some applications that plasma needs from running.
If I start my system with the gentoo-sources kernel, plasma runs fine.
So it has something to do with my MPROTECT setting.
asturm
Developer
Joined: 05 Apr 2007
Posts: 6824
Location: Austria

PostPosted: Sun May 15, 2016 7:54 am

The Doctor wrote:
USE="" is your custom profile. Basically, all the profile does is set use flags.

Plasma profile sets global use flags (e.g. kde qt4 qt5) but then to remove conflicts with certain packages, it switches off qt4 (same for the kde flag) on select packages inside package.use, and switches on minimal for a lot of packages to be able to actually install KDE Applications. So it can be worth symlinking these into your own profile.
toralf
Developer
Joined: 01 Feb 2004
Posts: 3647
Location: Hamburg

PostPosted: Sun May 15, 2016 8:37 am

Few more ideas:
I do have
Code:
$ grep -i pax /etc/portage/make.conf
PAX_MARKINGS="XT"
, my hardened kernel config is https://bpaste.net/show/aa2aa9ed6138 - and you might have a look at
Code:
migrate-pax -m
revdep-pax
IMO the IRC channel #gentoo-hardened is a good place. FWIW the hardened profile has not only "hardened", it has the USE flags "pax_kernel xtpax" too. I'd start with a weaker hardened kernel, so maybe unset CONFIG_PAX_NOEXEC=n and friends for a while and then slowly try one option after the other?
And I'd start and run
Code:
paxctl-ng -perms <foo>
on affected programs. Maybe you emerged them in the past and the PAX settings weren't set right? If you update or re-emerge appropriate packages later then the correct settings should be set by portage.

Last edited by toralf on Sun May 15, 2016 5:09 pm; edited 1 time in total
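An added triage script, not code from this thread or from Gentoo, that ties spidark's kernel messages to toralf's advice to check PaX markings per program: it parses the three message formats quoted above (grsec RWX mmap denial, "PAX: ... wants MPROTECT disabled", plain segfault) and lists which executables to inspect with paxctl-ng before touching CONFIG_PAX_MPROTECT globally. The sample embeds the three lines from spidark's post, with the first deliberately split across two lines the way a terminal or forum paste wraps it, to exercise the re-join.

```python
"""Triage PaX/grsecurity kernel messages of the kind quoted in this thread.
Added example, not code from the thread or from Gentoo: re-joins records a
paste wrapped mid-token and lists executables whose PaX markings to inspect
(paxctl-ng -v <exe>) instead of disabling CONFIG_PAX_MPROTECT system-wide."""
import re
from collections import defaultdict

# Record start: syslog prefix such as "May 14 17:42:50 ".
TS = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} ")
# grsec refused a writable+executable anonymous mapping (an MPROTECT violation).
RWX = re.compile(r"grsec: denied RWX mmap of (?P<what>.+?) by (?P<exe>\S+?)\[")
# A library asked for MPROTECT to be relaxed on one specific executable.
MPROTECT = re.compile(r"PAX: (?P<lib>\S+) wants MPROTECT disabled on (?P<exe>\S+)")
# Plain segfault; comm is the kernel's 15-char truncated task name, not a path.
SEGV = re.compile(r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at [0-9a-f]+ ip [0-9a-f]+ "
                  r"sp [0-9a-f]+ error (?P<err>\d+) in (?P<lib>[^\[\s]+)\[")

# The three lines spidark pasted above; the first is wrapped inside a token.
SAMPLE_LOG = """\
May 14 17:42:50 [kernel] [  890.945157] grsec: denied RWX mmap of <anonymous mapping> by /usr/bin/baloo_file[baloo_file:5172] uid/euid:1000/1000 gid/egid:100
0/1000, parent /usr/bin/kdeinit5[kdeinit5:5083] uid/euid:1000/1000 gid/egid:1000/1000
May 14 17:47:54 [kernel] [ 1195.331645] PAX: /usr/lib64/liborc-0.4.so.0.23.0 wants MPROTECT disabled on /usr/bin/kdeinit5
May 14 10:05:26 [kernel] [ 3168.974484] kactivitymanage[3502]: segfault at 7fd7d37a9c90 ip 00007fd7ba65a347 sp 00007ffcb02a39a0 error 4 in libQt5Sql.so.5.5.1[7fd7ba645000+47000]
"""

def join_wrapped(lines):
    """Glue continuation lines (no timestamp) onto the previous record.
    A terminal/forum wrap splits inside a token, so join with no separator."""
    records = []
    for line in lines:
        line = line.rstrip("\n")
        if not line.strip():
            continue
        if TS.match(line) or not records:
            records.append(line)
        else:
            records[-1] += line.strip()
    return records

def triage(lines):
    """Map executable path (or truncated comm for segfaults) -> sorted evidence."""
    found = defaultdict(lambda: {"mprotect": set(), "segfault_in": set()})
    for rec in join_wrapped(lines):
        if (m := RWX.search(rec)):
            found[m["exe"]]["mprotect"].add(f"RWX mmap of {m['what']}")
        elif (m := MPROTECT.search(rec)):
            found[m["exe"]]["mprotect"].add(f"{m['lib']} wants MPROTECT off")
        elif (m := SEGV.search(rec)):
            found[m["comm"]]["segfault_in"].add(m["lib"])
    return {k: {f: sorted(s) for f, s in v.items()} for k, v in found.items()}

def suggested_checks(findings):
    """Executables with MPROTECT evidence: inspect these with paxctl-ng -v first."""
    return sorted(exe for exe, v in findings.items() if v["mprotect"])

if __name__ == "__main__":
    result = triage(SAMPLE_LOG.splitlines())
    print(result, "\ncheck markings on:", suggested_checks(result))
```

A segfault keyed by comm (kactivitymanage) has no MPROTECT evidence by itself, so it is reported but not put on the check list.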
mirekm
Apprentice
Joined: 12 Feb 2004
Posts: 182
Location: Gliwice

PostPosted: Sun May 15, 2016 4:29 pm

Quote:
So if i understand you correctly, I've could of combined my hardened profile settings with the plasma profile settings in one local overlay.


Yes, exactly. The advantage of this solution is that you don't need to take care of the flags (un)masked by the developers. Everything will work out of the box.


Quote:
Well, you could but it isn't worth it.

It is worth it. I have been using this solution for several years, with no problems. I don't need to think about what works with the hardened profile and what doesn't. It is just pragmatic, less work for me. Why should I try to pry open doors.
spidark
Tux's lil' helper
Joined: 01 Sep 2011
Posts: 142

PostPosted: Sun May 15, 2016 9:59 pm

toralf wrote:
Few more ideas :
I do have
Code:
$ grep -i pax /etc/portage/make.conf
PAX_MARKINGS="XT"
, my hardened kernel config is https://bpaste.net/show/aa2aa9ed6138 - and you might have a look at
Code:
migrate-pax -m
revdep-pax
IMO the IRC channel #gentoo-hardened is a good place. FWIW the hardened profile has not only "hardened", it has the USE flags "pax_kernel xtpax" too. I'd start with a weaker hardened kernel, so maybe unset CONFIG_PAX_NOEXEC=n and friends for a while and then slowly try one option after the other?
And I'd start and run
Code:
paxctl-ng -perms <foo>
on affected programs. Maybe you emerged them in the past and the PAX settings weren't set right? If you update or re-emerge appropriate packages later then the correct settings should be set by portage.

Hi Toralf,
Looking into the Hardened/PaX Quickstart webpage.
I'll let you know if everything worked, and if so mark this solved.
Thanks a lot.
spidark
Tux's lil' helper
Joined: 01 Sep 2011
Posts: 142

PostPosted: Sun May 15, 2016 10:02 pm

mirekm wrote:
Quote:
So if i understand you correctly, I've could of combined my hardened profile settings with the plasma profile settings in one local overlay.


Yes, exactly. The advantage of this solution is, that you don't need to take care about the flags (un)masked by the developers. Everything will work out of the box.


Quote:
Well, you could but it isn't worth it.

It is worth it. I have been using this solution for several years, with no problems. I don't need to think about what works with the hardened profile and what doesn't. It is just pragmatic, less work for me. Why should I try to pry open doors.

Hi Mirekm,
After I've solved grsec/pax, I'm gonna look into your local overlay profile.
If I need help, I will contact you.
Thanks
mirekm
Apprentice
Joined: 12 Feb 2004
Posts: 182
Location: Gliwice

PostPosted: Tue Jun 28, 2016 6:28 am

spidark wrote:

Hi Mirekm,
After I've solved grsec/pax, I'm gonna look into your local overlay profile.
If I need help, I will contact you.
Thanks


You can find a copy of the overlay in the file:

http://www.mieszczak.com.pl/gentoo/overlay.tar.bz2
spidark
Tux's lil' helper
Joined: 01 Sep 2011
Posts: 142

PostPosted: Fri Jul 01, 2016 1:27 pm

mirekm wrote:
spidark wrote:

Hi Mirekm,
After I've solved grsec/pax, I'm gonna look into your local overlay profile.
If I need help, I will contact you.
Thanks


You can find a copy of the overlay in the file:

http://www.mieszczak.com.pl/gentoo/overlay.tar.bz2


Thanks Mirekm.
I'm going for a fresh install.
Thank you all for your help
forrestfunk81
Guru
Joined: 07 Feb 2006
Posts: 479
Location: münchen.de

PostPosted: Sun Dec 25, 2016 11:04 pm

Hi spidark,

Is your profile listed in eselect profile list? Or have you created the symlink manually?

I just added profiles with the same directory structure as yours in my local overlay, but it is not listed in eselect profile list.
spidark
Tux's lil' helper
Joined: 01 Sep 2011
Posts: 142

PostPosted: Thu Dec 29, 2016 5:47 am

forrestfunk81 wrote:
Hi spidark,

is your profile listed in eselect profile list? Or have you created the symlink manually?

I just added profiles with the same directory structure as yours in my local overlay, but it is not listed in eselect profile list.

Hi forrestfunk81,
It's been a while, I'm not running a hardened kernel at this point, there were too many issues at that time.
If I recall, the profile was not listed back then.
Regards.
spidark
Tux's lil' helper
Joined: 01 Sep 2011
Posts: 142

PostPosted: Sat Jan 14, 2017 9:38 pm

I can confirm that plasma is running smoothly on my machine with the grsec kernel.
So for me it's solved.
I only have issues with google-chrome.
Thanks to all who replied with helpful solutions.
Thanks 8)

Code:
[I] kde-plasma/plasma-meta
     Available versions:  (5) 5.8.3 ~5.8.5


Code:
CONFIG_GRKERNSEC=y
CONFIG_GRKERNSEC_CONFIG_AUTO=y
# CONFIG_GRKERNSEC_CONFIG_CUSTOM is not set
CONFIG_GRKERNSEC_CONFIG_SERVER=y
# CONFIG_GRKERNSEC_CONFIG_DESKTOP is not set
CONFIG_GRKERNSEC_CONFIG_VIRT_NONE=y
# CONFIG_GRKERNSEC_CONFIG_VIRT_GUEST is not set
# CONFIG_GRKERNSEC_CONFIG_VIRT_HOST is not set
# CONFIG_GRKERNSEC_CONFIG_PRIORITY_PERF is not set
CONFIG_GRKERNSEC_CONFIG_PRIORITY_SECURITY=y
CONFIG_GRKERNSEC_PROC_GID=10
CONFIG_GRKERNSEC_SYMLINKOWN_GID=100
CONFIG_GRKERNSEC_KMEM=y
# CONFIG_GRKERNSEC_IO is not set
CONFIG_GRKERNSEC_BPF_HARDEN=y
CONFIG_GRKERNSEC_PERF_HARDEN=y
CONFIG_GRKERNSEC_RAND_THREADSTACK=y
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_KSTACKOVERFLOW=y
CONFIG_GRKERNSEC_BRUTE=y
CONFIG_GRKERNSEC_MODHARDEN=y
CONFIG_GRKERNSEC_HIDESYM=y
CONFIG_GRKERNSEC_RANDSTRUCT=y
CONFIG_GRKERNSEC_RANDSTRUCT_PERFORMANCE=y
CONFIG_GRKERNSEC_KERN_LOCKOUT=y
# CONFIG_GRKERNSEC_NO_RBAC is not set
# CONFIG_GRKERNSEC_ACL_HIDEKERN is not set
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30
CONFIG_GRKERNSEC_PROC=y
CONFIG_GRKERNSEC_PROC_USER=y
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
# CONFIG_GRKERNSEC_SYMLINKOWN is not set
CONFIG_GRKERNSEC_FIFO=y
# CONFIG_GRKERNSEC_SYSFS_RESTRICT is not set
# CONFIG_GRKERNSEC_ROFS is not set
CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_RENAME=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y
CONFIG_GRKERNSEC_CHROOT_INITRD=y
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
# CONFIG_GRKERNSEC_EXECLOG is not set
CONFIG_GRKERNSEC_RESLOG=y
CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
# CONFIG_GRKERNSEC_AUDIT_PTRACE is not set
# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
# CONFIG_GRKERNSEC_AUDIT_MOUNT is not set
CONFIG_GRKERNSEC_SIGNAL=y
# CONFIG_GRKERNSEC_FORKFAIL is not set
CONFIG_GRKERNSEC_TIME=y
CONFIG_GRKERNSEC_PROC_IPADDR=y
CONFIG_GRKERNSEC_RWXMAP_LOG=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_HARDEN_PTRACE=y
CONFIG_GRKERNSEC_PTRACE_READEXEC=y
CONFIG_GRKERNSEC_SETXID=y
CONFIG_GRKERNSEC_HARDEN_IPC=y
CONFIG_GRKERNSEC_HARDEN_TTY=y
# CONFIG_GRKERNSEC_TPE is not set
CONFIG_GRKERNSEC_BLACKHOLE=y
CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
# CONFIG_GRKERNSEC_SOCKET is not set
CONFIG_GRKERNSEC_DENYUSB=y
# CONFIG_GRKERNSEC_DENYUSB_FORCE is not set
CONFIG_GRKERNSEC_SYSCTL=y
CONFIG_GRKERNSEC_SYSCTL_ON=y
# CONFIG_GRKERNSEC_SELINUX_AVC_LOG_IPADDR is not set
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=6


Code:
# eselect profile list
Available profile symlink targets:
  [1]   default/linux/amd64/13.0
  [2]   default/linux/amd64/13.0/selinux
  [3]   default/linux/amd64/13.0/desktop
  [4]   default/linux/amd64/13.0/desktop/gnome
  [5]   default/linux/amd64/13.0/desktop/gnome/systemd
  [6]   default/linux/amd64/13.0/desktop/kde
  [7]   default/linux/amd64/13.0/desktop/kde/systemd
  [8]   default/linux/amd64/13.0/desktop/plasma
  [9]   default/linux/amd64/13.0/desktop/plasma/systemd
  [10]  default/linux/amd64/13.0/developer
  [11]  default/linux/amd64/13.0/no-multilib
  [12]  default/linux/amd64/13.0/systemd
  [13]  default/linux/amd64/13.0/x32
  [14]  hardened/linux/amd64 *
  [15]  hardened/linux/amd64/selinux
  [16]  hardened/linux/amd64/no-multilib
  [17]  hardened/linux/amd64/no-multilib/selinux
  [18]  hardened/linux/amd64/x32
  [19]  hardened/linux/musl/amd64
  [20]  hardened/linux/musl/amd64/x32
  [21]  default/linux/uclibc/amd64
  [22]  hardened/linux/uclibc/amd64


Code:
Available kernel symlink targets:
  [1]   linux-4.4.39-gentoo
  [2]   linux-4.7.10-hardened *
