LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 04-27-2014, 12:02 PM   #1
ls_milkyway
LQ Newbie
 
Registered: Aug 2013
Distribution: BT5R2
Posts: 28

Rep: Reputation: Disabled
iceweasel/firefox not opening in gre/pax 3.2.55 patched kernel


Dear Sir/Madam,

I have successfully applied gre/pax patch 3.2.55 to 3.2.55 Kernel , then compiled it and then installed the patched kernel on Debian wheezy 7.4.0.

When i boot to this new kernel then everything works normally, except ice-weasel or Firefox is not opening

but when i boot to incorporated kernel 3.2.0-4-686-pae both ice-weasel and Firefox execute normally.

I have selected:

1) DEFAULT GRE/PAX SECURITY (NOT PERFORMANCE) settings for desktop.

2) REMOVED IPV6 from kernel

and 3) REMOVED most of the EXPERIMENTAL ENTRIES FROM THE KERNEL (WHICH WERE SAFE WITH PROPER DEPENDENCIES)

PLEASE CAN anybody guess what went wrong??!!

Thanks in advance.
 
Old 04-27-2014, 02:56 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,393
Blog Entries: 55

Rep: Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565
Quote:
Originally Posted by ls_milkyway View Post
PLEASE CAN anybody guess what went wrong??!!
No, I can't guess that. Maybe some of the clairvoyant form members can ;-p
- You should list which kernel features, experimental or not, Grsecurity / PAX relies on, if any.
- You're using two different kernel versions which makes things less easy to compare,
- you're not posting the actual profile for Firefox / Iceweasel,
- you haven't told us if the profile for Firefox / Iceweasel was obtained from running Grsecurity learning mode or not,
- you're not posting any logged errors or strace output of running Firefox / Iceweasel (may require debug mode of sorts).

*BTW you probably didn't mean to say "GRE" but "Grsecurity", right?
**Note its ages since I ran Grsecurity so anyone with more recent practical experience feel free to chip in.
 
Old 04-27-2014, 05:28 PM   #3
ls_milkyway
LQ Newbie
 
Registered: Aug 2013
Distribution: BT5R2
Posts: 28

Original Poster
Rep: Reputation: Disabled
1) There was no Experimental entries in Grsecurity/Pax , I simply selected default>desktop>security
(most of the experimental entries were in drivers section) had no dependencies with Grsecurity/Pax.

2) how do i log errors or strace output of running Firefox / Iceweasel
(that may require debug mode of sorts).

3) i think profiles are needed in selinux or apparmor but grsecurity/pax profiles?? How do i implement them (if any)

4) I have downloaded firefox.tar.bz2 and unzipped to run it (in both root and default user) but its not responding there is no error message or response from even when executed from terminal.
 
Old 04-28-2014, 02:16 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,393
Blog Entries: 55

Rep: Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565
Most of these are questions fundamental to using PaX / Grsecurity so you should IMHO start with http://en.wikibooks.org/wiki/Grsecurity .
 
Old 04-28-2014, 02:45 PM   #5
ls_milkyway
LQ Newbie
 
Registered: Aug 2013
Distribution: BT5R2
Posts: 28

Original Poster
Rep: Reputation: Disabled
I searched online & found it may be related to mprotect.

Here are grsecurity & pax settings of the compiled kernel.

Memory Protections --->
[*] Deny reading/writing to /dev/kmem, /dev/mem, and /dev/port

[ ] Restrict VM86 mode [ ] Disable privileged I/O[*] Disable unprivileged PERF_EVENTS usage by default [*] Insert random gaps between thread stacks [*] Harden ASLR against information leaks and entropy reduction
[*] Deter exploit bruteforcing[*] Harden module auto-loading[*] Hide kernel symbols[*] Randomize layout of sensitive kernel structures
[ ] Use cacheline-aware structure randomization [*] Active kernel exploit response


Role Based Access Control Options --->


[ ] Disable RBAC system [ ] Hide kernel processes (3) Maximum tries before password lockout
(30) Time to wait after max password tries, in seconds
Filesystem Protections --->
[*] Proc restrictions [ ] Restrict /proc to user only[*] Allow special group
(1001) GID for special group [*] Additional restrictions [*] Linking restrictions [ ] Kernel-enforced SymlinksIfOwnerMatch [*] FIFO restrictions [ ] Sysfs/debugfs restriction [ ] Runtime read-only mount protection [*] Eliminate stat/notify-based device sidechannels [*] Chroot jail restrictions[*] Deny mounts[*] Deny double-chroots[*] Deny pivot_root in chroot[*] Enforce chdir("/") on all chroots
[*] Deny (f)chmod +s[*] Deny fchdir out of chroot[*] Deny mknod[*] Deny shmat() out of chroot
[*] Deny access to abstract AF_UNIX sockets out of chroot [*] Protect outside processes[*] Restrict priority changes[*] Deny sysctl writes[*] Capability restrictions[*] Exempt initrd tasks from restrictions


Kernel Auditing --->



[ ] Single group for auditing

Single group for auditing [ ] Exec logging[*] Resource logging [ ] Log execs within chroot [ ] Ptrace logging [ ] Chdir logging [ ] (Un)Mount logging[*] Signal logging [ ] Fork failure logging[*] Time change logging[*] /proc/<pid>/ipaddr support[*] Denied RWX mmap/mprotect logging


Executable Protections --->
[*] Dmesg(8) restriction[*] Deter ptrace-based process snooping [*] Require read access to ptrace sensitive binaries [*] Enforce consistent multithreaded privileges [*] Disallow access to overly-permissive IPC objects
[ ] Trusted Path Execution (TPE)


Network Protections --->

[*] Larger entropy pools[*] TCP/UDP blackhole and LAST_ACK DoS prevention [*] Disable TCP Simultaneous Connect
[ ] Socket restrictions
Physical Protections --->

[*] Deny new USB connections after toggle
[ ] Reject all USB devices not connected at boot
Sysctl Support --->

[*] Sysctl support[*] Turn on features by default
Logging Options --->

(10) Seconds in between log messages (minimum)
(6) Number of messages in a burst (maximum)
PaX --->


PaX Control --->


[ ] Support soft mode [*] Use legacy ELF header marking [*] Use ELF program header marking [*] Use filesystem extended attributes marking
MAC system integration (direct) --->

Non-executable pages --->
[*] Enforce non-executable pages [*] Paging based non-executable pages [*] Segmentation based non-executable pages [*] Emulate trampolines[*] Restrict mprotect()[*] Use legacy/compat protection demoting (read help)

[ ] Allow ELF text relocations (read help) [*] Enforce non-executable kernel pages

(12) Minimum amount of memory reserved for module code


Address Space Layout Randomization --->

[*] Address Space Layout Randomization [*] Randomize kernel stack base [*] Randomize user stack base[*] Randomize mmap() base
Miscellaneous hardening features --->

[*] Sanitize all freed memory[*] Sanitize kernel stack[*] Forcibly initialize local variables copied to userland
[*] Prevent invalid userland pointer dereference [*] Prevent various kernel object reference counter overflows
[*] Harden heap object copies between kernel and userland [*] Automatically constify eligible structures [*] Prevent various integer overflows in function size parameters
[*] Generate some entropy during boot and runtime Can anyone PLEASE deduce the problem related to above settings (if any) or I need to read the full guide??
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
System dumps to loginscreen when opening iceweasel after power outage Rogshoggy Linux - Software 3 05-15-2013 03:32 AM
[SOLVED] Iceweasel: when opening files want to see in alphabetical order JosephS Linux - Software 4 01-19-2012 12:38 AM
The open with dialog in iceweasel is not opening iceweasel! ck_at_work Linux - General 6 11-09-2010 02:49 AM
Kmail opening Iceweasel in foreground - Lenny Zelator Debian 3 12-12-2008 11:28 PM
Somebody to know where I can found patched traceroute for GRE? DataMan Linux - General 1 07-06-2004 01:59 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 08:49 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration