* [gentoo-hardened] The last browser (opera) to work with grsec by default may be succombing (ptrace).
@ 2011-12-09 13:17 Kevin Chadwick
2011-12-09 13:41 ` "Tóth Attila"
2011-12-12 0:05 ` Alex Efros
0 siblings, 2 replies; 8+ messages in thread
From: Kevin Chadwick @ 2011-12-09 13:17 UTC (permalink / raw
To: gentoo-hardened
Has anyone tried Opera 11.60 with a grsecurity patched kernel.
11.52 worked fine but 11.60 is segfaulting with "denied ptrace
of /usr/lib/opera/opera"
The flash plugin seems to load on startup rather than on demand
requiring a pluginpath.ini, if you have say a sandboxed flash enabled
firefox browser.
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [gentoo-hardened] The last browser (opera) to work with grsec by default may be succombing (ptrace).
2011-12-09 13:17 [gentoo-hardened] The last browser (opera) to work with grsec by default may be succombing (ptrace) Kevin Chadwick
@ 2011-12-09 13:41 ` "Tóth Attila"
2011-12-09 20:26 ` Anthony G. Basile
2011-12-12 0:05 ` Alex Efros
1 sibling, 1 reply; 8+ messages in thread
From: "Tóth Attila" @ 2011-12-09 13:41 UTC (permalink / raw
To: gentoo-hardened
Cannot start Firefox as well. Libreoffice either.
--
dr Tóth Attila, Radiológus, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057
2011.December 9.(P) 14:17 időpontban Kevin Chadwick ezt írta:
> Has anyone tried Opera 11.60 with a grsecurity patched kernel.
>
> 11.52 worked fine but 11.60 is segfaulting with "denied ptrace
> of /usr/lib/opera/opera"
>
> The flash plugin seems to load on startup rather than on demand
> requiring a pluginpath.ini, if you have say a sandboxed flash enabled
> firefox browser.
>
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [gentoo-hardened] The last browser (opera) to work with grsec by default may be succombing (ptrace).
2011-12-09 13:41 ` "Tóth Attila"
@ 2011-12-09 20:26 ` Anthony G. Basile
0 siblings, 0 replies; 8+ messages in thread
From: Anthony G. Basile @ 2011-12-09 20:26 UTC (permalink / raw
To: gentoo-hardened
On 12/09/2011 08:41 AM, "Tóth Attila" wrote:
> Cannot start Firefox as well. Libreoffice either.
> -- dr Tóth Attila, Radiológus, 06-20-825-8057 Attila Toth MD,
> Radiologist, +36-20-825-8057 2011.December 9.(P) 14:17 időpontban Kevin
> Chadwick ezt írta:
>> > Has anyone tried Opera 11.60 with a grsecurity patched kernel.
>> >
>> > 11.52 worked fine but 11.60 is segfaulting with "denied ptrace
>> > of /usr/lib/opera/opera"
>> >
>> > The flash plugin seems to load on startup rather than on demand
>> > requiring a pluginpath.ini, if you have say a sandboxed flash enabled
>> > firefox browser.
>> >
>
We need bug reports on these because I am not experiencing any problems
with the latest hardened-kernels and firefox/libreoffice. I haven't
tried opera but will now. The reason for bug report is that it may take
a while to narrow it down as we back and forth.
--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [gentoo-hardened] The last browser (opera) to work with grsec by default may be succombing (ptrace).
2011-12-09 13:17 [gentoo-hardened] The last browser (opera) to work with grsec by default may be succombing (ptrace) Kevin Chadwick
2011-12-09 13:41 ` "Tóth Attila"
@ 2011-12-12 0:05 ` Alex Efros
2011-12-12 18:54 ` Kevin Chadwick
1 sibling, 1 reply; 8+ messages in thread
From: Alex Efros @ 2011-12-12 0:05 UTC (permalink / raw
To: gentoo-hardened
Hi!
I've just updated to opera-11.60.1185 and firefox-bin-8.0.
Opera work just fine, but firefox fail to start (hangs using 100% CPU)
because paxmarking -m isn't enough. To fix firefox paxmarking -r needed too:
paxctl -r /opt/firefox/firefox
I'm using only GrSec+PaX, so there are may be also SELinux/RBAC related issues.
--
WBR, Alex.
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [gentoo-hardened] The last browser (opera) to work with grsec by default may be succombing (ptrace).
2011-12-12 0:05 ` Alex Efros
@ 2011-12-12 18:54 ` Kevin Chadwick
2011-12-12 19:52 ` Kevin Chadwick
2011-12-12 20:49 ` Alex Efros
0 siblings, 2 replies; 8+ messages in thread
From: Kevin Chadwick @ 2011-12-12 18:54 UTC (permalink / raw
To: gentoo-hardened
On Mon, 12 Dec 2011 02:05:04 +0200
Alex Efros <powerman@powerman.name> wrote:
> Hi!
>
> I've just updated to opera-11.60.1185 and firefox-bin-8.0.
> Opera work just fine,
Interesting and thanks, I have the same build but as I should have
stated earlier just a GrSec+Pax kernel on arch linux and 11.52 works
fine but 11.60 fails with ptrace denied by grsec. Do you have the
following line set to y in your kernel config?
"CONFIG_GRKERNSEC_HARDEN_PTRACE=y"
> but firefox fail to start (hangs using 100% CPU)
> because paxmarking -m isn't enough. To fix firefox paxmarking -r needed too:
> paxctl -r /opt/firefox/firefox
>
> I'm using only GrSec+PaX, so there are may be also SELinux/RBAC related issues.
Yeah it's been like that for a while. I think gentoo-hardened
automatically sets those pax flags. See this link.
"http://hardenedgentoo.blogspot.com/2011/06/firefox-5-with-mprotect-onof-course.html"
--
Kc
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [gentoo-hardened] The last browser (opera) to work with grsec by default may be succombing (ptrace).
2011-12-12 18:54 ` Kevin Chadwick
@ 2011-12-12 19:52 ` Kevin Chadwick
2011-12-13 12:50 ` Kevin Chadwick
2011-12-12 20:49 ` Alex Efros
1 sibling, 1 reply; 8+ messages in thread
From: Kevin Chadwick @ 2011-12-12 19:52 UTC (permalink / raw
To: gentoo-hardened
On Mon, 12 Dec 2011 18:54:17 +0000
Kevin Chadwick wrote:
> Do you have the
> following line set to y in your kernel config?
>
> "CONFIG_GRKERNSEC_HARDEN_PTRACE=y"
No need to check that it was just the debugger trying to attach.
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [gentoo-hardened] The last browser (opera) to work with grsec by default may be succombing (ptrace).
2011-12-12 18:54 ` Kevin Chadwick
2011-12-12 19:52 ` Kevin Chadwick
@ 2011-12-12 20:49 ` Alex Efros
1 sibling, 0 replies; 8+ messages in thread
From: Alex Efros @ 2011-12-12 20:49 UTC (permalink / raw
To: gentoo-hardened
Hi!
On Mon, Dec 12, 2011 at 06:54:17PM +0000, Kevin Chadwick wrote:
> "CONFIG_GRKERNSEC_HARDEN_PTRACE=y"
No, I don't have this one.
> Yeah it's been like that for a while. I think gentoo-hardened
> automatically sets those pax flags. See this link.
Firefox's ebuild set only -m flag, which isn't enough.
--
WBR, Alex.
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [gentoo-hardened] The last browser (opera) to work with grsec by default may be succombing (ptrace).
2011-12-12 19:52 ` Kevin Chadwick
@ 2011-12-13 12:50 ` Kevin Chadwick
0 siblings, 0 replies; 8+ messages in thread
From: Kevin Chadwick @ 2011-12-13 12:50 UTC (permalink / raw
To: gentoo-hardened
On Mon, 12 Dec 2011 19:52:36 +0000
Kevin Chadwick wrote:
> >
> > "CONFIG_GRKERNSEC_HARDEN_PTRACE=y"
>
> No need to check that it was just the debugger trying to attach.
"http://my.opera.com/ruario/blog/2011/12/09/crash-on-startup-color-inversion-11-60"
A bug in Opera from adding gpu acceleration was the problem, I have X
running as a normal user with just the cap_dac_read_search capability
and my framebuffer line for my test laptop was slightly wrong and I
guess defaulting to 16bit.
Sorry for any time wasted.
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2011-12-13 12:51 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2011-12-09 13:17 [gentoo-hardened] The last browser (opera) to work with grsec by default may be succombing (ptrace) Kevin Chadwick
2011-12-09 13:41 ` "Tóth Attila"
2011-12-09 20:26 ` Anthony G. Basile
2011-12-12 0:05 ` Alex Efros
2011-12-12 18:54 ` Kevin Chadwick
2011-12-12 19:52 ` Kevin Chadwick
2011-12-13 12:50 ` Kevin Chadwick
2011-12-12 20:49 ` Alex Efros
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox