Mailing List Archive

systemd transition stalled
It turns out systemd is not compatible with CONFIG_GRKERNSEC_PROC. It has
been reported as freedesktop bug #65575. Of course if there would be a
specific group under which systemd performs its proc related activities,
that could be configured as the exception GID, but I can hardly imagine
that it is the case. Gentoo systemd wiki doesn't mention this point,
otherwise important for hardened users. Systemd dev stands his ground and
puts the period: nothing can be expected until grsecurity hits mainline.
That will obviously not happen. I understand the dev having no intentions
to support out-of-mainline features. Altering proc access significantly.

Any of you have a workaround for systemd with grsec without completely
losing proc restrictions?

I'm trying real hard to be a shepherd. But this time I feel the urge -
again - to purge the remnants of the once so shiny GNOME from my systems.

Any thoughts on this? Or rather a grsec proc config workaround?

Thx:
Dw.
--
dr Tóth Attila, Radiológus, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057
Re: systemd transition stalled
On Dec 17, 2013 12:56 AM, Tóth Attila <atoth@atoth.sote.hu> wrote:
>
> It turns out systemd is not compatible with CONFIG_GRKERNSEC_PROC. It has
> been reported as freedesktop bug #65575. Of course if there would be a
> specific group under which systemd performs its proc related activities,
> that could be configured as the exception GID, but I can hardly imagine
> that it is the case.

I thought one of the principles of systemd is that it keeps running
(daemonized) and you communicate with it over sockets. Are you sure systemd
doesn't run with a fixed GID? Probably even the root GID.

Wkr,
Sven
Re: systemd transition stalled
On Tue, 17 Dec 2013 00:55:54 +0100
"Tóth Attila" <atoth@atoth.sote.hu> wrote:

> It turns out systemd is not compatible with CONFIG_GRKERNSEC_PROC. It has
> been reported as freedesktop bug #65575. Of course if there would be a
> specific group under which systemd performs its proc related activities,
> that could be configured as the exception GID, but I can hardly imagine
> that it is the case. Gentoo systemd wiki doesn't mention this point,
> otherwise important for hardened users. Systemd dev stands his ground and
> puts the period: nothing can be expected until grsecurity hits mainline.
> That will obviously not happen. I understand the dev having no intentions
> to support out-of-mainline features. Altering proc access significantly.
>
> Any of you have a workaround for systemd with grsec without completely
> losing proc restrictions?

The workaround is simple:

$ getent group procr
procr:x:777:polkitd,...
$ grep CONFIG_GRKERNSEC_PROC_GID /boot/config-3.11.9-hardened
CONFIG_GRKERNSEC_PROC_GID=777

This issue was discussed in the following bug report:
https://bugs.gentoo.org/show_bug.cgi?id=472098
(short summary: polkit[systemd] links with libsystemd-login.so, which
needs access to "/proc/1")

>
> I'm trying real hard to be a shepherd. But this time I feel the urge -
> again - to purge the remnants of the once so shiny GNOME from my systems.
>
> Any thoughts on this? Or rather a grsec proc config workaround?
>
> Thx:
> Dw.

--
Alexander Tsoy
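A script that checks the workaround Alexander describes, added here as an example and not from the thread: it confirms that the GID compiled into CONFIG_GRKERNSEC_PROC_GID resolves to a group and that polkitd is a member of it. The kernel config and group file it reads are constructed inline (on a real host they would be /boot/config-$(uname -r) and /etc/group).

```shell
#!/bin/sh
# Added example, not from the thread: verify that the GID compiled into
# CONFIG_GRKERNSEC_PROC_GID resolves to a real group and that the user that
# needs /proc/1 (polkitd, per the Gentoo bug) is a member of that group.
# The sample kernel config and group file below are constructed inline;
# on a real host they would be /boot/config-$(uname -r) and /etc/group.

# Print the numeric PROC_GID from a kernel config file (nothing if unset).
proc_gid_from_config() {
    sed -n 's/^CONFIG_GRKERNSEC_PROC_GID=\([0-9][0-9]*\)$/\1/p' "$1"
}

# Print the name of the group with GID $2 from group(5) file $1.
group_name_for_gid() {
    awk -F: -v gid="$2" '$3 == gid { print $1; exit }' "$1"
}

# Succeed only if user $3 is listed as a supplementary member of GID $2 in $1.
user_in_gid() {
    awk -F: -v gid="$2" -v user="$3" '
        $3 == gid {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == user) found = 1
        }
        END { exit found ? 0 : 1 }' "$1"
}

# Combined check: 0 = ok, 1 = PROC_GID unset, 2 = no such group, 3 = not a member.
check_proc_gid() {
    cfg=$1; grp=$2; user=${3:-polkitd}
    gid=$(proc_gid_from_config "$cfg")
    [ -n "$gid" ] || { echo "CONFIG_GRKERNSEC_PROC_GID not set in $cfg"; return 1; }
    name=$(group_name_for_gid "$grp" "$gid")
    [ -n "$name" ] || { echo "no group with GID $gid in $grp"; return 2; }
    user_in_gid "$grp" "$gid" "$user" || { echo "$user is not in $name (GID $gid)"; return 3; }
    echo "ok: $user is in $name (GID $gid), matching PROC_GID"
}

# Constructed sample inputs mirroring the values quoted in the thread.
SAMPLE_CFG=$(mktemp)
SAMPLE_GRP=$(mktemp)
printf 'CONFIG_GRKERNSEC_PROC=y\nCONFIG_GRKERNSEC_PROC_GID=777\n' > "$SAMPLE_CFG"
printf 'root:x:0:\nprocr:x:777:polkitd,atoth\nwheel:x:10:atoth\n' > "$SAMPLE_GRP"

check_proc_gid "$SAMPLE_CFG" "$SAMPLE_GRP" polkitd
```

Any user of a daemon that links libsystemd-login.so and therefore needs /proc/1 can be passed as the third argument in place of polkitd.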
Re: systemd transition stalled
I'm not sure about how systemd behaves. If a proper GID can be configured,
it can provide a solution for the grsec PROC vs systemd issue...
--
dr Tóth Attila, Radiológus, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057

On 2013 December 17 (Tue) 08:29, Sven Vermeulen wrote:
> On Dec 17, 2013 12:56 AM, Tóth Attila <atoth@atoth.sote.hu> wrote:
>>
>> It turns out systemd is not compatible with CONFIG_GRKERNSEC_PROC. It
>> has
>> been reported as freedesktop bug #65575. Of course if there would be a
>> specific group under which systemd performs its proc related activities,
>> that could be configured as the exception GID, but I can hardly imagine
>> that it is the case.
>
> I thought one of the principles of systemd is that it keeps running
> (daemonized) and you communicate with it over sockets. Are you sure
> systemd
> doesn't run with a fixed GID? Probably even the root GID.
>
> Wkr,
> Sven
>
Re: systemd transition stalled
Dear Alexander,

Thanks for pointing to this bug!

I'll give another try to systemd.
A duplicate of bug 472098 also contains important information:
https://bugs.gentoo.org/show_bug.cgi?id=455938
According to this bug it's enough to add polkitd to the PROC_GID group.
Now I know what was my problem with gdm-3.6!
It's a pity I hadn't found this bug earlier.

Sorry for the noise. I'll retry systemd transition.

Thanks:
Dw.
--
dr Tóth Attila, Radiológus, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057

On 2013 December 17 (Tue) 10:23, Alexander Tsoy wrote:
> On Tue, 17 Dec 2013 00:55:54 +0100
> "Tóth Attila" <atoth@atoth.sote.hu> wrote:
>
>> It turns out systemd is not compatible with CONFIG_GRKERNSEC_PROC. It
>> has
>> been reported as freedesktop bug #65575. Of course if there would be a
>> specific group under which systemd performs its proc related activities,
>> that could be configured as the exception GID, but I can hardly imagine
>> that it is the case. Gentoo systemd wiki doesn't mention this point,
>> otherwise important for hardened users. Systemd dev stands his ground
>> and
>> puts the period: nothing can be expected until grsecurity hits mainline.
>> That will obviously not happen. I understand the dev having no
>> intentions
>> to support out-of-mainline features. Altering proc access significantly.
>>
>> Any of you have a workaround for systemd with grsec without completely
>> losing proc restrictions?
>
> The workaround is simple:
>
> $ getent group procr
> procr:x:777:polkitd,...
> $ grep CONFIG_GRKERNSEC_PROC_GID /boot/config-3.11.9-hardened
> CONFIG_GRKERNSEC_PROC_GID=777
>
> This issue was discussed in the following bug report:
> https://bugs.gentoo.org/show_bug.cgi?id=472098
> (short summary: polkit[systemd] links with libsystemd-login.so, which
> needs access to "/proc/1")
>
>>
>> I'm trying real hard to be a shepherd. But this time I feel the urge -
>> again - to purge the remnants of the once so shiny GNOME from my
>> systems.
>>
>> Any thoughts on this? Or rather a grsec proc config workaround?
>>
>> Thx:
>> Dw.
>
> --
> Alexander Tsoy
>
>