Bug#849864: Bug#883170: Bug#849864: paxrat: Please run paxrat during (early) boot

2017-12-13 Thread Santiago R.R.
On 13/12/17 at 06:43, intrigeri wrote:
> Santiago R.R.:
> > On Mon, 16 Jan 2017 17:50:15 +0100 intrigeri  wrote:
> >> santiag...@riseup.net:
> >> > I am not an expert at writing systemd units, and I am unable to play with
> >> > this soon. So it would be great if you could propose a patch :-)
> >> 
> >> Sure. I might do it once I start using paxrat on systems without
> >> live-config (but paxrat is less needed on those systems, so perhaps
> >> I'll go with one of the other options instead).
> 
> > Something like the attached would do the trick?
> 
> Sorry, my interest in paxrat went down to zero since the grsec
> patchset is not available as freely as it used to.

I understand. Mine was (somehow) renewed after corsac recently uploaded
minipli's grsec. We'll see how this evolves.

Cheers,

 -- Santiago



Bug#849864: Bug#883170: Bug#849864: paxrat: Please run paxrat during (early) boot

2017-12-12 Thread intrigeri
Santiago R.R.:
> On Mon, 16 Jan 2017 17:50:15 +0100 intrigeri  wrote:
>> santiag...@riseup.net:
>> > I am not an expert at writing systemd units, and I am unable to play with
>> > this soon. So it would be great if you could propose a patch :-)
>> 
>> Sure. I might do it once I start using paxrat on systems without
>> live-config (but paxrat is less needed on those systems, so perhaps
>> I'll go with one of the other options instead).

> Something like the attached would do the trick?

Sorry, my interest in paxrat went down to zero since the grsec
patchset is not available as freely as it used to.

Cheers,
-- 
intrigeri



Bug#849864: paxrat: Please run paxrat during (early) boot

2017-12-12 Thread Santiago R.R.
On Mon, 16 Jan 2017 17:50:15 +0100 intrigeri  wrote:
> santiag...@riseup.net:
> > I am not an expert at writing systemd units, and I am unable to play with
> > this soon. So it would be great if you could propose a patch :-)
> 
> Sure. I might do it once I start using paxrat on systems without
> live-config (but paxrat is less needed on those systems, so perhaps
> I'll go with one of the other options instead).

Hi,

Something like the attached would do the trick? It should run paxrat in
watcher mode at early boot.

It works on my machine, although paxrat seems to run twice:
…
 paxrat[570]: 2017/12/12 13:56:13 Setting 'E' PaX flags via xattr on /usr/sbin/grub-bios-setup
 paxrat[570]: 2017/12/12 13:56:13 Starting paxrat watcher
 paxrat[570]: 2017/12/12 13:56:13 Setting 'E' PaX flags via xattr on /usr/sbin/grub-bios-setup
 paxrat[570]: 2017/12/12 13:56:13 Starting paxrat watcher
…

I wonder if this could also be useful to solve #883170. paxrat in watcher mode
should set the flags once /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java
has been installed. Emmanuel, could you give it a try?


Cheers,

 -- Santiago

[Unit]
Description=Paxrat watcher mode
After=local-fs.target
DefaultDependencies=no
AssertPathExists=/sbin/paxrat
Documentation=man:paxrat(8)

[Service]
Type=simple
ExecStart=/sbin/paxrat -w
RemainAfterExit=yes

[Install]
WantedBy=sysinit.target
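As an added example (not paxrat's own code and not something attached to this bug), the check a practitioner would want after the first reboot into a PaX kernel: did the watcher actually mark the binaries? The script below reads a paxrat-style JSON config (the path -> {"flags": ...} layout is assumed here, not copied from /etc/paxrat/paxrat.conf) and compares the expected flags with the `user.pax.flags` extended attribute on each file. The sample config and the in-memory xattr store used by `fake_getxattr` are constructed so it runs offline; on a real system it falls back to `os.getxattr`.

```python
#!/usr/bin/env python3
"""Audit PaX xattr markings against a paxrat-style config (added example)."""
import errno
import json
import os

PAX_XATTR = "user.pax.flags"  # attribute read by the PaX xattr marking mode
_DEFAULT_GETXATTR = getattr(os, "getxattr", None)  # Linux only

# Constructed sample in the shape of a paxrat config: path -> {"flags": ...}.
# The exact key layout of the real paxrat.conf is an assumption here.
SAMPLE_CONF = json.dumps({
    "/usr/sbin/grub-bios-setup": {"flags": "E"},
    "/usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java": {"flags": "m"},
})


def load_conf(text):
    """Return {path: expected flag string} from a paxrat-style JSON document."""
    return {path: entry["flags"] for path, entry in json.loads(text).items()}


def read_flags(path, getxattr=None):
    """Return the PaX flag string on `path`, "" if the file exists but carries
    no marking, or None if the file is absent.  `getxattr` is injectable so the
    logic can be exercised without touching the filesystem."""
    getxattr = getxattr or _DEFAULT_GETXATTR
    if getxattr is None:
        raise RuntimeError("extended attributes are not available on this OS")
    try:
        return getxattr(path, PAX_XATTR).decode("ascii", "replace")
    except FileNotFoundError:
        return None
    except OSError as exc:
        if exc.errno == errno.ENODATA:   # file present, attribute never set
            return ""
        raise                            # e.g. ENOTSUP: fs without xattr support


def audit(conf, getxattr=None):
    """Map each configured path to 'ok', 'unmarked', 'missing-file' or
    'mismatch:<flags found>'.  Flag order is not significant ('pm' == 'mp')."""
    report = {}
    for path, want in conf.items():
        got = read_flags(path, getxattr)
        if got is None:
            report[path] = "missing-file"
        elif got == "":
            report[path] = "unmarked"
        elif set(got) == set(want):
            report[path] = "ok"
        else:
            report[path] = "mismatch:" + got
    return report


def fake_getxattr(marks):
    """Build a getxattr stand-in over a constructed {path: flags-or-None} map;
    a missing key means the file does not exist, None means no attribute."""
    def _get(path, name):
        if path not in marks:
            raise FileNotFoundError(errno.ENOENT, "no such file", path)
        if marks[path] is None:
            raise OSError(errno.ENODATA, "no data available")
        return marks[path].encode("ascii")
    return _get


if __name__ == "__main__":
    conf_path = "/etc/paxrat/paxrat.conf"
    if os.path.exists(conf_path):
        with open(conf_path) as fh:
            conf = load_conf(fh.read())
    else:
        conf = load_conf(SAMPLE_CONF)   # offline demonstration
    for path, status in sorted(audit(conf).items()):
        print(f"{status:14} {path}")
```

Run it from a unit ordered after the watcher (or by hand after boot) and grep for anything other than `ok`; an `unmarked` entry for a binary that exists means the watcher ran but did not apply the flag, which is exactly the first-boot symptom this bug is about.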


Bug#849864: paxrat: Please run paxrat during (early) boot

2017-01-16 Thread intrigeri
santiag...@riseup.net:
> I am not an expert at writing systemd units, and I am unable to play with
> this soon. So it would be great if you could propose a patch :-)

Sure. I might do it once I start using paxrat on systems without
live-config (but paxrat is less needed on those systems, so perhaps
I'll go with one of the other options instead).

> Maybe paxrat should also take this into account for systems relying on
> sysvinit.

Well, dropping support for sysvinit is generally no good (that's
rightfully frowned upon at least for Jessie and Stretch), but it doesn't
mean that we have to invest time into *adding new features* to sysvinit
systems for Buster. sysvinit users can anyway contribute patches :)
Also, in passing, the fact PaX is Linux-only removes one of the main
motivations in favour of supporting sysvinit.

Cheers!



Bug#849864: paxrat: Please run paxrat during (early) boot

2017-01-16 Thread santiagorr
Hi!

On 01/01/17 at 18:48, intrig...@debian.org wrote:
…
> 
> It's great that there's APT integration to take care of the package
> installation and upgrade issue, but how about the first time one
> reboots into their PaX-enabled kernel? Likely they won't have run
> paxrat manually yet, so the first boot may be problematic (e.g.
> GDM won't start). This would be a non-issue if paxrat was run during
> (early) boot.
> 
> Subgraph OS does that using a live-config hook, which is of course not
> applicable in the general case. So I suggest adding a systemd unit
> file, or whatever appropriate solution the maintainers prefer.

I am not an expert at writing systemd units, and I am unable to play with
this soon. So it would be great if you could propose a patch :-)

Maybe paxrat should also take this into account for systems relying on
sysvinit.

Cheers,

  -- Santiago



Bug#849864: paxrat: Please run paxrat during (early) boot

2017-01-01 Thread intrigeri
Package: paxrat
Severity: wishlist
Version: 1.0-2
User: tails-...@boum.org
Usertags: hardening

Hi,

It's great that there's APT integration to take care of the package
installation and upgrade issue, but how about the first time one
reboots into their PaX-enabled kernel? Likely they won't have run
paxrat manually yet, so the first boot may be problematic (e.g.
GDM won't start). This would be a non-issue if paxrat was run during
(early) boot.

Subgraph OS does that using a live-config hook, which is of course not
applicable in the general case. So I suggest adding a systemd unit
file, or whatever appropriate solution the maintainers prefer.

Cheers,
-- 
intrigeri