[qubes-users] Re: debian 8 grsec vs thunderbird
On 2017-05-31 1:04 PM, haaber wrote: >> and if grsec is killing processes you actually want to run, you can look >> at the logs, see what protection is being triggered, and can use >> paxctl/paxctld to disable it just for that executable or library. > > I tried, but I dd not learn anything useful. Here, for example, is a > sniplet of my syslog (sorry for broken long lines) > > May 21 22:21:15 localhost kernel: [ 717.509203] PAX: execution attempt >in: , 715894beb000-715894e5b000 715894beb000 > May 21 22:21:15 localhost kernel: [ 717.509216] PAX: terminating task: >/usr/lib/jvm/java-7-openjdk-amd64/jre/bin/java(java):5500, uid/euid: >0/0, PC: 715894beb060, SP: 71589f156488 > May 21 22:21:15 localhost kernel: [ 717.509222] PAX: bytes at PC: >85 f6 0f 84 11 00 00 00 0f ae f0 0f ae 3f 48 83 c7 40 ff ce > May 21 22:21:15 localhost kernel: [ 717.509239] PAX: bytes at SP-8: >71589f1564c0 71589daf685b 71589f156530 71589f156530 >71589f1564c0 71589de1a558 71589f156a40 71589f156a40 >71589f156a20 71589dee2f37 71589f156b40 > > how do you read off the protection that was being triggered in this ?? > Bernhard > Usually dmesg gives some hints, but most of the time it's the memory protection, so that's a good first thing to try. You can also google the executable and grsecurity and see what comes up since you're probably not the only one to encounter the issue. In this case, Java is well known to be incompatible with the full set of PAX protections. You could try disabling just the memory protections to see if that helps: sudo paxctl -cm /usr/lib/jvm/java-7-openjdk-amd64/jre/bin/java and/or if it doesn't, then disable a bunch more: sudo paxctl -cpemrxs /usr/lib/jvm/java-7-openjdk-amd64/jre/bin/java Java, WINE, and other things that emulate other things usually don't play nice with grsecurity and so you'll need to figure out which binaries or libraries grsec/pax is killing and modify their protection permissions to get them to run. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/ogn4pf%24tle%241%40blaine.gmane.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: debian 8 grsec vs thunderbird
> and if grsec is killing processes you actually want to run, you can look > at the logs, see what protection is being triggered, and can use > paxctl/paxctld to disable it just for that executable or library. I tried, but I dd not learn anything useful. Here, for example, is a sniplet of my syslog (sorry for broken long lines) May 21 22:21:15 localhost kernel: [ 717.509203] PAX: execution attempt in: , 715894beb000-715894e5b000 715894beb000 May 21 22:21:15 localhost kernel: [ 717.509216] PAX: terminating task: /usr/lib/jvm/java-7-openjdk-amd64/jre/bin/java(java):5500, uid/euid: 0/0, PC: 715894beb060, SP: 71589f156488 May 21 22:21:15 localhost kernel: [ 717.509222] PAX: bytes at PC: 85 f6 0f 84 11 00 00 00 0f ae f0 0f ae 3f 48 83 c7 40 ff ce May 21 22:21:15 localhost kernel: [ 717.509239] PAX: bytes at SP-8: 71589f1564c0 71589daf685b 71589f156530 71589f156530 71589f1564c0 71589de1a558 71589f156a40 71589f156a40 71589f156a20 71589dee2f37 71589f156b40 how do you read off the protection that was being triggered in this ?? Bernhard -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/5cc7766e-d3fb-d1c7-774f-e03a6a735261%40web.de. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: debian 8 grsec vs thunderbird
On 2017-05-31 12:34 PM, haaber wrote: > Thank you very much Reg! That solves miraculously the problem. I was > playing with -E instead and it did not help me. At least I learned some > minimal experience with paxctl that way :)) Bernhard Lower case letters disable the specific protection and upper case letters enable them. So the 'm' disabled memory protections, and the 'E' would have enabled the emulation of trampolines. You can learn what all the options are by looking at paxctl's man page: man paxctl and if grsec is killing processes you actually want to run, you can look at the logs, see what protection is being triggered, and can use paxctl/paxctld to disable it just for that executable or library. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/ogn3j8%24c0j%241%40blaine.gmane.org. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: debian 8 grsec vs thunderbird
Thank you very much Reg! That solves miraculously the problem. I was playing with -E instead and it did not help me. At least I learned some minimal experience with paxctl that way :)) Bernhard On 05/31/2017 06:20 PM, Reg Tiangha wrote: > On 05/31/2017 04:59 AM, haaber wrote: >> Some update : the same happens with 4.9.20.grsec. The reason seems >> visible in ulimit -a: >> >> core file size (blocks, -c) 0 >> >> whereas thunderbird requests 4096 (whatsoever unit). Remains to >> understand /etc/security/limits.conf >> >> Bernhard > > systemd actually ignores /etc/security/limits.conf, although anything > launched by a gnome-terminal (and maybe some other things as well) does > respect that file. > > systemd looks at /etc/systemd/user.conf and /etc/systemd/system.conf > instead so if you're changing variables in limits.conf, you could try > setting them there as well. > > Or you can disable the memory protections on Thunderbird; that's what > coldkernel actually did by default if you used their paxctld > configuration, but it only had a listing for Icedove and not for > Thunderbird. > > You could add a listing under /etc/paxctld.conf for Thunderbird: > > /usr/lib/thunderbird/thunderbirdm > > and/or manually convert the executable with paxctl if you have it installed: > > sudo paxctl -cm /usr/lib/thunderbird/thunderbird > > -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/716391a8-0379-5671-781f-999395456e19%40web.de. For more options, visit https://groups.google.com/d/optout.
[qubes-users] Re: debian 8 grsec vs thunderbird
On 05/31/2017 04:59 AM, haaber wrote: > Some update : the same happens with 4.9.20.grsec. The reason seems > visible in ulimit -a: > > core file size (blocks, -c) 0 > > whereas thunderbird requests 4096 (whatsoever unit). Remains to > understand /etc/security/limits.conf > > Bernhard systemd actually ignores /etc/security/limits.conf, although anything launched by a gnome-terminal (and maybe some other things as well) does respect that file. systemd looks at /etc/systemd/user.conf and /etc/systemd/system.conf instead so if you're changing variables in limits.conf, you could try setting them there as well. Or you can disable the memory protections on Thunderbird; that's what coldkernel actually did by default if you used their paxctld configuration, but it only had a listing for Icedove and not for Thunderbird. You could add a listing under /etc/paxctld.conf for Thunderbird: /usr/lib/thunderbird/thunderbirdm and/or manually convert the executable with paxctl if you have it installed: sudo paxctl -cm /usr/lib/thunderbird/thunderbird -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/ogmqg5%247ro%241%40blaine.gmane.org. For more options, visit https://groups.google.com/d/optout.