Closed tdwyer closed 10 years ago
I would like to prevent deactivating MPROTECT for libreoffice if it is only necessary for an extension. Maybe it could better be locally configured.
Also seahorse does not leave any indication in the logs on my machine.
I agree.
Just because some program wants to do something silly does not mean I should allow it to.
I think some of the reason I am seeing errors for programs that didn't have them before is due to me not allowing my user into the TPE-Trusted group. I'm going to wipe/reinstall both programs and track down exactly where their problem is.
Well, it does not seem to be any of the add-ons. I'm still tracking it down.
ftp://ftp.myrelay.net/tmp/soffice.bin.fail
Here is the stack trace. It seems LibreOffice devs think making memory Readable, Writable, and Executable is the correct thing to do.
Ya, like really? In what world does that sound like a good idea....? It also tries to run a boatload of code from dot files in my home dir and 1777 /tmp dir. That is even worse really, but I block that. Enabling pam_namespaces for tmp is a good idea too.
I say not this one. I'm going to try a few more things, but if it still is doing this, I'm not going to let it. I'm uninstalling LibreOffice. Frankly, any like real work I do, i.e. paid work or school, I use MS office in a VM. So like, I'll just use AbiWord on Linux. AbiWord is coded properly, well. . . probably all code is junk from someone's point of view. However, it does not break any of my security policies.
Strange, if I freshly install LibreOffice (so that /usr/lib/libreoffice/program/soffice.bin has to PT_PAX_FLAGS header), it starts without any problems.
When I then convert the header, RANDEXEC and EMUTRAMP are disabled and LibreOffice does not start because of the denied RWX mmap.
After enabling everything but MPROTECT, it starts again. Did you experience the problems also with a fresh installation of libreoffice-common?
Ya, you know what. I'm trying to work through this from the reverse direction. I'm just installing one package at a time until it boots. Oddly, it will allow you to install libreoffice-writer without needed dependencies....
In any case, I think the code that does the RWX is like crash handling code. Like if LibreOffice is started and it does not have required resources. That code runs and makes things good enough.
Like, each time I install a new dependency (I'm going over strace -o output files) the code gets farther along. Then hits another point where it needs something and that evil code runs to try and fix it but ends up crashing it.
---> So if you look at that original stack trace I have on my ftp. You will see that it is trying like crazy to load Cairo Fonts, which I do not have installed. On my last install I did use Cairo Fonts, the ubuntu-cario. Now I'm using infinality-ultimate (infinality-bundle) from the repo suggested in the Arch wiki ... well I do have cairo-infinality-ultimate installed? ... But I bet that if I installed those fonts soffice.bin would have everything it wants and so would not run that code and would not need MPROTECT disabled.
As for programs having built in PaX flags. Ya, from what I recall from my reading. The default Linux kernel has many of the PaX capabilities by default. They just suck, i.e. poorly implemented and don't really provide any security.
You can see these flags at the bottom of /proc/${PID}/status
Like I think it already has PEMRS. Upstream PaX has PEMRS + X. Upstream also has better implementations.
Like I remember reading on the hardened Gentoo docs that you should never have to disable PES because you would then be running a kernel less secure than default.
... I may be wrong about the exact options it has. I am like 80% sure default Linux does not have M or R. I bet those are just planned to be moved in so they have flags already.
In any case, we are not running PaX in Soft Mode. So all flags should be enforced on, regardless of whatever the program wants, unless we personally go in and set pax flags to disable something.
I sure hope I am correct about that last part....
Ya, PeMRs is what ALL programs have as the PaX value unless you configure paxflags yourself.
/proc>>> ls |grep 1 |while read -r PID
do
    echo -n "${PID} ---> "
    grep PaX "${PID}"/status
done
1 ---> PaX: PeMRs
.....
15466 ---> PaX: PeMRs
15471 ---> PaX: PeMRs
15473 ---> PaX: PeMRs
....
6165 ---> PaX: PEmrs
zsh: exit 1
6165 is a program that had its flags set.
I overlooked a bit: you wrote that your user is not in the group tpe-trusted. I tested it here and LibreOffice also refuses to start:
The application can not be started.
Extension Manager: exception in synchronize
In the journal, there are the following lines:
grsec: denied untrusted exec (due to not being in trusted group and file in non-root-owned directory) of /home/henning/.execoooyiXWrf by /usr/lib/libreoffice/program/soffice.bin[soffice.bin:2561]
grsec: denied untrusted exec (due to not being in trusted group and file in world-writable directory) of /tmp/.execooouzDaC0 by /usr/lib/libreoffice/program/soffice.bin[soffice.bin:2561] uid/euid
Maybe they would understand, it's a bug..? ;-)
If TPE is activated, LibreOffice tries to RWX mmap, which also fails; so either TPE has to be deactivated or MPROTECT for soffice.bin. I will test whether it is a similar case with seahorse.
Yes, same case (despite the fact that seahorse does not crash without MPROTECT deactivated). With strace, I could not determine quickly why seahorse tries RWX mmap.
Let's merge the pull request. Only problem would be that soffice.bin oddly can not have a PSmXER PaX header if TPE is disabled. Then, something like the following in /etc/pax-flags/skip.conf would be necessary:
PSmXER:
  - /usr/lib/libreoffice/program/soffice.bin:
      skip: true
The discussion on the created bug report [0] is rather interesting, because the current behaviour of LibreOffice is a circumvention of SELinux prevention of RWX mmap [1]. grsecurity does not allow this with TPE activated.
[0] https://bugs.freedesktop.org/show_bug.cgi?id=72755
[1] https://issues.apache.org/ooo/show_bug.cgi?id=97320
I got sick of all the problems with KDE on hardened Linux. I've reinstalled Arch (to keep clean) and moved to xfce4. So, I've discovered a couple new programs that need flags.
Seahorse gives the RWX errors but does not crash. I do think it was preventing it from opening some keyring folders.
LibreOffice /soffice.bin needs MPROTECT off on my new install. I think it is really caused by a plugin I installed. I never had a problem before.
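
The /proc status check from the thread, extended into a small audit; this is an added example, not part of the original discussion. It lists processes whose PaX flags are weaker than the PeMRs default mentioned above. The function names and the reading of each flag letter (upper case = on, lower case = off) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread.
# Reads the "PaX:" line of <proc>/<pid>/status on a grsecurity/PaX kernel.
# Assumed flag meaning: upper case = feature on, lower case = feature off.

# Print the relaxations in a flag string, relative to the PeMRs default.
pax_relaxed() {
    flags=$1
    out=
    [ -n "$flags" ] || return 1
    # No non-executable page enforcement if neither PAGEEXEC nor SEGMEXEC is on.
    case $flags in *P*|*S*) ;; *) out=NOEXEC ;; esac
    # Trampoline emulation enabled (a relaxation, off by default).
    case $flags in *E*) out="${out:+$out,}EMUTRAMP" ;; esac
    # MPROTECT off: RWX mappings such as the soffice.bin mmap are allowed.
    case $flags in *m*) out="${out:+$out,}MPROTECT" ;; esac
    # RANDMMAP off: mmap base is not randomized.
    case $flags in *r*) out="${out:+$out,}RANDMMAP" ;; esac
    printf '%s\n' "$out"
}

# Walk a proc tree (default /proc) and print one line per process that
# deviates from the default: "<pid> <name> <flags> <relaxations>".
pax_scan() {
    root=${1:-/proc}
    for st in "$root"/[0-9]*/status; do
        [ -r "$st" ] || continue
        # Processes may exit while we scan; skip unreadable entries.
        flags=$(sed -n 's/^PaX:[[:space:]]*//p' "$st" 2>/dev/null) || continue
        [ -n "$flags" ] || continue          # kernel without PaX
        relaxed=$(pax_relaxed "$flags") || continue
        [ -n "$relaxed" ] || continue        # default flags, nothing to report
        pid=${st%/status}
        pid=${pid##*/}
        name=$(sed -n 's/^Name:[[:space:]]*//p' "$st" 2>/dev/null) || name='?'
        printf '%s %s %s %s\n' "$pid" "$name" "$flags" "$relaxed"
    done
}
```

Calling `pax_scan` with no argument audits the live /proc; passing a directory lets it run against a copied or constructed tree.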