grsec vs. nvidia-kernel-common in xinit
Posted: Mon Dec 21, 2009 7:28 pm
Hi folks!
I'm currently trying to build a (paxctl/grsec) policy for the nvidia-kernel-common modules and my X server, which loads the needed modules. I'm using 2.6.31.9 with the "high" security pre-configuration on 64-bit.
- Boots up well, works fine.
- The system is an ION platform, so this damn proprietary Nvidia stuff is needed.
I'm well aware that this is not a grsec problem, but I just hope that somebody encountered similar problems and knows some helpful answers. It's not criticism or anything. Just a problem ;).
I runtime-compile the Nvidia kernel modules into the freshly compiled grsec kernel... and that works.
[code]
m-a a-i -i -t -f nvidia-kernel
[/code]
Afterwards I configure my Xserver:
[code]
Section "Module"
Load "dbe"
Load "extmod"
Load "type1"
Load "freetype"
Load "glx"
EndSection
[/code]
Finally a
[code]
% startx
[/code]
And the screen stays black. Time to read the logs - every Linux admin's dream come true:
[code]
Dec 22 00:01:49 fuzzbox kernel: [ 905.156572] grsec: denied resource overstep by requesting 21 for RLIMIT_NICE against limit 0 for /usr/bin/xinit[xinit:3310] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/startx[startx:3293] uid/euid:1000/1000 gid/egid:1000/1000
Dec 22 00:01:50 fuzzbox kernel: [ 905.834793] grsec: Segmentation fault occurred at 00007152891aade0 in /usr/bin/Xorg[Xorg:3311] uid/euid:1000/0 gid/egid:1000/0, parent /usr/bin/xinit[xinit:3310] uid/euid:1000/1000 gid/egid:1000/1000
[/code]
I paxctled xinit to -m, but I don't know... Just my general method that worked for VMware and Mono in the past on some other machines.
Maybe I'm too tired... But what's the issue here? It must be grsec-specific... It sounds pretty reasonable to me that xinit gets a high priority. How do I configure that stuff to work now?
Thanks for help in advance,
wishi
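As an added example (not from the post and not grsecurity's own code), a small parser for the two grsec log line formats quoted above: it pulls out the resource name, requested value and limit, and the process and parent credentials, and flags a segfault in a process whose euid differs from its real uid (the setuid-root Xorg started by uid 1000 here). The sample lines are constructed from the values in the post; the third line is filler to show a non-match.

```python
import re

# Constructed sample in the format of the lines quoted in the post (host name, pids
# and addresses are the post's values; the third line is filler to show non-matches).
SAMPLE_LOG = """\
Dec 22 00:01:49 fuzzbox kernel: [ 905.156572] grsec: denied resource overstep by requesting 21 for RLIMIT_NICE against limit 0 for /usr/bin/xinit[xinit:3310] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/startx[startx:3293] uid/euid:1000/1000 gid/egid:1000/1000
Dec 22 00:01:50 fuzzbox kernel: [ 905.834793] grsec: Segmentation fault occurred at 00007152891aade0 in /usr/bin/Xorg[Xorg:3311] uid/euid:1000/0 gid/egid:1000/0, parent /usr/bin/xinit[xinit:3310] uid/euid:1000/1000 gid/egid:1000/1000
Dec 22 00:01:51 fuzzbox kernel: [ 906.000000] usb 1-1: new high-speed USB device
"""

def _proc(prefix):
    """Pattern for grsec's 'path[comm:pid] uid/euid:a/b gid/egid:c/d' process description."""
    return (rf"(?P<{prefix}path>\S+)\[(?P<{prefix}comm>[^\]:]+):(?P<{prefix}pid>\d+)\] "
            rf"uid/euid:(?P<{prefix}uid>\d+)/(?P<{prefix}euid>\d+) "
            rf"gid/egid:(?P<{prefix}gid>\d+)/(?P<{prefix}egid>\d+)")

_PARENT = r", parent " + _proc("parent_")
RESLIMIT_RE = re.compile(r"grsec: denied resource overstep by requesting (?P<requested>\d+) for "
                         r"(?P<resource>RLIMIT_[A-Z]+) against limit (?P<limit>\d+) for " + _proc("") + _PARENT)
SEGV_RE = re.compile(r"grsec: Segmentation fault occurred at (?P<addr>[0-9a-f]+) in " + _proc("") + _PARENT)
_NUMERIC = {"requested", "limit", "pid", "uid", "euid", "gid", "egid",
            "parent_pid", "parent_uid", "parent_euid", "parent_gid", "parent_egid"}

def parse_line(line):
    """Return a dict for a grsec resource-overstep or segfault line, None for anything else."""
    for kind, pattern in (("reslimit", RESLIMIT_RE), ("segv", SEGV_RE)):
        m = pattern.search(line)
        if m:
            ev = {"type": kind}
            for key, val in m.groupdict().items():
                ev[key] = int(val) if key in _NUMERIC else val
            return ev
    return None

def parse_log(text):
    return [ev for ev in map(parse_line, text.splitlines()) if ev]

def setuid_crashes(events):
    """Segfaults in processes whose euid differs from the real uid (e.g. setuid-root Xorg
    started by an unprivileged user); these deserve a closer look than a plain user crash."""
    return [e for e in events if e["type"] == "segv" and e["euid"] != e["uid"]]

def limit_denials(events, resource=None):
    """Resource-limit denials, optionally restricted to one RLIMIT_* name."""
    return [e for e in events if e["type"] == "reslimit"
            and (resource is None or e["resource"] == resource)]

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in limit_denials(evs, "RLIMIT_NICE"):
        print(f"{e['path']}[{e['pid']}] asked for {e['requested']} against limit {e['limit']}")
    for e in setuid_crashes(evs):
        print(f"setuid crash: {e['path']} uid {e['uid']} euid {e['euid']} at {e['addr']}")
```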