
grsec vs. nvidia-kernel-common in xinit

PostPosted: Mon Dec 21, 2009 7:28 pm
by wishi
Hi folks!

I'm currently trying to build a (paxctl/grsec) policy for the nvidia-kernel-common modules and my X server, which loads the needed modules. I'm using 2.6.31.9 with the pre-configured "high" security level on 64-bit.
- Boots up well, works fine. - The system is an ION platform, so this damn proprietary Nvidia stuff is needed. I'm well aware that this is not a grsec problem, but I just hope that somebody has encountered similar problems and knows some helpful answers. It's not criticism or anything. Just a problem ;).

I runtime-compile the Nvidia kernel modules into the freshly compiled grsec kernel... and that works.
[code]
m-a a-i -i -t -f nvidia-kernel
[/code]

Afterwards I configure my Xserver:
[code]
Section "Module"
Load "dbe"
Load "extmod"
Load "type1"
Load "freetype"
Load "glx"
EndSection
[/code]

Finally a
[code]
% startx
[/code]

And the screen stays black. Time to read the logs - every Linux admin's dream come true:

[code]
Dec 22 00:01:49 fuzzbox kernel: [ 905.156572] grsec: denied resource overstep by requesting 21 for RLIMIT_NICE against limit 0 for /usr/bin/xinit[xinit:3310] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/startx[startx:3293] uid/euid:1000/1000 gid/egid:1000/1000
Dec 22 00:01:50 fuzzbox kernel: [ 905.834793] grsec: Segmentation fault occurred at 00007152891aade0 in /usr/bin/Xorg[Xorg:3311] uid/euid:1000/0 gid/egid:1000/0, parent /usr/bin/xinit[xinit:3310] uid/euid:1000/1000 gid/egid:1000/1000
[/code]

I paxctled xinit with -m, but I don't know... That's just my general method that worked for VMware and Mono in the past on some other machines.
- Maybe I'm too tired... But what's the issue here? It must be grsec-specific... It sounds pretty reasonable to me that xinit gets a high priority. How do I configure that stuff to work now?


Thanks for help in advance,
wishi

Re: grsec vs. nvidia-kernel-common in xinit

PostPosted: Tue Dec 22, 2009 8:07 am
by Oscon
wishi wrote:
Hi folks!

I'm currently trying to build a (paxctl/grsec) policy for the nvidia-kernel-common modules and my X server, which loads the needed modules. I'm using 2.6.31.9 with the pre-configured "high" security level on 64-bit.
- Boots up well, works fine. - The system is an ION platform, so this damn proprietary Nvidia stuff is needed. I'm well aware that this is not a grsec problem, but I just hope that somebody has encountered similar problems and knows some helpful answers. It's not criticism or anything. Just a problem ;).

[code]
% startx
[/code]

And the screen stays black. Time to read the logs - every Linux admin's dream come true:

[code]
Dec 22 00:01:50 fuzzbox kernel: [ 905.834793] grsec: Segmentation fault occurred at 00007152891aade0 in /usr/bin/Xorg[Xorg:3311] uid/euid:1000/0 gid/egid:1000/0, parent /usr/bin/xinit[xinit:3310] uid/euid:1000/1000 gid/egid:1000/1000
[/code]

I paxctled xinit with -m, but I don't know... That's just my general method that worked for VMware and Mono in the past on some other machines.


[code]
paxctl -m /usr/bin/Xorg
[/code]
and not xinit.

Re: grsec vs. nvidia-kernel-common in xinit

PostPosted: Thu Dec 24, 2009 7:39 am
by wishi
I doubt that...
I configured +CAP_ALL, too, for Xorg. Doesn't help. Does anybody know how to allow those limits to be overstepped by certain select processes? The more I investigate, the more I believe that this is some weird tuning cheat by the nvidia_kernel modules to raise the X server priority for performance reasons. Dunno...

Re: grsec vs. nvidia-kernel-common in xinit

PostPosted: Thu Dec 24, 2009 11:15 am
by Hugo Mildenberger
For changing limits look for /etc/security/limits.conf (or if that file does not exist, use ulimit before starting X)

But your real problem is this:
[code]
Dec 22 00:01:50 fuzzbox kernel: [ 905.834793] grsec: Segmentation fault occurred at 00007152891aade0 in /usr/bin/Xorg[Xorg:3311] uid/euid:1000/0 gid/egid:1000/0, parent /usr/bin/xinit[xinit:3310] uid/euid:1000/1000 gid/egid:1000/1000
[/code]

Change limits.conf or use ulimit -c unlimited to get core dumps. With a core dump, debug symbols and gdb you could find where /usr/bin/Xorg segfaults. It certainly has nothing to do with nice levels, but probably a lot to do with glx and therefore with the nvidia driver.
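Hugo's pointers (limits.conf, ulimit) and the RLIMIT_NICE line from the first post, as an added worked example that is not part of this thread and not code from grsecurity or PaX: a POSIX shell script (it shells out to awk) that parses a grsec "denied resource overstep" log line, converts the kernel's internal RLIMIT_NICE encoding back to a nice level, and prints the /etc/security/limits.conf entry that would permit the request. The sample log line is the one quoted in the first post; the user name alice is an assumption, since the log only carries the numeric uid 1000 and limits.conf keys on names or @groups.

```shell
#!/bin/sh
# Added example, not code from the thread or from grsecurity: decode a grsec
# "denied resource overstep" line and derive the limits.conf entry for it.
# The sample line is the RLIMIT_NICE denial quoted in the first post.
SAMPLE_LOG='Dec 22 00:01:49 fuzzbox kernel: [ 905.156572] grsec: denied resource overstep by requesting 21 for RLIMIT_NICE against limit 0 for /usr/bin/xinit[xinit:3310] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/startx[startx:3293] uid/euid:1000/1000 gid/egid:1000/1000'

# parse_overstep LINE
# Prints "RESOURCE REQUESTED LIMIT PATH UID" for one overstep line, e.g.
# "RLIMIT_NICE 21 0 /usr/bin/xinit 1000". Prints nothing for other lines.
parse_overstep() {
    printf '%s\n' "$1" | awk '
        /grsec: denied resource overstep/ {
            res = req = lim = path = uid = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "requesting") req = $(i + 1)
                if ($i == "limit") lim = $(i + 1)
                if ($i == "for" && $(i + 1) ~ /^RLIMIT_/) res = $(i + 1)
                if ($i == "for" && $(i + 1) ~ /^\//) {
                    # "/usr/bin/xinit[xinit:3310]" -> keep only the path
                    path = $(i + 1); sub(/\[.*$/, "", path)
                }
                if ($i ~ /^uid\/euid:/ && uid == "") {
                    # first uid/euid pair belongs to the offender, not the parent
                    uid = $i; sub(/^uid\/euid:/, "", uid); sub(/\/.*$/, "", uid)
                }
            }
            print res, req, lim, path, uid
        }'
}

# nice_from_rlimit N
# The kernel stores RLIMIT_NICE as (20 - nice), so the "21" in the log is a
# request for nice level -1; the default limit 0 allows nothing below nice 20,
# i.e. no priority raise at all for an unprivileged process.
nice_from_rlimit() {
    echo $((20 - $1))
}

# limits_entry NAME LINE
# Prints the limits.conf line "<domain> <type> <item> <value>" (type "-" sets
# soft and hard) that would allow the request in LINE for user or @group NAME.
# Only resources with an obvious limits.conf item are mapped; core and stack
# are given in KB in limits.conf while the kernel logs bytes, so round up.
limits_entry() {
    name=$1
    set -- $(parse_overstep "$2")
    res=$1 req=$2
    case $res in
        RLIMIT_NICE)   item=nice;   value=$(nice_from_rlimit "$req") ;;
        RLIMIT_NOFILE) item=nofile; value=$req ;;
        RLIMIT_NPROC)  item=nproc;  value=$req ;;
        RLIMIT_CORE)   item=core;   value=$(( ($req + 1023) / 1024 )) ;;
        RLIMIT_STACK)  item=stack;  value=$(( ($req + 1023) / 1024 )) ;;
        *) printf 'no limits.conf mapping for "%s"\n' "$res" >&2; return 1 ;;
    esac
    printf '%s - %s %s\n' "$name" "$item" "$value"
}

# Usage: for the line from the thread this prints "alice - nice -1",
# the entry to add to /etc/security/limits.conf for that user.
limits_entry alice "$SAMPLE_LOG"
```

Two caveats a practitioner would want. First, RLIMIT_NICE defaults to 0 for both the soft and the hard limit, and an unprivileged process can only raise its soft limit up to the hard one, so a `ulimit -e` (bash's knob for this limit) in .xinitrc cannot help on its own; the entry has to be applied by pam_limits at login, which means limits.conf only works if pam_limits is in the PAM stack of whatever session (getty/login or a display manager) spawns the startx shell. Second, allowing the nice request silences the first log line only; the Xorg segfault in the second line is a separate problem.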

Re: grsec vs. nvidia-kernel-common in xinit

PostPosted: Tue Dec 29, 2009 10:52 am
by wishi
Dunno... I don't get any usable output. Even if I create an ACL and deactivate all limits... it seems to be unsolvable for now without a lot of RE. Didn't anyone find a solution? The setup Linux + nvidia isn't that uncommon... ;)

Re: grsec vs. nvidia-kernel-common in xinit

PostPosted: Tue Dec 29, 2009 1:51 pm
by specs
Do you really need the closed-source drivers?
On my old Athlon64 with nvidia chipset I currently use the open-source driver, since I'm too lazy to download the proprietary stuff for each new kernel.

Also, I always use "custom" for the security setting without "disable privileged I/O" for systems with an X server, although some work with the option enabled.