You are not logged in.

#1 2013-11-17 03:46:21

darrenldl
Member
Registered: 2013-06-04
Posts: 31

( Note: I gave up ) Grsecurity blocks UDP traffic(?) ( With Tomoyo )

Hello,

I recently obtained linux-grsec and related binaries from arsch.orgizm.net repo, which I assume uses default kernel compile options.

I was trying to use skype, which uses both UDP and TCP, while it works perfectly normal in stock kernel, certain parts of it doesn't in grsec.
From what I can see in wireshark capture,
in stock kernel, skype can generate UDP traffic and TCP as well,
however in grsec, skype can only generate TCP traffic, and DNS(no other UDP traffic can be seen in wireshark).

As a result, in grsec, I can chat with others(I guess since it's TCP traffic there?) , but I can't obtain the status(online, away, offline etc) of others' and mine, and can't voice chat as well(both are UDP based i guess?), the skype icon is also stuck at "connecting/loading" spinny wheel thingy.

I've been searching for the solution for a few days, and so far the only issue with skype and grsec on web I can find is pax flags of skype(which I configured already), none is about the traffic problem.

I'm currently using a laptop, rather than a server, so Grsecurity is most probably an overkill for me, but I kinda want to try it out, so far only skype is giving me issues.

Thank you for your time,
Darren.

Edit :
Updated title, mentioning that I was using it along with Tomoyo linux.

Edit2 :
I want to mark this like "case closed" cause I gave up, but apparently from Forum Etiquette(archwiki), I should not use the CLOSE mark, but I don't have a solution either, so I don't think I should use the SOLVED mark as well. So I just add a note before the title, sorry if I'm doing wrong here.
(If this is not helpful at all, please just delete the thread.)

Just some extra information, linux-grsec with Tomoyo linux enabled still works perfectly fine with Firefox(and possibly everything other than skype, can't be sure though)

Last edited by darrenldl (2013-11-19 14:28:50)

Offline

#2 2013-11-18 14:50:03

darrenldl
Member
Registered: 2013-06-04
Posts: 31

Re: ( Note: I gave up ) Grsecurity blocks UDP traffic(?) ( With Tomoyo )

Hello,

Sorry for the possible confusion there, as I didn't provide enough info.
I was trying to use Tomoyo linux and Grsecurity at the same time(RBAC was disabled though).

I tested my scenario on virtualbox, turns out Tomoyo linux might be causing the problem,
So I first installed linux-grsec on the virtual vanilla Arch, everything ran absolutely perfectly normal, skype can function normally.

So then I installed Tomoyo linux, I only used /usr/lib/tomoyo/init_policy to create a blank set of policies, then added boot options to grub,
everything still worked fine at that point.

But when I put my current tomoyo policies into the virtual Arch, then restart, skype no longer works properly.

For skype, I basically followed the policy of this wiki : https://wiki.archlinux.org/index.php/skype#TOMOYO
Which works perfectly fine in vanilla Arch for skype, but it makes skype unable to function in Grsec kernel.

Interestingly, under tomoyo-queryd in Grsec kernel, I noticed that skype was making two ioctl requests, which seem to be for IPv4/UDP,
those two request didn't appear when I was running vanilla Arch.

I should probably do the test all over again to make sure, but it's quite late at my area and I have tomorrow scheduled,
so I will just post anything new later.

Additional info :
I did an update just before the test, so everything's updated.
I used linux-grsec from arsch.orgizm.net, not linux-grsec-lts.

(My apologies if this seems messy to you, I typed it in a hurry.)

Thank you for your time,
Darren.

Offline

#3 2013-11-19 14:10:11

darrenldl
Member
Registered: 2013-06-04
Posts: 31

Re: ( Note: I gave up ) Grsecurity blocks UDP traffic(?) ( With Tomoyo )

Hello,

I replicated my scenario in virtualbox again, and skype couldn't even connect at all, in Grsec kernel, without tomoyo installed/enabled.
While ping(with ip address and domain name) is perfectly normal, so network connectivity is good and DNS services could be accessed.

In short, I give up, skype has never been my favourite application on Linux. If it's not for my friends, I would probably stay away from it and not even going to try poking it with a 10 metre long stick.

I'm guessing that Tomoyo linux on laptop is sufficient enough, cause I'm not hosting any form of services on my laptop, and I just use some generic restrictive iptables rules.
(Or even no MAC system present is good enough, but I'm just ultra paranoid of browsers' vulnerabilities)

Anywway, thank you for your time.
Sorry if you've spent some time investigating this, but I'm not willing to put an awful lot of effort into making my system compatible with skype, I'm not going to tilt everything upside down and inside out, mess around with tons of settings and afternoons and good coffee just to fit skype into my system.

Thank you for your time,
Darren

Offline

Board footer

Powered by FluxBB