
#1 2012-11-01 00:16:48

hunterthomson
Member
Registered: 2008-06-22
Posts: 794
Website

polkit (0.105-1 -> 0.107-4) Breaks PaX support

When upgrading polkit (0.105-1 -> 0.107-4), there are many problems with PaX MPROTECT.

With package 0.105-1 there are no problems with full PaX protections on everything.

freedesktop.org Bug
https://bugs.freedesktop.org/show_bug.cgi?id=56628

Last edited by hunterthomson (2012-11-01 04:27:38)


OpenBSD-current Thinkpad X230, i7-3520M, 16GB CL9 Kingston, Samsung 830 256GB
Contributor: linux-grsec

Offline

#2 2012-11-01 03:33:13

hunterthomson
Member
Registered: 2008-06-22
Posts: 794
Website

Re: polkit (0.105-1 -> 0.107-4) Breaks PaX support

Setting -cPEmRXS /usr/lib/polkit-1/polkitd # Does NOT solve the problem, only fixes the RWX line

I realize that "grsecurity and PaX" are not officially supported by Arch Linux. However, polkit should not be doing things that PaX blocks anyway. The only valid reason for a program to do funky stuff with memory is if your program is a virtualization program, i.e. KVM or Java VM.

I have downgraded to 0.105-1 and all is well.
NOTE: No problems when booting with normal -ARCH kernel
What problems will I face staying on the old polkit-0.105-1?

grsec: denied RWX mmap of <anonymous mapping> by /usr/lib/polkit-1/polkitd[polkitd:1588] uid/euid:102/102 gid/egid:102/102, parent /usr/lib/systemd/systemd[systemd:1]
grsec: Segmentation fault occurred at 0000000000000010 in /usr/lib/polkit-1/polkitd[polkitd:1588]
grsec: bruteforce prevention initiated against uid 102, banning for 15 minutes
systemd[1]: Failed to start Authorization Manager.

dbus-daemon[406]: dbus[406]: [system] Failed to activate service 'org.freedesktop.ConsoleKit': timed out
dbus[406]: [system] Failed to activate service 'org.freedesktop.ConsoleKit': timed out
dbus-daemon[406]: dbus[406]: [system] Failed to activate service 'org.freedesktop.PolicyKit1': timed out
dbus[406]: [system] Failed to activate service 'org.freedesktop.PolicyKit1': timed out

Last edited by hunterthomson (2012-11-01 03:40:47)



Offline
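The grsec lines quoted in the post above already name the executable, the denied operation and the follow-on crash and uid ban. As an added example (not part of the original thread), this Python sketch groups such messages per executable and lists the D-Bus activations that timed out afterwards; `triage` is a hypothetical helper, and the regular expressions are assumptions derived only from the lines quoted in the thread.

```python
import re
from collections import defaultdict

# Log lines copied from post #2 of this thread (one dbus line per service kept).
SAMPLE_LOG = """\
grsec: denied RWX mmap of <anonymous mapping> by /usr/lib/polkit-1/polkitd[polkitd:1588] uid/euid:102/102 gid/egid:102/102, parent /usr/lib/systemd/systemd[systemd:1]
grsec: Segmentation fault occurred at 0000000000000010 in /usr/lib/polkit-1/polkitd[polkitd:1588]
grsec: bruteforce prevention initiated against uid 102, banning for 15 minutes
systemd[1]: Failed to start Authorization Manager.
dbus[406]: [system] Failed to activate service 'org.freedesktop.ConsoleKit': timed out
dbus[406]: [system] Failed to activate service 'org.freedesktop.PolicyKit1': timed out
"""

# Patterns are derived only from the message shapes shown above (an assumption,
# not a full grammar of grsecurity's log format).
PROC = r"(?P<exe>/\S+?)\[[^:\]]+:(?P<pid>\d+)\]"
DENIED = re.compile(r"grsec: denied (?P<what>RWX \w+) of (?P<target>.+?) by " + PROC
                    + r" uid/euid:(?P<uid>\d+)/\d+")
SEGV = re.compile(r"grsec: Segmentation fault occurred at [0-9a-f]+ in " + PROC)
BAN = re.compile(r"grsec: bruteforce prevention initiated against uid (?P<uid>\d+), "
                 r"banning for (?P<mins>\d+) minutes")
DBUS = re.compile(r"Failed to activate service '(?P<svc>[^']+)': timed out")


def triage(log_text):
    """Return (per-executable grsec findings, D-Bus services that timed out)."""
    findings = defaultdict(lambda: {"denials": [], "crashed_pids": set(),
                                    "uids": set(), "ban_minutes": None})
    timed_out = set()
    for line in log_text.splitlines():
        if m := DENIED.search(line):
            f = findings[m["exe"]]
            f["denials"].append((m["what"], m["target"], int(m["pid"])))
            f["uids"].add(int(m["uid"]))
        elif m := SEGV.search(line):
            findings[m["exe"]]["crashed_pids"].add(int(m["pid"]))
        elif m := BAN.search(line):
            # The ban message names only a uid; attach it to executables seen under that uid.
            for f in findings.values():
                if int(m["uid"]) in f["uids"]:
                    f["ban_minutes"] = int(m["mins"])
        elif m := DBUS.search(line):
            timed_out.add(m["svc"])
    return dict(findings), sorted(timed_out)


if __name__ == "__main__":
    per_exe, services = triage(SAMPLE_LOG)
    for exe, f in per_exe.items():
        print(exe, f)
    print("D-Bus activations timed out:", services)
```

Because the patterns use `search`, the same function works on journal lines that carry a timestamp and hostname prefix.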

#3 2012-11-01 04:26:14

ZekeSulastin
Member
Registered: 2010-09-20
Posts: 266

Re: polkit (0.105-1 -> 0.107-4) Breaks PaX support

You'll need to recompile polkit 0.105 with --enable-systemd, otherwise it'll break trying to use the now-removed ConsoleKit.

Last edited by ZekeSulastin (2012-11-01 04:31:36)

Offline

#4 2012-11-01 05:19:42

hunterthomson
Member
Registered: 2008-06-22
Posts: 794
Website

Re: polkit (0.105-1 -> 0.107-4) Breaks PaX support

Ah..., maybe that is what the problem is, i.e. systemd doing stuff that ConsoleKit used to do.

Like when I upgrade to polkit-0.107-4 and then set paxctl -cPEmRXS /usr/lib/polkit-1/polkitd
I don't have any more problems with polkit, I guess. It seems that the problem is systemd not being able to connect to dbus. However, there are no errors that help me find what bins need security holes poked into them.

D-Bus seems to start...
Oct 31 18:49:44 walnut systemd[1]: Starting D-Bus System Message Bus Socket.
Oct 31 18:49:44 walnut systemd[1]: Listening on D-Bus System Message Bus Socket.
Oct 31 18:49:44 walnut systemd[1]: Starting D-Bus System Message Bus...
Oct 31 18:49:44 walnut systemd[1]: Started D-Bus System Message Bus.

But then I get errors like this....

Oct 31 18:50:24 walnut dbus-daemon[399]: dbus[399]: [system] Failed to activate service 'org.freedesktop.ConsoleKit': timed out
Oct 31 18:50:24 walnut dbus[399]: [system] Failed to activate service 'org.freedesktop.ConsoleKit': timed out
Oct 31 18:50:24 walnut systemd-logind[401]: New session 1 of user bob.
Oct 31 18:50:24 walnut login[575]: LOGIN ON tty1 BY bob
Oct 31 18:50:24 walnut dbus-daemon[399]: dbus[399]: [system] Failed to activate service 'org.freedesktop.PolicyKit1': timed out
Oct 31 18:50:24 walnut dbus[399]: [system] Failed to activate service 'org.freedesktop.PolicyKit1': timed out
Oct 31 18:50:24 walnut console-kit-daemon[1523]: console-kit-daemon[1523]: WARNING: polkit_authority_get: Error getting authority: Error
Oct 31 18:50:24 walnut console-kit-daemon[1523]: WARNING: polkit_authority_get: Error getting authority: Error initializing authority: E
Oct 31 18:50:24 walnut systemd[1]: Started Console Manager.

Last edited by hunterthomson (2012-11-01 05:25:02)



Offline

#5 2012-11-01 05:33:09

hunterthomson
Member
Registered: 2008-06-22
Posts: 794
Website

Re: polkit (0.105-1 -> 0.107-4) Breaks PaX support

I see I still have consolekit-0.4.6-4 installed and that is why polkit-0.105-1 still works.

If support for this is now removed from Arch Linux, this package should have been removed when I upgraded, ya?

So, what do I need to fix then to make D-Bus work with systemd again?
/usr/lib/systemd/systemd-logind ?



Offline

#6 2012-11-01 06:50:36

hunterthomson
Member
Registered: 2008-06-22
Posts: 794
Website

Re: polkit (0.105-1 -> 0.107-4) Breaks PaX support

Ah, okay, the dbus errors were "because" I still had consolekit installed... however, now that it is removed, "startx" no longer works. I get no EE or WW in the log... I'll start a Newbie thread for that problem though.



Offline

#7 2012-11-13 02:06:29

phects
Member
Registered: 2010-08-31
Posts: 10

Re: polkit (0.105-1 -> 0.107-4) Breaks PaX support

The fun thing is:
polkit needs MPROTECT and RANDMMAP off because it's using SpiderMonkey as its JavaScript engine. Why does polkit need a JavaScript engine, one might ask. For configuration. Of course...

See for example my adjuvant polkit configuration for libvirt. It prevents usage in even seconds.

polkit.addRule(function(action, subject) {
        if (action.id == 'org.libvirt.unix.manage' && subject.isInGroup('wheel') && ((new Date()).getSeconds() % 2)) {
                return polkit.Result.YES;
        }
});

Offline
