
#26 2015-08-16 01:33:54

BlueYoshi
Member
Registered: 2015-03-14
Posts: 62

Re: GRSecurity, Pax and Fglrx

Amanda wrote:

How is your /etc/sysctl.d/05-grsecurity.conf set up? Steam will run only if the following line is commented out (#):

#kernel.grsecurity.tpe = 1

The only lines I edited on my file are:

kernel.pax.softmode = 0
kernel.grsecurity.disable_priv_io = 1

I'm running x86_64.

The error aside from all of the "unbound variable" is: "error while loading shared libraries: cannot make segment writable for relocation: Permission denied"

Great, now I'm getting this one too.

EDIT: looks like Pax Flags are not set upon reboot. Weird. I just set the flags again and it worked.

EDIT: I think you need to allow Steam to run for the first time without mitigations in order for it to work later with mitigations. This worked for me.

I've tried a few things, including what you've mentioned. Reboots, applying all changes to configurations with sysctl --system, back and forth with a few different configurations with and without the Steam fix from the wiki, and nothing seems to want to give.

I'm going to keep reading around to see if there's any solution that isn't too hackish.


#27 2015-08-16 20:57:14

Amanda
Member
Registered: 2015-07-23
Posts: 37

Re: GRSecurity, Pax and Fglrx

I just re-installed my system and Steam is working fine except for the Mic bug. Here's what I did:

* Install Arch
* Install the Free drivers
* Reboot
* Install GRSec Kernel, edit syslinux boot lines, reboot
* Set pax "softmode" to 0 in -> /etc/sysctl.d/05-grsecurity.conf
* Reboot
* Install Steam

Now, at this point you'll want to make it download a newer version of its runtime, so:

find ~/.steam/root/ \( -name "libgcc_s.so*" -o -name "libstdc++.so*" -o -name "libxcb.so*" \) -print -delete

If you open Steam via Terminal now, it will download its 200+ MB of updates, then fail to open, with this error:

/home/amanda/.local/share/Steam/ubuntu12_32/steam: error while loading shared libraries: cannot make segment writable for relocation: Permission denied

This is OK as you'll set NEW permissions to it. Remember I said "PEmRS" flags? I tested with "PemRS" and it worked. So:

setfattr -n user.pax.flags -v "PemRS" /home/amanda/.local/share/Steam/ubuntu12_32/steam

If you open Steam now it will complain because you're using the Free drivers, so again you delete the old runtime:

find ~/.steam/root/ \( -name "libgcc_s.so*" -o -name "libstdc++.so*" -o -name "libxcb.so*" \) -print -delete

And then open Steam again :)

Remember, it's important to NOT have the following in your /etc/sysctl.d/05-grsecurity.conf:

kernel.grsecurity.tpe = 1

I remember Steam won't open if you comment this line out.

If you want, here's my /etc/sysctl.d/05-grsecurity.conf:

# All features in the kernel.grsecurity namespace are disabled by default.

#
# Disable PaX enforcement by default.
#
# The `paxd` package sets softmode back to 0 in a configuration file loaded
# after this one. It automatically handles setting exceptions from the PaX
# exploit mitigations after Pacman operations. Altering the setting manually
# rather than using `paxd` is not recommended.
#

kernel.pax.softmode = 0

#
# Memory protections
#

#kernel.grsecurity.disable_priv_io = 1
kernel.grsecurity.deter_bruteforce = 1

#
# Race free SymLinksIfOwnerMatch for web servers
#
# symlinkown_gid: http group
#

kernel.grsecurity.enforce_symlinksifowner = 1
kernel.grsecurity.symlinkown_gid = 33

#
# FIFO restrictions
#
# Prevent writing to a FIFO in a world-writable sticky directory (e.g. /tmp),
# unless the owner of the FIFO is the same owner of the directory it's held in.
#

kernel.grsecurity.fifo_restrictions = 1

#
# Deny any further rw mounts
#

#kernel.grsecurity.romount_protect = 1

#
# chroot restrictions (the commented options will break containers)
#

#kernel.grsecurity.chroot_caps = 1
kernel.grsecurity.chroot_deny_bad_rename = 1
#kernel.grsecurity.chroot_deny_chmod = 1
#kernel.grsecurity.chroot_deny_chroot = 1
kernel.grsecurity.chroot_deny_fchdir = 1
#kernel.grsecurity.chroot_deny_mknod = 1
#kernel.grsecurity.chroot_deny_mount = 1
#kernel.grsecurity.chroot_deny_pivot = 1
kernel.grsecurity.chroot_deny_shmat = 1
kernel.grsecurity.chroot_deny_sysctl = 1
kernel.grsecurity.chroot_deny_unix = 1
kernel.grsecurity.chroot_enforce_chdir = 1
kernel.grsecurity.chroot_findtask = 1
#kernel.grsecurity.chroot_restrict_nice = 1

#
# Kernel auditing
#
# audit_group: Restrict exec/chdir logging to a group.
# audit_gid: audit group
#

#kernel.grsecurity.audit_group = 1
kernel.grsecurity.audit_gid = 201
#kernel.grsecurity.exec_logging = 1
#kernel.grsecurity.resource_logging = 1
#kernel.grsecurity.chroot_execlog = 1
#kernel.grsecurity.audit_ptrace = 1
#kernel.grsecurity.audit_chdir = 1
#kernel.grsecurity.audit_mount = 1
#kernel.grsecurity.signal_logging = 1
#kernel.grsecurity.forkfail_logging = 1
#kernel.grsecurity.timechange_logging = 1
kernel.grsecurity.rwxmap_logging = 1

#
# Executable protections
#

kernel.grsecurity.harden_ptrace = 1
kernel.grsecurity.ptrace_readexec = 1
kernel.grsecurity.consistent_setxid = 1
kernel.grsecurity.harden_ipc = 1

#
# Trusted Path Execution
#
# tpe_gid: tpe group
#

#kernel.grsecurity.tpe = 1
kernel.grsecurity.tpe_gid = 200
#kernel.grsecurity.tpe_invert = 1
kernel.grsecurity.tpe_restrict_all = 1

#
# Network protections
#
# socket_all_gid:    socket-deny-all group
# socket_client_gid: socket-deny-client group
# socket_server_gid: socket-deny-server group
#

#kernel.grsecurity.ip_blackhole = 1
kernel.grsecurity.lastack_retries = 4
kernel.grsecurity.socket_all = 1
kernel.grsecurity.socket_all_gid = 202
kernel.grsecurity.socket_client = 1
kernel.grsecurity.socket_client_gid = 203
kernel.grsecurity.socket_server = 1
kernel.grsecurity.socket_server_gid = 204

#
# Prevent any new USB devices from being recognized by the OS.
#

#kernel.grsecurity.deny_new_usb = 1

#
# Restrict grsec sysctl changes after this was set
#

#kernel.grsecurity.grsec_lock = 1

Last edited by Amanda (2015-08-16 20:58:20)


#28 2015-08-16 21:11:39

BlueYoshi
Member
Registered: 2015-03-14
Posts: 62

Re: GRSecurity, Pax and Fglrx

Amanda wrote:

I just re-installed my system and Steam is working fine except for the Mic bug. Here's what I did:

* Install Arch
* Install the Free drivers
* Reboot
* Install GRSec Kernel, edit syslinux boot lines, reboot
* Set pax "softmode" to 0 in -> /etc/sysctl.d/05-grsecurity.conf
* Reboot
* Install Steam

Now, at this point you'll want to make it download a newer version of its runtime, so:

find ~/.steam/root/ \( -name "libgcc_s.so*" -o -name "libstdc++.so*" -o -name "libxcb.so*" \) -print -delete

If you open Steam via Terminal now, it will download its 200+ MB of updates, then fail to open, with this error:

/home/amanda/.local/share/Steam/ubuntu12_32/steam: error while loading shared libraries: cannot make segment writable for relocation: Permission denied

This is OK as you'll set NEW permissions to it. Remember I said "PEmRS" flags? I tested with "PemRS" and it worked. So:

setfattr -n user.pax.flags -v "PemRS" /home/amanda/.local/share/Steam/ubuntu12_32/steam

If you open Steam now it will complain because you're using the Free drivers, so again you delete the old runtime:

find ~/.steam/root/ \( -name "libgcc_s.so*" -o -name "libstdc++.so*" -o -name "libxcb.so*" \) -print -delete

And then open Steam again :)

Remember, it's important to NOT have the following in your /etc/sysctl.d/05-grsecurity.conf:

kernel.grsecurity.tpe = 1

I remember Steam won't open if you comment this line out.

If you want, here's my /etc/sysctl.d/05-grsecurity.conf:

# All features in the kernel.grsecurity namespace are disabled by default.

#
# Disable PaX enforcement by default.
#
# The `paxd` package sets softmode back to 0 in a configuration file loaded
# after this one. It automatically handles setting exceptions from the PaX
# exploit mitigations after Pacman operations. Altering the setting manually
# rather than using `paxd` is not recommended.
#

kernel.pax.softmode = 0

#
# Memory protections
#

#kernel.grsecurity.disable_priv_io = 1
kernel.grsecurity.deter_bruteforce = 1

#
# Race free SymLinksIfOwnerMatch for web servers
#
# symlinkown_gid: http group
#

kernel.grsecurity.enforce_symlinksifowner = 1
kernel.grsecurity.symlinkown_gid = 33

#
# FIFO restrictions
#
# Prevent writing to a FIFO in a world-writable sticky directory (e.g. /tmp),
# unless the owner of the FIFO is the same owner of the directory it's held in.
#

kernel.grsecurity.fifo_restrictions = 1

#
# Deny any further rw mounts
#

#kernel.grsecurity.romount_protect = 1

#
# chroot restrictions (the commented options will break containers)
#

#kernel.grsecurity.chroot_caps = 1
kernel.grsecurity.chroot_deny_bad_rename = 1
#kernel.grsecurity.chroot_deny_chmod = 1
#kernel.grsecurity.chroot_deny_chroot = 1
kernel.grsecurity.chroot_deny_fchdir = 1
#kernel.grsecurity.chroot_deny_mknod = 1
#kernel.grsecurity.chroot_deny_mount = 1
#kernel.grsecurity.chroot_deny_pivot = 1
kernel.grsecurity.chroot_deny_shmat = 1
kernel.grsecurity.chroot_deny_sysctl = 1
kernel.grsecurity.chroot_deny_unix = 1
kernel.grsecurity.chroot_enforce_chdir = 1
kernel.grsecurity.chroot_findtask = 1
#kernel.grsecurity.chroot_restrict_nice = 1

#
# Kernel auditing
#
# audit_group: Restrict exec/chdir logging to a group.
# audit_gid: audit group
#

#kernel.grsecurity.audit_group = 1
kernel.grsecurity.audit_gid = 201
#kernel.grsecurity.exec_logging = 1
#kernel.grsecurity.resource_logging = 1
#kernel.grsecurity.chroot_execlog = 1
#kernel.grsecurity.audit_ptrace = 1
#kernel.grsecurity.audit_chdir = 1
#kernel.grsecurity.audit_mount = 1
#kernel.grsecurity.signal_logging = 1
#kernel.grsecurity.forkfail_logging = 1
#kernel.grsecurity.timechange_logging = 1
kernel.grsecurity.rwxmap_logging = 1

#
# Executable protections
#

kernel.grsecurity.harden_ptrace = 1
kernel.grsecurity.ptrace_readexec = 1
kernel.grsecurity.consistent_setxid = 1
kernel.grsecurity.harden_ipc = 1

#
# Trusted Path Execution
#
# tpe_gid: tpe group
#

#kernel.grsecurity.tpe = 1
kernel.grsecurity.tpe_gid = 200
#kernel.grsecurity.tpe_invert = 1
kernel.grsecurity.tpe_restrict_all = 1

#
# Network protections
#
# socket_all_gid:    socket-deny-all group
# socket_client_gid: socket-deny-client group
# socket_server_gid: socket-deny-server group
#

#kernel.grsecurity.ip_blackhole = 1
kernel.grsecurity.lastack_retries = 4
kernel.grsecurity.socket_all = 1
kernel.grsecurity.socket_all_gid = 202
kernel.grsecurity.socket_client = 1
kernel.grsecurity.socket_client_gid = 203
kernel.grsecurity.socket_server = 1
kernel.grsecurity.socket_server_gid = 204

#
# Prevent any new USB devices from being recognized by the OS.
#

#kernel.grsecurity.deny_new_usb = 1

#
# Restrict grsec sysctl changes after this was set
#

#kernel.grsecurity.grsec_lock = 1

That appears to be exactly what I tried at one point, but to be certain, I'll try it again as you instructed.


#29 2015-08-17 00:59:03

Amanda
Member
Registered: 2015-07-23
Posts: 37

Re: GRSecurity, Pax and Fglrx

BlueYoshi, it seems you're more experienced in this than I. Do you know how to set the flags to the entire Steam directory? I've been looking for hours and couldn't find how to do it.


#30 2015-08-17 01:12:33

BlueYoshi
Member
Registered: 2015-03-14
Posts: 62

Re: GRSecurity, Pax and Fglrx

Amanda wrote:

BlueYoshi, it seems you're more experienced in this than I. Do you know how to set the flags to the entire Steam directory? I've been looking for hours and couldn't find how to do it.

I'm actually not. I'm just searching around for a solution as well, and all I can find is instructions for TPE for either a whitelist or blacklist model, but I'm also new to grsec/pax and don't know if that's safe or recommended.

I just got home and am going to do a second attempt on what you outlined earlier.

Last edited by BlueYoshi (2015-08-17 01:13:06)


#31 2015-08-17 01:40:33

Amanda
Member
Registered: 2015-07-23
Posts: 37

Re: GRSecurity, Pax and Fglrx

Well, finally I was able to solve the bug where testing the mic will cause Steam to crash, and this bug is also related to not being able to see the comments or opening the store.

It is one of the following files, so wait for an update:

setfattr -n user.pax.flags -v "pemrs" /home/amanda/.steam/steam/ubuntu12_32/chromehtml.so
setfattr -n user.pax.flags -v "pemrs" /home/amanda/.steam/steam/ubuntu12_32/crashhandler.so
setfattr -n user.pax.flags -v "pemrs" /home/amanda/.steam/steam/ubuntu12_32/driverhelper.py
setfattr -n user.pax.flags -v "pemrs" /home/amanda/.steam/steam/ubuntu12_32/filesystem_stdio.so
setfattr -n user.pax.flags -v "pemrs" /home/amanda/.steam/steam/ubuntu12_32/friendsui.so
setfattr -n user.pax.flags -v "pemrs" /home/amanda/.steam/steam/ubuntu12_32/gameoverlayrenderer.so
setfattr -n user.pax.flags -v "pemrs" /home/amanda/.steam/steam/ubuntu12_32/gameoverlayui
setfattr -n user.pax.flags -v "pemrs" /home/amanda/.steam/steam/ubuntu12_32/gameoverlayui.so
setfattr -n user.pax.flags -v "pemrs" /home/amanda/.steam/steam/ubuntu12_32/html5app_steam
setfattr -n user.pax.flags -v "pemrs" /home/amanda/.steam/steam/ubuntu12_32/icudtl.dat
setfattr -n user.pax.flags -v "pemrs" /home/amanda/.steam/steam/ubuntu12_32/libaudio.so
setfattr -n user.pax.flags -v "pemrs" /home/amanda/.steam/steam/ubuntu12_32/libav_h264.so.56.crypt
setfattr -n user.pax.flags -v "pemrs" /home/amanda/.steam/steam/ubuntu12_32/libavcodec.so.56
setfattr -n user.pax.flags -v "pemrs" /home/amanda/.steam/steam/ubuntu12_32/libavformat.so.56
setfattr -n user.pax.flags -v "pemrs" /home/amanda/.steam/steam/ubuntu12_32/libavresample.so.2
setfattr -n user.pax.flags -v "pemrs" /home/amanda/.steam/steam/ubuntu12_32/libavutil.so.54
setfattr -n user.pax.flags -v "pemrs" /home/amanda/.steam/steam/ubuntu12_32/libcef.so
setfattr -n user.pax.flags -v "pemrs" /home/amanda/.steam/steam/ubuntu12_32/libffmpegsumo.so
setfattr -n user.pax.flags -v "pemrs" /home/amanda/.steam/steam/ubuntu12_32/libicui18n.so
setfattr -n user.pax.flags -v "pemrs" /home/amanda/.steam/steam/ubuntu12_32/libicuuc.so
setfattr -n user.pax.flags -v "pemrs" /home/amanda/.steam/steam/ubuntu12_32/libmiles.so
setfattr -n user.pax.flags -v "pemrs" /home/amanda/.steam/steam/ubuntu12_32/libopenvr_api.so
setfattr -n user.pax.flags -v "pemrs" /home/amanda/.steam/steam/ubuntu12_32/liboverride.so
setfattr -n user.pax.flags -v "pemrs" /home/amanda/.steam/steam/ubuntu12_32/libpdf.so
setfattr -n user.pax.flags -v "pemrs" /home/amanda/.steam/steam/ubuntu12_32/libSDL2-2.0.so.0
setfattr -n user.pax.flags -v "pemrs" /home/amanda/.steam/steam/ubuntu12_32/libsteam.so
setfattr -n user.pax.flags -v "pemrs" /home/amanda/.steam/steam/ubuntu12_32/libswscale.so.3
setfattr -n user.pax.flags -v "pemrs" /home/amanda/.steam/steam/ubuntu12_32/libtier0_s.so
setfattr -n user.pax.flags -v "pemrs" /home/amanda/.steam/steam/ubuntu12_32/libv8.so
setfattr -n user.pax.flags -v "pemrs" /home/amanda/.steam/steam/ubuntu12_32/libvideo.so
setfattr -n user.pax.flags -v "pemrs" /home/amanda/.steam/steam/ubuntu12_32/libvstdlib_s.so
setfattr -n user.pax.flags -v "pemrs" /home/amanda/.steam/steam/ubuntu12_32/libx264.so.142.crypt
setfattr -n user.pax.flags -v "pemrs" /home/amanda/.steam/steam/ubuntu12_32/natives_blob.bin
setfattr -n user.pax.flags -v "pemrs" /home/amanda/.steam/steam/ubuntu12_32/serverbrowser.so
setfattr -n user.pax.flags -v "pemrs" /home/amanda/.steam/steam/ubuntu12_32/snapshot_blob.bin
setfattr -n user.pax.flags -v "pemrs" /home/amanda/.steam/steam/ubuntu12_32/steam
setfattr -n user.pax.flags -v "pemrs" /home/amanda/.steam/steam/ubuntu12_32/steamclient.so
setfattr -n user.pax.flags -v "pemrs" /home/amanda/.steam/steam/ubuntu12_32/steamservice.so
setfattr -n user.pax.flags -v "pemrs" /home/amanda/.steam/steam/ubuntu12_32/steamui.so
setfattr -n user.pax.flags -v "pemrs" /home/amanda/.steam/steam/ubuntu12_32/steamwebhelper
setfattr -n user.pax.flags -v "pemrs" /home/amanda/.steam/steam/ubuntu12_32/streaming_client
setfattr -n user.pax.flags -v "pemrs" /home/amanda/.steam/steam/ubuntu12_32/vgui2_s.so

Could you set (as root) "sysctl kernel.pax.softmode=1" and see if Steam opens?

EDIT: Allowing the following solved pretty much every problem I encountered so far, including in-game-FPS-Counter, GameOverlay, Store, etc:

setfattr -n user.pax.flags -v "PemRS" /home/amanda/.local/share/Steam/ubuntu12_32/steam
setfattr -n user.pax.flags -v "PemRS" /home/amanda/.local/share/Steam/steam.sh
setfattr -n user.pax.flags -v "PemRS" /home/amanda/.steam/steam/ubuntu12_32/friendsui.so
setfattr -n user.pax.flags -v "PemRS" /home/amanda/.steam/steam/ubuntu12_32/gameoverlayrenderer.so
setfattr -n user.pax.flags -v "PemRS" /home/amanda/.steam/steam/ubuntu12_32/gameoverlayui
setfattr -n user.pax.flags -v "PemRS" /home/amanda/.steam/steam/ubuntu12_32/gameoverlayui.so
setfattr -n user.pax.flags -v "PemRS" /home/amanda/.steam/steam/ubuntu12_32/serverbrowser.so
setfattr -n user.pax.flags -v "PemRS" /home/amanda/.steam/steam/ubuntu12_32/snapshot_blob.bin
setfattr -n user.pax.flags -v "PemRS" /home/amanda/.steam/steam/ubuntu12_32/steam
setfattr -n user.pax.flags -v "PemRS" /home/amanda/.steam/steam/ubuntu12_32/steamclient.so
setfattr -n user.pax.flags -v "PemRS" /home/amanda/.steam/steam/ubuntu12_32/steamservice.so
setfattr -n user.pax.flags -v "PemRS" /home/amanda/.steam/steam/ubuntu12_32/steamui.so
setfattr -n user.pax.flags -v "PemRS" /home/amanda/.steam/steam/ubuntu12_32/steamwebhelper
setfattr -n user.pax.flags -v "PemRS" /home/amanda/.steam/steam/ubuntu12_32/streaming_client
setfattr -n user.pax.flags -v "PemRS" /home/amanda/.steam/steam/ubuntu12_32/vgui2_s.so

Last edited by Amanda (2015-08-17 02:13:00)


#32 2015-08-17 02:29:52

BlueYoshi
Member
Registered: 2015-03-14
Posts: 62

Re: GRSecurity, Pax and Fglrx

1.

# sysctl kernel.pax.softmode=1

2. I run this once, and then try running 'steam' after.

find ~/.steam/root/ \( -name "libgcc_s.so*" -o -name "libstdc++.so*" -o -name "libxcb.so*" \) -print -delete

3. Steam fails to run and returns an error about missing drivers, so I Ctrl+C and delete the runtimes again like above. It gets a bit farther this time.

4. I delete runtimes yet again and run 'steam'. It's somehow now working and opening the login window.

I don't know what exactly it is, but this appears to work when using softmode.


#33 2015-08-17 02:50:19

Amanda
Member
Registered: 2015-07-23
Posts: 37

Re: GRSecurity, Pax and Fglrx

I think you're setting the kernel back to "hard" mode and not setting the permissions to the Steam executables. It's the only logical explanation.


#34 2015-08-17 03:20:35

BlueYoshi
Member
Registered: 2015-03-14
Posts: 62

Re: GRSecurity, Pax and Fglrx

Amanda wrote:

I think you're setting the kernel back to "hard" mode and not setting the permissions to the Steam executables. It's the only logical explanation.

Here's my grsec configuration; I'm not really sure why Steam is running:

Edit: Ah wait, you're right. It got turned to 0.

# All features in the kernel.grsecurity namespace are disabled by default.

#
# Disable PaX enforcement by default.
#
# The `paxd` package sets softmode back to 0 in a configuration file loaded
# after this one. It automatically handles setting exceptions from the PaX
# exploit mitigations after Pacman operations. Altering the setting manually
# rather than using `paxd` is not recommended.
#

kernel.pax.softmode = 0

#
# Memory protections
#

#kernel.grsecurity.disable_priv_io = 1
kernel.grsecurity.deter_bruteforce = 1

#
# Race free SymLinksIfOwnerMatch for web servers
#
# symlinkown_gid: http group
#

kernel.grsecurity.enforce_symlinksifowner = 1
kernel.grsecurity.symlinkown_gid = 33

#
# FIFO restrictions
#
# Prevent writing to a FIFO in a world-writable sticky directory (e.g. /tmp),
# unless the owner of the FIFO is the same owner of the directory it's held in.
#

kernel.grsecurity.fifo_restrictions = 1

#
# Deny any further rw mounts
#

#kernel.grsecurity.romount_protect = 1

#
# chroot restrictions (the commented options will break containers)
#

#kernel.grsecurity.chroot_caps = 1
kernel.grsecurity.chroot_deny_bad_rename = 1
#kernel.grsecurity.chroot_deny_chmod = 1
#kernel.grsecurity.chroot_deny_chroot = 1
kernel.grsecurity.chroot_deny_fchdir = 1
#kernel.grsecurity.chroot_deny_mknod = 1
#kernel.grsecurity.chroot_deny_mount = 1
#kernel.grsecurity.chroot_deny_pivot = 1
kernel.grsecurity.chroot_deny_shmat = 1
kernel.grsecurity.chroot_deny_sysctl = 1
kernel.grsecurity.chroot_deny_unix = 1
kernel.grsecurity.chroot_enforce_chdir = 1
kernel.grsecurity.chroot_findtask = 1
#kernel.grsecurity.chroot_restrict_nice = 1

#
# Kernel auditing
#
# audit_group: Restrict exec/chdir logging to a group.
# audit_gid: audit group
#

#kernel.grsecurity.audit_group = 1
kernel.grsecurity.audit_gid = 201
#kernel.grsecurity.exec_logging = 1
#kernel.grsecurity.resource_logging = 1
#kernel.grsecurity.chroot_execlog = 1
#kernel.grsecurity.audit_ptrace = 1
#kernel.grsecurity.audit_chdir = 1
#kernel.grsecurity.audit_mount = 1
#kernel.grsecurity.signal_logging = 1
#kernel.grsecurity.forkfail_logging = 1
#kernel.grsecurity.timechange_logging = 1
kernel.grsecurity.rwxmap_logging = 1

#
# Executable protections
#

kernel.grsecurity.harden_ptrace = 1
kernel.grsecurity.ptrace_readexec = 1
kernel.grsecurity.consistent_setxid = 1
kernel.grsecurity.harden_ipc = 1

#
# Trusted Path Execution
#
# tpe_gid: tpe group
#

#kernel.grsecurity.tpe = 1
kernel.grsecurity.tpe_gid = 200
#kernel.grsecurity.tpe_invert = 1
kernel.grsecurity.tpe_restrict_all = 1

#
# Network protections
#
# socket_all_gid:    socket-deny-all group
# socket_client_gid: socket-deny-client group
# socket_server_gid: socket-deny-server group
#

#kernel.grsecurity.ip_blackhole = 1
kernel.grsecurity.lastack_retries = 4
kernel.grsecurity.socket_all = 1
kernel.grsecurity.socket_all_gid = 202
kernel.grsecurity.socket_client = 1
kernel.grsecurity.socket_client_gid = 203
kernel.grsecurity.socket_server = 1
kernel.grsecurity.socket_server_gid = 204

#
# Prevent any new USB devices from being recognized by the OS.
#

#kernel.grsecurity.deny_new_usb = 1

#
# Restrict grsec sysctl changes after this was set
#

#kernel.grsecurity.grsec_lock = 1

Last edited by BlueYoshi (2015-08-17 03:22:45)


#35 2015-08-17 03:41:32

Amanda
Member
Registered: 2015-07-23
Posts: 37

Re: GRSecurity, Pax and Fglrx

It's OK if it's set to 0. You need to set Pax permissions to Steam, and the first thing to do is:

setfattr -n user.pax.flags -v "PemRS" /home/YOURUSER/.local/share/Steam/ubuntu12_32/steam

Change the "YOURUSER" part to your username.

If softmode is 0 and you haven't set custom permissions to Steam then obviously it won't open hehehehehe


#36 2015-08-17 04:04:56

BlueYoshi
Member
Registered: 2015-03-14
Posts: 62

Re: GRSecurity, Pax and Fglrx

Amanda wrote:

It's OK if it's set to 0. You need to set Pax permissions to Steam, and the first thing to do is:

setfattr -n user.pax.flags -v "PemRS" /home/YOURUSER/.local/share/Steam/ubuntu12_32/steam

Change the "YOURUSER" part to your username.

If softmode is 0 and you haven't set custom permissions to Steam then obviously it won't open hehehehehe

I remember setting that permission the other day. Steam actually is running with hard, but what I'm trying to find now is where all the custom PaX permissions are stored so I can test with and without permissions.

Edit: I just tried running CS 1.6 and it appears to run perfectly. The only permission I have set is the PeMRS on 'ubuntu12_32/steam' that I had set the other day. Also again, it's still set on hard. Trying to confirm if I can get it to run now without any user flags whatsoever.

Last edited by BlueYoshi (2015-08-17 04:22:25)


#37 2015-08-17 17:50:38

Amanda
Member
Registered: 2015-07-23
Posts: 37

Re: GRSecurity, Pax and Fglrx

Please report back if you can use your Mic while in-game, with only that pax rule you mentioned.


#38 2015-08-18 02:25:10

BlueYoshi
Member
Registered: 2015-03-14
Posts: 62

Re: GRSecurity, Pax and Fglrx

Amanda wrote:

Please report back if you can use your Mic while in-game, with only that pax rule you mentioned.

I'll try and see if I can use a mic tonight, but I don't ever use one.

I just tried running Steam after starting up my computer today. It gave the typical 'unbound variable' errors, so I checked to see what the issue was. I tried running the command to delete runtimes again, however, they did not exist, so that wasn't it.

And then, even though I'm fairly certain I did not set the "PemRS" flag on /steam yesterday, it was running while on hard mode. I tried setting it just now, and steam successfully runs.

So now I'm unsure what allowed it to run yesterday, but today I'm certain it's the "PemRS" flag.


#39 2015-08-18 05:06:01

BlueYoshi
Member
Registered: 2015-03-14
Posts: 62

Re: GRSecurity, Pax and Fglrx

Okay, now Counter-Strike won't run at all without any changes having been made since I last used it.

I'm beginning to think PaX daemon is a conscious being just trying to torment me.

I'm going to uninstall, switch back to normal 'linux', and then reinstall doing trial and error from step 1.

Last edited by BlueYoshi (2015-08-18 05:10:14)


#40 2015-08-18 07:07:16

BlueYoshi
Member
Registered: 2015-03-14
Posts: 62

Re: GRSecurity, Pax and Fglrx

Just tested quite a few things.

The one thing I will note first is that "PeMRS" seems to fail every time, but "PemRS" will work to a certain point.

I uninstalled and reinstalled both linux-grsec and paxd a few times, starting from the bottom up. I also tested Steam/Counter-Strike on the normal Linux kernel on a particular server (0 issues on normal kernel, and used the same server to determine if grsec/paxd were causing a certain issue)

linux-grsec+paxd or just linux-grsec alone will allow Steam to run in soft or hard mode, however it will not allow Counter-Strike unless "PemRS" is set on '/ubuntu12_32/steam'. The issue I'm noticing is that either paxd or possibly linux-grsec is causing an issue where servers are recognizing my system as a "Fake client". I did not have to set permissions on Counter-Strike, just Steam. Some servers/games worked, some didn't. The ones that didn't used the port 27000 range, and I've read there's an issue with that around, and I don't know if grsec blocks it or something.

As for microphone, I tried earlier on in voice test in options. It worked, but there was a lot of strange noise surrounding it, and I don't know if that's normal. Was it not working for you anywhere, or just in game?

I'm guessing what needs to be done is a recursive wildcard flag for "PemRS" on all of '/home/user/.steam/*' and '/home/user/.local/share/Steam/*'. Main issue being I don't know if that's even possible.


Edit: I'm at a loss for words.. all of a sudden, it's working. All I have is linux-grsec (no paxd), I believe one single rule for "PemRS" on '/ubuntu12_32/steam'. It was not working not 20 minutes ago with the exact same scenario, I believe. All I've done since then is notice that shadow.service had failed and did a few 'systemctl reset-failed' and 'systemctl daemon-reload'. I even rebooted, and it's still working. I just have no idea what's making it work.

2nd Edit: I've rebooted yet again after installing paxd, and checked my systemd services to ensure nothing had failed. Still, Steam and Counter-Strike appear to work without any issue.

Last edited by BlueYoshi (2015-08-18 08:07:13)

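
Added example (editor's code, not posted by Amanda or BlueYoshi): a POSIX shell helper for the two open questions in this thread, setting user.pax.flags on a whole Steam tree (#29, #40) and doing it the way the manual setfattr lines in #27 and #31 do, with two practitioner checks added. First, it validates the flag string: PaX marks are letter pairs (P/p PAGEEXEC, E/e EMUTRAMP, M/m MPROTECT, R/r RANDMMAP, S/s SEGMEXEC), uppercase enables and lowercase disables, so "PemRS" keeps PAGEEXEC, RANDMMAP and SEGMEXEC and only switches off MPROTECT and EMUTRAMP, which is the minimal concession for the "cannot make segment writable for relocation" error (a text relocation needs an mprotect the kernel refuses under MPROTECT), whereas "pemrs" from #31 turns every mitigation off. Second, it only marks ELF objects, found by their magic bytes, because the kernel reads user.pax.flags only when it maps an ELF executable or library; the .py, .dat and .bin entries in #31 are harmless but do nothing. It assumes a kernel built with xattr-based PaX marking (CONFIG_PAX_XATTR_PAX_FLAGS, which the Arch linux-grsec package used), the attr package for setfattr/getfattr, and a filesystem with user xattrs; the directory and flag string are arguments, the Steam paths named in the thread are only an example. On Arch, paxd is the supported way to keep such exceptions across updates, as the config comment in #27 says; this script is the raw equivalent for testing.

```shell
#!/bin/sh
# Added example, not from the thread. Mark every ELF object under a directory
# with a PaX flag string via the user.pax.flags xattr, as the setfattr lines
# in the posts above do for single files.
# Assumes: CONFIG_PAX_XATTR_PAX_FLAGS kernel, setfattr/getfattr installed,
# user xattrs supported on the filesystem.

# Valid letters: P/p PAGEEXEC, E/e EMUTRAMP, M/m MPROTECT, R/r RANDMMAP,
# S/s SEGMEXEC. Uppercase enables, lowercase disables. Reject unknown letters
# and strings that both enable and disable the same mitigation.
pax_flags_valid() {
    flags=$1
    [ -n "$flags" ] || return 1
    case $flags in
        *[!PpEeMmRrSs]*) return 1 ;;
    esac
    for pair in Pp Ee Mm Rr Ss; do
        up=${pair%?}
        low=${pair#?}
        case $flags in
            *"$up"*"$low"*|*"$low"*"$up"*) return 1 ;;
        esac
    done
    return 0
}

# True when the first four bytes are the ELF magic 7f 45 4c 46 ("\177ELF").
# Only ELF executables and shared objects are affected by PaX flags.
is_elf() {
    [ -f "$1" ] || return 1
    magic=$(dd if="$1" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "7f454c46" ]
}

# Print every ELF file below DIR, one path per line (paths with newlines
# are not handled; Steam's tree has none).
list_elf() {
    find "$1" -type f | while IFS= read -r f; do
        is_elf "$f" && printf '%s\n' "$f"
    done
}

# pax_flag_tree DIR FLAGS [apply]
# Dry run by default: prints what it would mark. With "apply" it calls
# setfattr and reads the mark back with getfattr so a silent failure
# (unsupported xattrs, read-only mount) shows up immediately.
pax_flag_tree() {
    dir=$1
    flags=$2
    mode=${3:-dry-run}
    if ! pax_flags_valid "$flags"; then
        echo "bad PaX flag string: $flags" >&2
        return 2
    fi
    list_elf "$dir" | while IFS= read -r f; do
        if [ "$mode" = apply ]; then
            setfattr -n user.pax.flags -v "$flags" "$f" &&
                printf '%s %s\n' "$(getfattr --only-values -n user.pax.flags "$f")" "$f"
        else
            printf 'would set %s on %s\n' "$flags" "$f"
        fi
    done
}

# Usage, with the paths from this thread (run as the Steam user, after the
# runtime update has been downloaded):
#   pax_flag_tree ~/.local/share/Steam/ubuntu12_32 PemRS          # dry run
#   pax_flag_tree ~/.local/share/Steam/ubuntu12_32 PemRS apply
```

Prefer the narrowest flag string that makes the binary load (here that is lowercase m, MPROTECT off) over disabling everything, and re-run the script after a Steam client update, since the updater replaces ubuntu12_32/steam and the new inode carries no xattr, which is the most likely reason the flags "disappeared" in #26 and #38.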
