# [Solved] Having issues with google-chrome/hardened-srcs

## spidark

Hi,

Im sure there are some security experts here, that could point me or help me understand whats going on with the google-chrome binary package.

First let me try to explain my setup.

Its a Lenovo t410 Laptop with two users ,one for daily use and the other is  a guest account that's not into wheel group.

Guest account is used to play music ... browse pictures  ,etc.

Work account is for daily use and to update gentoo.

Now i'm no expert and gave Gentoo Hardened a try for educational purposes.

I have almost everything selected but....

```

CONFIG_GRKERNSEC_SYSFS_RESTRICT ( which breaks xfce4-sensors as normal user )
```

I know its a laptop, but it's setup as below.

```
Grsecurity                                                                                       

                            Configuration Method (Automatic)  --->                                                         

                            Usage Type (Server)  --->                                                                     

                            Virtualization Type (None)  --->                                                               

                            Required Priorities (Security)  --->                                                            

                            Default Special Groups  --->                                                                    

                            Customize Configuration  --->

 
```

I also have 

```
CONFIG_GRKERNSEC_SYMLINKOWN and CONFIG_GRKERNSEC_SYMLINKOWN_GID 
```

 setup

Why ?

paranoid i guess.

The only issues i have with this setup is google-chrome

Yup im lazy to compile Chromium, and use the binary version of google-chrome.

The main users id is 

```
 uid=1000(mainuser) gid=1000(mainuser) groups=1000(mainuser),10(wheel),18(audio),100(users),104(plugdev)
```

The Guest users if of course 

```
uid=1001(guest) gid=1001(guest) groups=1001(guest),18(audio),100(users)
```

I just want to be sure that google-chrome is safe.

Google chrome still launches but gives these log erros.

```
kernel] [   24.561571] grsec: denied following symlink /proc/2838/exe since symlink owner 1001 does not match target owner 0,

 by /opt/google/chrome/nacl_helper[nacl_helper:2838] uid/euid:1001/1001 gid/egid:1001/1001, parent /opt/google/chrome/chrome-sandbox[chrome-sa

ndbox:2837] uid/euid:1001/1001 gid/egid:1001/1001

 [kernel] [   24.561602] traps: nacl_helper[2838] general protection ip:2af9f438318 sp:3ad3950e4f0 error:0 in libc-2.20.so[2af9

f400000+1a1000]

 [kernel] [   24.561619] grsec: Segmentation fault occurred at            (nil) in /opt/google/chrome/nacl_helper[nacl_helper:2

838] uid/euid:1001/1001 gid/egid:1001/1001, parent /opt/google/chrome/chrome-sandbox[chrome-sandbox:2837] uid/euid:1001/1001 gid/egid:1001/100

1

 [kernel] [   24.997246] grsec: denied following symlink /proc/2857/exe since symlink owner 1001 does not match target owner 0,

 by /opt/google/chrome/chrome[Chrome_ProcessL:2857] uid/euid:1001/1001 gid/egid:1001/1001, parent /opt/google/chrome/chrome[Chrome_ProcessL:28

52] uid/euid:1001/1001 gid/egid:1001/1001
```

Thanks in advanced, and sorry if this is duplicate question of not understood question.

----------

## spidark

Solved!

I  have /opt on a separate Partition and mounted with nosuid

```

/opt             ext4        noatime,nodev,discard                     0  2

removed nosuid

```

with suid i got 

```
[kernel] [   24.561602] traps: nacl_helper[2838] general protection ip:2af9f438318 sp:3ad3950e4f0 error:0 in libc-2.20.so[2af9

f400000+1a1000]

 [kernel] [   24.561619] grsec: Segmentation fault occurred at            (nil) in /opt/google/chrome/nacl_helper[nacl_helper:2

838] uid/euid:1001/1001 gid/egid:1001/1001, parent /opt/google/chrome/chrome-sandbox[chrome-sandbox:2837] uid/euid:1001/1001 gid/egid:1001/100 
```

And crashed all the time, did not pay close attention to the error message.

And running chrome from the  command line gave more clues.

Funny chrome runs just fine on a non grsec patched kernel  :Confused:   with /opt mounted with nosuid   :Confused: 

Anyway for those interested its working.

It runs fine on grsec patched kernel with these PAX flags.

```
- PaX flags: P-S--m-x-eR- [chrome]

   PAGEEXEC is enabled

   SEGMEXEC is enabled

   MPROTECT is disabled

   RANDEXEC is disabled

   EMUTRAMP is disabled

   RANDMMAP is enabled

- PaX flags: P-S--m-x-eR- [nacl_helper]

   PAGEEXEC is enabled

   SEGMEXEC is enabled

   MPROTECT is disabled

   RANDEXEC is disabled

   EMUTRAMP is disabled

   RANDMMAP is enabled

- PaX flags: P-S--m-x-eR- [chrome-sandbox]

   PAGEEXEC is enabled

   SEGMEXEC is enabled

   MPROTECT is disabled

   RANDEXEC is disabled

   EMUTRAMP is disabled

   RANDMMAP is enabled

```

Cheers.

----------

