# Gdk-WARNING **: shmat failed on 3.1.1-hardened at firefox

## miroR

This is what my firefox-bin (it is -bin, it's linked to -bin) gives me at start:

```
$ firefox

(firefox:9480): Gdk-WARNING **: shmat failed: error 13 (Permission denied)

```

Google gave me nothing a short while ago for this search, literal input, with quotes:

```
site:gentoo.org  "Gdk-WARNING" shmat permission
```

The error is followed by very poor functioning of the firefox-bin program that has no history to show whatsoever, no bookmarks, addons not functioning (such as the very useful session manager addon). 

Being on an amd64 machine and needing Flash (YouTube, Vimeo, or other), my easy choice is firefox-bin and emul-linux-x86-java IIRC.

That error I got on starting firefox-bin with newer kernels:

vmlinuz-3.0.8-hardened

vmlinuz-3.1.1-hardened-r1

Reverting to the older kernel:

2.6.39-hardened-r8

that error does not appear. Firefox is back, reliable, all sessions there, history, bookmarks, you name it.

The error remained after I reverted to firefox-7 from firefox-8.0, which was the first thing I suspected (wrongly).

As a common user, I understand to a limited extent what kind of error it is. The best read I found is here:

http://sourceforge.net/mailarchive/forum.php?thread_name=1085919883.3471.14.camel%40linux.littlegreen&forum_name=inkscape-devel

It is probably not grsecurity (no SELinux, thanks a bunch! Never!) related. Or PaX?

https://grsecurity.net/pipermail/grsecurity/2005-July/000501.html

It seems to be also kernel related, doesn't it?

I suppose this issue is probably not strictly gentoo related, but I don't know to what extent it still might be so.

I'll be back to see if others have this issue.

----------

## miroR

Oh, yes! I remember now!

It must be hardened Gentoo related!

Because with the 3 kernels I wasn't able to even start my tor-browser!

Actually, I wasn't even able to mount as a regular user the /dev/sdf2 partition on my USB stick where Tor is untarred into! Never mind that I stuck:

```
/dev/sdf2               /mnt/sdf2       ext4            rw,user,exec,suid,noauto        0 0
```

in /etc/fstab!

Sorry I didn't take down the messages literally like I did for firefox in the previous post!

But it did complain something about not having permissions.

I mean, I am actually now browsing both with the firefox-bin regular Portage install and the standalone 64-bit tor-browser with the 2.6.39-hardened kernel!

So it's the 3 hardened Gentoo kernels issue!

----------

## miroR

Same tough luck with 3.1.3-hardened!

A very similar issue is being worked on by the creator of grsecurity, see link below.

At least I think it's the solution to my issue soon coming my way as well!

Take a gander:

http://forums.grsecurity.net/viewtopic.php?f=3&t=2910

----------

## miroR

I think I have found the solution.

The line (the latest one, I mean; there were many and they were only waiting for me to study the docs and kernel help, and figure them out) from /var/log/kern.log:

```
Dec  7 19:15:14 at8-g250-c kernel: [ 3446.419838] grsec: (default:D:/) denied untrusted exec of /home/miro/.mozilla/firefox/uoryy6fd.default/places.sqlite-shm by /opt/firefox/firefox[firefox:5401] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:5203] uid/euid:1000/1000 gid/egid:1000/1000
```

or this one (many as well, I offer for your gander-taking just the latest before quitting firefox and giving another go at grsecurity forums and the wikibook) from /var/log/grsec.log:

```
... sparing you, I checked it, it's literally exactly same line...
```

That was before quitting firefox and browsing with Opera... But neither can Opera install any addons; never mind, I think I've got the solution now...

Here, after reading this:

http://forums.grsecurity.net/viewtopic.php?f=3&t=2468&p=10137&hilit=denied+untrusted+exec&sid=55f349daab07f9043789e848f9a75c1d#p10137

I started figuring out what really was the case (I might still be wrong but I am betting I figured it out).

Here are the sole changes that I made. I'll give you just the diff between the kernel (I settled for the latest hardened stable):

```
3.0.4-hardened-r5-111206_2000
```

(that is just my local version at the end, the approximate time, which you would get if you issued the following)

```
# date +%y%m%d_%H%M
```

and the new one that has just compiled and installed in /boot:

```
3.0.4-hardened-r5-111208_0000
```

So, as I said, just the diff.

```
# diff /boot/config-3.0.4-hardened-r5-111206_2000 /boot/config-3.0.4-hardened-r5-111208_0000

64c64

< CONFIG_LOCALVERSION="-111206_2000"

---

> CONFIG_LOCALVERSION="-111208_0000"

2983,2984c2983,2984

< # CONFIG_GRKERNSEC_TPE_INVERT is not set

< CONFIG_GRKERNSEC_TPE_GID=100

---

> CONFIG_GRKERNSEC_TPE_INVERT=y

> CONFIG_GRKERNSEC_TPE_GID=1000

# 
```
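Review bot: the second hunk flips two settings together, and flipping CONFIG_GRKERNSEC_TPE_INVERT changes what CONFIG_GRKERNSEC_TPE_GID means: with INVERT unset the GID names the group that is restricted, with INVERT=y it names the group that is exempt, so GID=1000 only helps an account that is actually a member of gid 1000 (check with `id -G`). It is worth stating alongside the diff that CONFIG_GRKERNSEC_TPE_ALL is left at y, so the weaker restriction for every non-root user (executables only from directories owned by the user or by root, and not group- or world-writable) still applies after this change.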

In other words, TPE_INVERT means the group 1000 (which I belong to when I log in as a regular user; they may have changed the standard group number in the meantime, but I still have things from my year 2006 Gentoo CD! It's only with Gentoo you can have it marvelous like that! Never one single reinstall in all these years. But I was saying, the default 100 was wrong for me.)

And as I was saying, TPE_INVERT, trusted path execution inversion, means the restriction will be *disabled* for that group.

Truly, my sole kernel that didn't have an issue with places.sqlite-shm file in ~/.mozilla/firefox/[salt-number].default dir was the only one that had no TPE enabled at all. It's not a question of kernel version, but of TPE.

Here:

```
at8-g250-c MyVideos # grep -r TPE /boot/config*
/boot/config:CONFIG_GRKERNSEC_TPE=y
/boot/config:CONFIG_GRKERNSEC_TPE_ALL=y
/boot/config:CONFIG_GRKERNSEC_TPE_INVERT=y
/boot/config:CONFIG_GRKERNSEC_TPE_GID=1000
/boot/config-2.6.39-hardened-r8-110824_1900:# CONFIG_GRKERNSEC_TPE is not set
/boot/config-2.6.39-hardened-r8-111017_0000:# CONFIG_GRKERNSEC_TPE is not set
/boot/config-3.0.4-hardened-r5-111206_2000:CONFIG_GRKERNSEC_TPE=y
/boot/config-3.0.4-hardened-r5-111206_2000:CONFIG_GRKERNSEC_TPE_ALL=y
/boot/config-3.0.4-hardened-r5-111206_2000:# CONFIG_GRKERNSEC_TPE_INVERT is not set
/boot/config-3.0.4-hardened-r5-111206_2000:CONFIG_GRKERNSEC_TPE_GID=100
/boot/config-3.0.4-hardened-r5-111208_0000:CONFIG_GRKERNSEC_TPE=y
/boot/config-3.0.4-hardened-r5-111208_0000:CONFIG_GRKERNSEC_TPE_ALL=y
/boot/config-3.0.4-hardened-r5-111208_0000:CONFIG_GRKERNSEC_TPE_INVERT=y
/boot/config-3.0.4-hardened-r5-111208_0000:CONFIG_GRKERNSEC_TPE_GID=1000
...[snip]...
```

I spare you some two dozen lines here; that's how slow I was to figure this out, that many kernels slow! Help!

```
...[snip]...
/boot/config-3.1.4-hardened-111205_1900_no_rbac:CONFIG_GRKERNSEC_TPE_ALL=y
/boot/config-3.1.4-hardened-111205_1900_no_rbac:# CONFIG_GRKERNSEC_TPE_INVERT is not set
/boot/config-3.1.4-hardened-111205_1900_no_rbac:CONFIG_GRKERNSEC_TPE_GID=100
/boot/config.old:CONFIG_GRKERNSEC_TPE=y
/boot/config.old:CONFIG_GRKERNSEC_TPE_ALL=y
/boot/config.old:# CONFIG_GRKERNSEC_TPE_INVERT is not set
/boot/config.old:CONFIG_GRKERNSEC_TPE_GID=100
#
```

I go and set the system for reboot now.

Again, I only bet. I don't know. I only got left to pray to God that I got it right.

----------
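Added example, my own code and not code from the thread or from grsecurity: a small Python model of how grsecurity's Trusted Path Execution decides a denial like the one in the post above. It parses the kern.log line and the CONFIG_GRKERNSEC_TPE* lines exactly as the post prints them, then applies the rules from the Kconfig help text: TPE_GID names the restricted group, or with TPE_INVERT the exempt one, and TPE_ALL adds a weaker check for every non-root user. The order of the checks is modelled on gr_tpe_allow() as I understand it (an assumption); RBAC roles and the tpe_* sysctls are left out. The subject with supplementary group 100 is constructed: the thread does not say which groups the poster's account is in.

```python
"""Added example, not the thread's own code: parse grsecurity's 'denied untrusted
exec' audit lines and model the Trusted Path Execution (TPE) decision behind them.
Rules follow the Kconfig help for CONFIG_GRKERNSEC_TPE/_ALL/_INVERT/_GID; the
check order mirrors gr_tpe_allow() as I understand it (assumption). RBAC roles
and the tpe_* sysctls are not modelled."""
import re
import stat
from dataclasses import dataclass

# The kern.log line from the thread, re-joined (the post wraps it).
KERN_LOG_LINE = (
    "Dec  7 19:15:14 at8-g250-c kernel: [ 3446.419838] grsec: (default:D:/) denied "
    "untrusted exec of /home/miro/.mozilla/firefox/uoryy6fd.default/places.sqlite-shm "
    "by /opt/firefox/firefox[firefox:5401] uid/euid:1000/1000 gid/egid:1000/1000, "
    "parent /bin/bash[bash:5203] uid/euid:1000/1000 gid/egid:1000/1000"
)
# TPE settings of the two kernels, as printed by the thread's grep over /boot/config*.
CONFIG_BEFORE = """\
/boot/config-3.0.4-hardened-r5-111206_2000:CONFIG_GRKERNSEC_TPE=y
/boot/config-3.0.4-hardened-r5-111206_2000:CONFIG_GRKERNSEC_TPE_ALL=y
/boot/config-3.0.4-hardened-r5-111206_2000:# CONFIG_GRKERNSEC_TPE_INVERT is not set
/boot/config-3.0.4-hardened-r5-111206_2000:CONFIG_GRKERNSEC_TPE_GID=100
"""
CONFIG_AFTER = """\
/boot/config-3.0.4-hardened-r5-111208_0000:CONFIG_GRKERNSEC_TPE=y
/boot/config-3.0.4-hardened-r5-111208_0000:CONFIG_GRKERNSEC_TPE_ALL=y
/boot/config-3.0.4-hardened-r5-111208_0000:CONFIG_GRKERNSEC_TPE_INVERT=y
/boot/config-3.0.4-hardened-r5-111208_0000:CONFIG_GRKERNSEC_TPE_GID=1000
"""
_DENIAL_RE = re.compile(
    r"grsec: \((?P<role>[^)]*)\) denied untrusted exec of (?P<target>\S+) "
    r"by (?P<exe>\S+?)\s*\[(?P<comm>[^:\]]+):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+) gid/egid:(?P<gid>\d+)/(?P<egid>\d+)")
_CFG_RE = re.compile(
    r"(?:^|:)(?:# )?(CONFIG_GRKERNSEC_TPE(?:_ALL|_INVERT|_GID)?)(?:=(\S+)| is not set)")

def parse_tpe_denial(line):
    """Fields of a TPE denial line as a dict (ints for pid/uid/gid), else None."""
    m = _DENIAL_RE.search(" ".join(line.split()))
    if not m:
        return None
    rec = m.groupdict()
    for key in ("pid", "uid", "euid", "gid", "egid"):
        rec[key] = int(rec[key])
    return rec

@dataclass
class TpeConfig:
    enabled: bool = False   # CONFIG_GRKERNSEC_TPE
    tpe_all: bool = False   # CONFIG_GRKERNSEC_TPE_ALL
    invert: bool = False    # CONFIG_GRKERNSEC_TPE_INVERT
    gid: int = 100          # CONFIG_GRKERNSEC_TPE_GID

_FLAGS = {"CONFIG_GRKERNSEC_TPE": "enabled", "CONFIG_GRKERNSEC_TPE_ALL": "tpe_all",
          "CONFIG_GRKERNSEC_TPE_INVERT": "invert"}

def parse_kernel_config(text):
    """Pick the TPE knobs out of .config lines; grep's 'file:' prefix is tolerated."""
    cfg = TpeConfig()
    for m in filter(None, map(_CFG_RE.search, text.splitlines())):
        key, val = m.group(1), m.group(2)   # val is None for "... is not set"
        if key == "CONFIG_GRKERNSEC_TPE_GID":
            cfg.gid = int(val) if val is not None else cfg.gid
        else:
            setattr(cfg, _FLAGS[key], val == "y")
    return cfg

def _writable_by_others(mode):
    if mode & stat.S_IWOTH:
        return "file in world-writable directory"
    if mode & stat.S_IWGRP:
        return "file in group-writable directory"
    return None

def tpe_allows(cfg, uid, groups, dir_uid, dir_mode):
    """May `uid` (member of `groups`) exec or map PROT_EXEC a file whose parent
    directory is owned by `dir_uid` with permission bits `dir_mode`? Returns
    (allowed, reason). TPE judges the directory, not the file, which is why a
    SQLite -shm file mapped by firefox shows up in the denial."""
    if uid == 0:
        return True, "root is never restricted"
    if cfg.enabled:
        # INVERT decides whether TPE_GID names the restricted or the exempt group.
        if cfg.invert:
            restricted, why = cfg.gid not in groups, "not in trusted group %d" % cfg.gid
        else:
            restricted, why = cfg.gid in groups, "in untrusted group %d" % cfg.gid
        if restricted:
            if dir_uid != 0:
                return False, why + " and file in non-root-owned directory"
            bad = _writable_by_others(dir_mode)
            if bad:
                return False, why + " and " + bad
        if cfg.tpe_all:
            # Weaker rule for every non-root user, the exempt group included.
            if dir_uid not in (0, uid):
                return False, "directory not owned by user"
            bad = _writable_by_others(dir_mode)
            if bad:
                return False, bad
    return True, "trusted path"
```

Running the two configurations against a user in gids {1000, 100} and a profile directory owned by that user: the 111206_2000 configuration denies (group 100 is the restricted group and the directory is not root-owned), the 111208_0000 one allows it. Because TPE_ALL stays enabled, the same user is still refused for a file in a root-owned but world-writable directory such as /tmp, which is the part of the picture the later "scripts execute in the current directory" remark does not cover.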

## miroR

Yes, I was right!

Works now.

And I wish two things now.

To thank, after God, also the smart Gentoo people who make the nuts and bolts of this great Gentoo Gnu Linux work!

And to kindly ask you: let go of SELinux as default in the hardened kernel. Set grsecurity/PaX as default!

I don't ask that for myself. I disable it first thing when I lay my hands on a new hardened kernel.

But for the newbies! They'll only have a harder time than necessary for as long as SELinux keeps being touted around...

----------

## miroR

The current title of this topic: "Gdk-WARNING **: shmat failed on 3.1.1-hardened at firefox" is misleading.

I mean, I still get the error, pasting:

```
(plugin-container:5361): Gdk-WARNING **: shmat failed: error 13 (Permission denied)
```

upon issuing

```
# firefox
```

But everything works there.

No permission denied for tor-browser either.

And also simple scripts execute in the current directory (they wouldn't wherever TPE was enabled, unless TPE_INVERT was as well).

----------

