# Everything segfaults with grsecurity-patched kernel

## tomas_m

Hi, I'm new to Gentoo, so please forgive me if I forget some important information. Also my English isn't the best.

I installed Gentoo and everything worked fine. Then I switched to hardened Gentoo.

I selected the profile "hardened/linux/amd64/selinux", recompiled my toolchain, then the rest of the system, installed a hardened kernel and so on.

When I now boot into the grsec-kernel, applications like Firefox and even emerge segfault, even though I tried to mark them with paxctl as well as setfattr.

I can do work myself, I'd just need some pointer, thx.

Some information:

```
$ eselect profile list

...

[15]  hardened/linux/amd64/selinux *

....

```

My kernel:

```
$ eselect kernel list

[1]   linux-4.4.21-gentoo

[2]   linux-4.4.26-gentoo

[3]   linux-4.7.6-hardened *

```

The 1 and 2 work, with 3 I get the problems.

My grsecurity related settings in my config file

```
# Security options

#

#

# Grsecurity

#

CONFIG_PAX_PER_CPU_PGD=y

CONFIG_TASK_SIZE_MAX_SHIFT=42

CONFIG_PAX_USERCOPY_SLABS=y

CONFIG_GRKERNSEC=y

CONFIG_GRKERNSEC_CONFIG_AUTO=y

# CONFIG_GRKERNSEC_CONFIG_CUSTOM is not set

# CONFIG_GRKERNSEC_CONFIG_SERVER is not set

CONFIG_GRKERNSEC_CONFIG_DESKTOP=y

# CONFIG_GRKERNSEC_CONFIG_VIRT_NONE is not set

# CONFIG_GRKERNSEC_CONFIG_VIRT_GUEST is not set

CONFIG_GRKERNSEC_CONFIG_VIRT_HOST=y

CONFIG_GRKERNSEC_CONFIG_VIRT_EPT=y

# CONFIG_GRKERNSEC_CONFIG_VIRT_SOFT is not set

# CONFIG_GRKERNSEC_CONFIG_VIRT_XEN is not set

# CONFIG_GRKERNSEC_CONFIG_VIRT_VMWARE is not set

CONFIG_GRKERNSEC_CONFIG_VIRT_KVM=y

# CONFIG_GRKERNSEC_CONFIG_VIRT_VIRTUALBOX is not set

# CONFIG_GRKERNSEC_CONFIG_VIRT_HYPERV is not set

CONFIG_GRKERNSEC_CONFIG_PRIORITY_PERF=y

# CONFIG_GRKERNSEC_CONFIG_PRIORITY_SECURITY is not set

#

# Default Special Groups

#

CONFIG_GRKERNSEC_PROC_GID=10

#

# Customize Configuration

#

#

# PaX

#

CONFIG_PAX=y

#

# PaX Control

#

# CONFIG_PAX_SOFTMODE is not set

CONFIG_PAX_PT_PAX_FLAGS=y

CONFIG_PAX_XATTR_PAX_FLAGS=y

CONFIG_PAX_NO_ACL_FLAGS=y

# CONFIG_PAX_HAVE_ACL_FLAGS is not set

# CONFIG_PAX_HOOK_ACL_FLAGS is not set

#

# Non-executable pages

#

CONFIG_PAX_NOEXEC=y

CONFIG_PAX_PAGEEXEC=y

CONFIG_PAX_EMUTRAMP=y

CONFIG_PAX_MPROTECT=y

# CONFIG_PAX_MPROTECT_COMPAT is not set

# CONFIG_PAX_ELFRELOCS is not set

CONFIG_PAX_KERNEXEC=y

CONFIG_PAX_KERNEXEC_PLUGIN=y

# CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_NONE is not set

CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_BTS=y

# CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR is not set

#

# Address Space Layout Randomization

#

CONFIG_PAX_ASLR=y

CONFIG_PAX_RANDKSTACK=y

CONFIG_PAX_RANDUSTACK=y

CONFIG_PAX_RANDMMAP=y

#

# Miscellaneous hardening features

#

# CONFIG_PAX_MEMORY_SANITIZE is not set

# CONFIG_PAX_MEMORY_STACKLEAK is not set

# CONFIG_PAX_MEMORY_STRUCTLEAK is not set

# CONFIG_PAX_MEMORY_UDEREF is not set

CONFIG_PAX_REFCOUNT=y

CONFIG_PAX_CONSTIFY_PLUGIN=y

CONFIG_PAX_USERCOPY=y

# CONFIG_PAX_USERCOPY_DEBUG is not set

CONFIG_PAX_SIZE_OVERFLOW=y

CONFIG_PAX_LATENT_ENTROPY=y

CONFIG_PAX_RAP=y

#

# Memory Protections

#

CONFIG_GRKERNSEC_KMEM=y

# CONFIG_GRKERNSEC_IO is not set

CONFIG_GRKERNSEC_BPF_HARDEN=y

CONFIG_GRKERNSEC_PERF_HARDEN=y

CONFIG_GRKERNSEC_RAND_THREADSTACK=y

CONFIG_GRKERNSEC_PROC_MEMMAP=y

CONFIG_GRKERNSEC_KSTACKOVERFLOW=y

CONFIG_GRKERNSEC_BRUTE=y

CONFIG_GRKERNSEC_MODHARDEN=y

CONFIG_GRKERNSEC_HIDESYM=y

CONFIG_GRKERNSEC_RANDSTRUCT=y

CONFIG_GRKERNSEC_RANDSTRUCT_PERFORMANCE=y

CONFIG_GRKERNSEC_KERN_LOCKOUT=y

#

# Role Based Access Control Options

#

CONFIG_GRKERNSEC_NO_RBAC=y

# CONFIG_GRKERNSEC_ACL_HIDEKERN is not set

CONFIG_GRKERNSEC_ACL_MAXTRIES=3

CONFIG_GRKERNSEC_ACL_TIMEOUT=30

#

# Filesystem Protections

#

# CONFIG_GRKERNSEC_PROC is not set

CONFIG_GRKERNSEC_LINK=y

# CONFIG_GRKERNSEC_SYMLINKOWN is not set

CONFIG_GRKERNSEC_FIFO=y

# CONFIG_GRKERNSEC_SYSFS_RESTRICT is not set

# CONFIG_GRKERNSEC_ROFS is not set

CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y

CONFIG_GRKERNSEC_CHROOT=y

CONFIG_GRKERNSEC_CHROOT_MOUNT=y

CONFIG_GRKERNSEC_CHROOT_DOUBLE=y

CONFIG_GRKERNSEC_CHROOT_PIVOT=y

CONFIG_GRKERNSEC_CHROOT_CHDIR=y

CONFIG_GRKERNSEC_CHROOT_CHMOD=y

CONFIG_GRKERNSEC_CHROOT_FCHDIR=y

CONFIG_GRKERNSEC_CHROOT_MKNOD=y

CONFIG_GRKERNSEC_CHROOT_SHMAT=y

CONFIG_GRKERNSEC_CHROOT_UNIX=y

CONFIG_GRKERNSEC_CHROOT_FINDTASK=y

CONFIG_GRKERNSEC_CHROOT_NICE=y

CONFIG_GRKERNSEC_CHROOT_SYSCTL=y

CONFIG_GRKERNSEC_CHROOT_RENAME=y

CONFIG_GRKERNSEC_CHROOT_CAPS=y

CONFIG_GRKERNSEC_CHROOT_INITRD=y

#

# Kernel Auditing

#

# CONFIG_GRKERNSEC_AUDIT_GROUP is not set

# CONFIG_GRKERNSEC_EXECLOG is not set

CONFIG_GRKERNSEC_RESLOG=y

# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set

# CONFIG_GRKERNSEC_AUDIT_PTRACE is not set

# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set

# CONFIG_GRKERNSEC_AUDIT_MOUNT is not set

CONFIG_GRKERNSEC_SIGNAL=y

# CONFIG_GRKERNSEC_FORKFAIL is not set

# CONFIG_GRKERNSEC_TIME is not set

CONFIG_GRKERNSEC_PROC_IPADDR=y

CONFIG_GRKERNSEC_RWXMAP_LOG=y

#

# Executable Protections

#

CONFIG_GRKERNSEC_DMESG=y

CONFIG_GRKERNSEC_HARDEN_PTRACE=y

CONFIG_GRKERNSEC_PTRACE_READEXEC=y

CONFIG_GRKERNSEC_SETXID=y

CONFIG_GRKERNSEC_HARDEN_IPC=y

CONFIG_GRKERNSEC_HARDEN_TTY=y

# CONFIG_GRKERNSEC_TPE is not set

#

# Network Protections

#

CONFIG_GRKERNSEC_BLACKHOLE=y

CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y

# CONFIG_GRKERNSEC_SOCKET is not set

#

# Physical Protections

#

# CONFIG_GRKERNSEC_DENYUSB is not set

#

# Sysctl Support

#

CONFIG_GRKERNSEC_SYSCTL=y

CONFIG_GRKERNSEC_SYSCTL_ON=y

#

# Logging Options

#

# CONFIG_GRKERNSEC_SELINUX_AVC_LOG_IPADDR is not set

CONFIG_GRKERNSEC_FLOODTIME=10

CONFIG_GRKERNSEC_FLOODBURST=6

CONFIG_KEYS=y

CONFIG_PERSISTENT_KEYRINGS=y

# CONFIG_BIG_KEYS is not set

CONFIG_ENCRYPTED_KEYS=m

# CONFIG_KEY_DH_OPERATIONS is not set

# CONFIG_SECURITY_DMESG_RESTRICT is not set

CONFIG_SECURITY=y

# CONFIG_SECURITYFS is not set

CONFIG_SECURITY_NETWORK=y

# CONFIG_SECURITY_NETWORK_XFRM is not set

# CONFIG_SECURITY_PATH is not set

# CONFIG_INTEL_TXT is not set

CONFIG_LSM_MMAP_MIN_ADDR=65536

CONFIG_SECURITY_SELINUX=y

CONFIG_SECURITY_SELINUX_BOOTPARAM=y

CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1

# CONFIG_SECURITY_SELINUX_DISABLE is not set

CONFIG_SECURITY_SELINUX_DEVELOP=y

# CONFIG_SECURITY_SELINUX_AVC_STATS is not set

CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1

# CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX is not set

# CONFIG_SECURITY_SMACK is not set

# CONFIG_SECURITY_TOMOYO is not set

# CONFIG_SECURITY_APPARMOR is not set

# CONFIG_SECURITY_LOADPIN is not set

CONFIG_INTEGRITY=y

# CONFIG_INTEGRITY_SIGNATURE is not set

CONFIG_INTEGRITY_AUDIT=y

# CONFIG_IMA is not set

# CONFIG_EVM is not set

CONFIG_DEFAULT_SECURITY_SELINUX=y

# CONFIG_DEFAULT_SECURITY_DAC is not set

CONFIG_DEFAULT_SECURITY="selinux"

CONFIG_CRYPTO=y

```

Segfault messages I find in syslog:

```
Oct 24 14:39:18 thinkpad kernel: [  176.754425] grsec: Segmentation fault occurred at            (nil) in /opt/firefox/plugin-container[Web Content:3164] uid/euid:1000/1000 gid/egid:1000/1000, parent /opt/firefox/firefox[Gecko_IOThread:3035] uid/euid:1000/1000 gid/egid:1000/1000

Oct 24 14:39:18 thinkpad kernel: [  176.754518] grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /opt/firefox/plugin-container[Web Content:3164] uid/euid:1000/1000 gid/egid:1000/1000, parent /opt/firefox/firefox[Gecko_IOThread:3035] uid/euid:1000/1000 gid/egid:1000/1000

```

Or

```
Oct 24 01:33:10 thinkpad kernel: [15197.081753] pcmanfm[3424]: segfault at 18 ip 00007f706e0281b6 sp 00007ffcbca2af70 error 4 in libfm.so.4.0.3[7f706e010000+3a000]

```

Flags:

```
 sudo paxctl -v /opt/firefox/firefox                                                                                                                                     user@thinkpad

PaX control v0.9

Copyright 2004,2005,2006,2007,2009,2010,2011,2012,2014 PaX Team <pageexec@freemail.hu>

- PaX flags: -----m-x-e-- [/opt/firefox/firefox]

   MPROTECT is disabled

   RANDEXEC is disabled

   EMUTRAMP is disabled

```

```
sudo paxctl -v /opt/firefox/plugin-container                                                                                                                            user@thinkpad

PaX control v0.9

Copyright 2004,2005,2006,2007,2009,2010,2011,2012,2014 PaX Team <pageexec@freemail.hu>

- PaX flags: -----m-x-e-- [/opt/firefox/plugin-container]

   MPROTECT is disabled

   RANDEXEC is disabled

   EMUTRAMP is disabled

```

I did some research but it looks like Firefox should run with those PaX flags?

----------

## zorry

You have both CONFIG_PAX_PT_PAX_FLAGS=y and CONFIG_PAX_XATTR_PAX_FLAGS=y set

then you need to have the same marks on the binarys.

Check with paxctl-ng -v file

I would go with only xattr markings now days set.

----------

## tomas_m

wow that was fast, thank you so much.

that totally solved it, runs just fine now.

I somehow thought those options just give me the choice between header and file attribute flags.

apart from than my gentoo experience has been great so far, so thx for help and the work on gentoo

----------

