# hardened-sources on the desktop

## serafean

Hi,

Not sure if this belongs to "security" or "desktop", move as appropriate.

I'm trying to run hardened-sources on the desktop (KDE and Kodi). The box boots to console OK, but ntp and GUI applications are problematic.

NTP:

```
grsec: use of CAP_NET_ADMIN in chroot denied for /usr/sbin/ntpd[ntpd:952] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/ntpd[ntpd:926] uid/euid:0/0 gid/egid:0/0
```

I googled, and am a bit lost where the chroot comes from...

GUI apps:

First off, I had to disable CONFIG_GRKERNSEC_SYSFS_RESTRICT because for some reason GL apps (like kwin) need to access /sys/dev/char/226:0/device/uevent.

Now all KDE applications have logs in the kernel log:

```
grsec: denied RWX mmap of <anonymous mapping> by /usr/bin/konsole[konsole:1825] uid/euid:1002/1002 gid/egid:1002/1002, parent /usr/bin/kdeinit5[kdeinit5:1701] uid/euid:1002/1002 gid/egid:1002/1002
```

Kodi has the same:

```
denied RWX mmap of <anonymous mapping> by /usr/lib64/kodi/kodi.bin[kodi.bin:2336] uid/euid:1001/1001 gid/egid:1001/1001, parent /usr/bin/kodi[kodi:2300] uid/euid:1001/1001 gid/egid:1001/1001
```

Kodi starts and runs more or less OK (with a crazy memory leak). KDE is unusable.

Anyone able to give me any pointers for a workable "hardened" desktop?

Thanks.

----------

## enZom

What you wanna look into is paxctl. Paxctl controls grsecurity's protections.

Imo read up on paxctl first, it's disabling the protections. -> man paxctl or just type paxctl and check out the options.

```
paxctl -c /usr/bin/kodi
paxctl -C /usr/bin/kodi
paxctl -m /usr/bin/kodi
```

yada yada

----------

## ntnn

Instead of paxctl you should use paxctl-ng, which sets both PT_PAX and XATTR_PAX.

See the wiki page: https://wiki.gentoo.org/wiki/Hardened/PaX_Quickstart#paxctl-ng

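The denial lines serafean posted and the paxctl / paxctl-ng advice in the two replies above, as an added shell example that is not from any of the posters: it sifts grsec denials out of a constructed sample log, counts them per binary, and prints (without running) the paxctl-ng command that would relax MPROTECT on exactly the ELF that triggered the event, which for Kodi is kodi.bin rather than the /usr/bin/kodi parent. The function names and the sample log are my own.

```sh
#!/bin/sh
# Added example, not from the thread: turn grsec kernel-log denials into a
# per-binary review list so PaX flags are relaxed only on the ELF that actually
# triggered the event, and only after someone has looked at the count.
# Constructed sample log; the paths match the denials quoted in the thread.
SAMPLE_LOG='grsec: denied RWX mmap of <anonymous mapping> by /usr/bin/konsole[konsole:1825] uid/euid:1002/1002 gid/egid:1002/1002, parent /usr/bin/kdeinit5[kdeinit5:1701] uid/euid:1002/1002 gid/egid:1002/1002
grsec: denied RWX mmap of <anonymous mapping> by /usr/bin/konsole[konsole:1900] uid/euid:1002/1002 gid/egid:1002/1002, parent /usr/bin/kdeinit5[kdeinit5:1701] uid/euid:1002/1002 gid/egid:1002/1002
grsec: denied RWX mmap of <anonymous mapping> by /usr/lib64/kodi/kodi.bin[kodi.bin:2336] uid/euid:1001/1001 gid/egid:1001/1001, parent /usr/bin/kodi[kodi:2300] uid/euid:1001/1001 gid/egid:1001/1001
grsec: use of CAP_NET_ADMIN in chroot denied for /usr/sbin/ntpd[ntpd:952] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/ntpd[ntpd:926] uid/euid:0/0 gid/egid:0/0'

# Distinct binaries that hit an MPROTECT ("denied RWX mmap") event, with counts.
# stdin: kernel log lines.  stdout: "<count> <path>" per binary, sorted by path.
rwx_mmap_offenders() {
    grep 'denied RWX mmap' \
        | sed -n 's/.* by \([^[]*\)\[.*/\1/p' \
        | sort | uniq -c \
        | awk '{ print $1, $2 }'
}

# Binaries denied a capability inside a chroot (the ntpd case in the thread).
# stdout: "<capability> <path>" per distinct pair.
chroot_cap_denials() {
    sed -n 's/.*use of \([A-Z_]*\) in chroot denied for \([^[]*\)\[.*/\1 \2/p' \
        | sort -u
}

# Print (do not run) the paxctl-ng command that disables MPROTECT for one ELF.
# paxctl-ng -m writes both the PT_PAX header and the XATTR_PAX attribute, which
# is why paxctl-ng is preferred over plain paxctl; -v shows the resulting flags.
suggest_mprotect_relax() {
    printf 'paxctl-ng -m %s && paxctl-ng -v %s\n' "$1" "$1"
}

report() {
    printf '%s\n' "$SAMPLE_LOG" | rwx_mmap_offenders | while read -r count path; do
        printf '%s hits: %s -> ' "$count" "$path"
        suggest_mprotect_relax "$path"
    done
    printf '%s\n' "$SAMPLE_LOG" | chroot_cap_denials
}

report
```

On a real box, feed `dmesg` or the kernel log file into the functions instead of the sample string; the chroot capability denial is a different control (chroot capability restriction, not PaX) and is listed separately because paxctl-ng will not address it.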
----------

## enZom

*ntnn wrote:*

> Instead of paxctl you should use paxctl-ng, which is setting both PT_PAX and XATTR_PAX.
> 
> See the wiki page: https://wiki.gentoo.org/wiki/Hardened/PaX_Quickstart#paxctl-ng

thx for the linkage, I didn't realize there was any info around for this.

----------

