FS#42347 - [linux-grsec] 3.15.8 and newer breaks polkitd

Attached to Project: Community Packages
Opened by Rick Deckard (Divinorum) - Sunday, 12 October 2014, 22:15 GMT
Last edited by Daniel Micay (thestinger) - Monday, 13 October 2014, 11:51 GMT
Task Type: Bug Report
Category: Packages
Status: Closed
Assigned To: Daniel Micay (thestinger)
Architecture: All
Severity: Medium
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 0
Private: No

Details

Description:

Since linux-grsec-3.15.8 (released in August) polkitd fails to start. This in turn causes network-manager to fail as well. This occurs with the recent linux-grsec-3.16.5 package as well. I am running the current 0.122-2 version of polkit.

A fix to a similar problem is described in this post (https://bbs.archlinux.org/viewtopic.php?pid=1186630#p1186630). I turned off all pax-flags for /usr/lib/polkit-1/polkitd and this does not fix my problem.

The bugtracker at Gentoo mentions solutions to the polkitd / linux-grsec issue here:
bug 455938: https://bugs.gentoo.org/show_bug.cgi?id=455938#c0
bug 472098: https://bugs.gentoo.org/show_bug.cgi?id=472098#c20

The stated workaround is to add polkitd to the group specified in CONFIG_GRKERNSEC_PROC_GID in /proc/config.gz. For me CONFIG_GRKERNSEC_PROC_GID is not listed in /proc/config.gz so I cannot perform this workaround. The only readout in dmesg regarding polkitd after upgrading linux-grsec beyond the 3.15.5 version (the last one to work for me) is this:

[code]
[ 28.224975] traps: polkitd[921] trap int3 ip:336ee05dd00 sp:3df0701c5c0 error:0
[/code]

I am unsure if this is limited to Arch Linux, as two previous comments, one in Gentoo (https://bugs.gentoo.org/show_bug.cgi?id=455938#c0) and one in Bugzilla (https://bugs.freedesktop.org/show_bug.cgi?id=56628#c3), hint at this being an Arch Linux problem. On the other hand, Gentoo users have reported this same problem, but then the stated workaround mitigates the problem.

Additional info:

* package version(s)
linux-grsec-3.15.8 and newer
polkit 0.122-2

* possible workarounds
add polkitd to the group specified in CONFIG_GRKERNSEC_PROC_GID in /proc/config.gz
turn off MPROTECT and RANDMMAP for /usr/lib/polkit-1/polkitd

Closed by Daniel Micay (thestinger)
Monday, 13 October 2014, 11:51 GMT
Reason for closing: Not a bug
Comment by Daniel Micay (thestinger) - Monday, 13 October 2014, 09:19 GMT
It works fine for me. The proc feature isn't enabled in the Arch package so that's not the issue. If you're enabling the PaX userspace features then it's expected that polkit and other software using JIT compilation will fail without exceptions. How did you try disabling MPROTECT and RANDMMAP for it? If you're using `paxd` as recommended by the wiki, it will already be handled for you.
Comment by Rick Deckard (Divinorum) - Monday, 13 October 2014, 11:42 GMT
Paxd handled the pax-flags for polkitd and solved the issue. I had been using paxctl before. Thanks for the support.
Comment by Daniel Micay (thestinger) - Monday, 13 October 2014, 11:45 GMT
Arch's linux-grsec package uses the modern extended attributes method of setting exceptions:

https://wiki.archlinux.org/index.php/PaX#PaX_exceptions
Comment by Daniel Micay (thestinger) - Monday, 13 October 2014, 11:51 GMT
paxctl uses the old ELF marking method, which is not supported.
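
To see which of the two marking methods discussed in this thread a binary actually carries, the following added example (not part of the bug report or of any Arch or PaX tooling) looks for the legacy PT_PAX_FLAGS program header and for the user.pax.flags extended attribute. The function names and the sample ELF bytes are constructed for illustration.

```python
import os
import struct

PT_PAX_FLAGS = 0x65041580      # PT_LOOS + 0x5041580: legacy ELF marking written by paxctl
XATTR_NAME = "user.pax.flags"  # extended-attribute marking
FEATURES = {"p": "PAGEEXEC", "s": "SEGMEXEC", "e": "EMUTRAMP",
            "m": "MPROTECT", "r": "RANDMMAP"}

def elf_pax_phdr(data):
    """Return p_flags of the PT_PAX_FLAGS program header, or None if absent."""
    if data[:4] != b"\x7fELF" or data[4] not in (1, 2) or data[5] not in (1, 2):
        raise ValueError("not an ELF image")
    end = "<" if data[5] == 1 else ">"
    # (e_phoff format, e_phoff offset, e_phentsize offset, p_flags offset in a phdr)
    fmt, phoff_at, entsize_at, flags_at = (("Q", 0x20, 0x36, 4) if data[4] == 2
                                           else ("I", 0x1C, 0x2A, 24))
    phoff, = struct.unpack_from(end + fmt, data, phoff_at)
    entsize, phnum = struct.unpack_from(end + "HH", data, entsize_at)
    for i in range(phnum):
        base = phoff + i * entsize
        if struct.unpack_from(end + "I", data, base)[0] == PT_PAX_FLAGS:
            return struct.unpack_from(end + "I", data, base + flags_at)[0]
    return None

def decode_xattr(value):
    """Lower-case letters disable a feature, upper-case letters enable it."""
    on = [FEATURES[c.lower()] for c in value if c.isupper() and c.lower() in FEATURES]
    off = [FEATURES[c] for c in value if c in FEATURES]
    return on, off

def sample_elf(with_pax_phdr):
    """Constructed 64-bit little-endian ELF header plus program headers (not a real binary)."""
    phdrs = [struct.pack("<IIQQQQQQ", 1, 5, 0, 0, 0, 0, 0, 0x1000)]  # PT_LOAD
    if with_pax_phdr:  # 0x8200 is a constructed p_flags value
        phdrs.append(struct.pack("<IIQQQQQQ", PT_PAX_FLAGS, 0x8200, 0, 0, 0, 0, 0, 8))
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01", 2, 62, 1,
                       0, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    return ehdr + b"".join(phdrs)

def diagnose(path):
    with open(path, "rb") as f:
        legacy = elf_pax_phdr(f.read())
    try:
        xattr = os.getxattr(path, XATTR_NAME).decode()
    except OSError:  # attribute not set, or filesystem without user xattrs
        xattr = None
    if xattr is None and legacy is not None:
        return "ELF marking only: a kernel that reads %s ignores it" % XATTR_NAME
    return "xattr exceptions: %s" % (decode_xattr(xattr)[1] if xattr else "none")
```

Calling `diagnose("/usr/lib/polkit-1/polkitd")` on a Linux system reports whether the binary has only the ELF marking or lists the features its extended attribute disables.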
