Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#44568 - [linux-grsec] grsec: denied exec of usermode helper binary ... located outside of /sbin
Attached to Project:
Community Packages
Opened by nixscripter (nixscripter) - Monday, 13 April 2015, 04:43 GMT
Last edited by Daniel Micay (thestinger) - Wednesday, 15 April 2015, 14:42 GMT
Details

Description:

The exact instance of the issue I have encountered is caused by a package that is not officially supported. However, I feel the need to open something because it is caused by an Arch-specific FHS decision, and I see it as just a matter of time before someone else hits this problem in the future.

One of the features of grsecurity is to require that all kernel helper binaries be in a couple of directories such as /sbin. But on Arch Linux, /sbin is a symlink to /usr/bin. This means that anything installed in /sbin with intent to follow the rules will fail the grsecurity check, because it will determine (correctly) it is actually in /usr/bin, which is not in the list.

In my case, this is particularly bad, because the binary which fails is part of the Tomoyo Mandatory Access Control System, which causes a kernel panic. I'm using linux-grsec because the Tomoyo extension was removed from the mainline some months back, but this package kept it in (thankfully). Since I'm trying to have a community supported kernel without having to recompile it myself for every upgrade, I'd really like this package to provide me with one. This is the only stumbling block I have left.

A patch has already been written to address this issue. I would request that it be considered for addition to the package: https://github.com/fishilico/shared/raw/master/archlinux-seckernel/usr-bin-usermode-helper.patch

For reference, the version of linux-grsec which displays this behavior is 3.19.3.201504021826-1.
Closed by Daniel Micay (thestinger)
Wednesday, 15 April 2015, 14:42 GMT
Reason for closing: Fixed
Additional comments about closing: 3.19.4.201504142300
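
The allowlist check the report describes, replayed over path strings to show which configured usermode helpers would be denied with and without the /usr/bin/ entry. This is an added example, not code from the ticket or from grsecurity; `helper_allowed`, `verdict`, `audit_helpers` and `/usr/bin/example-helper` are hypothetical names, and it assumes the check sees the configured path string exactly as in the hunk at the end of this page.

```shell
# Added example: replays the helper-path allowlist from the hunk on this page.
# Assumption: the check sees the path string as configured (plain string
# matching as in the hunk, no symlink resolution).
# helper_allowed PATH [patched|unpatched] -> 0 if allowed, 1 if denied.
# "unpatched" omits /usr/bin/, which the report says was not in the list.
helper_allowed() {
    _path=$1
    _mode=${2:-patched}
    case $_path in
        *..*) return 1 ;;                       # strstr(path, "..")
    esac
    case $_path in
        /sbin/*|/usr/lib/*|/lib/*|/lib64/*|/usr/libexec/*) return 0 ;;
        /usr/share/apport/apport) return 0 ;;   # exact match (strcmp)
        /usr/bin/*) [ "$_mode" = patched ] && return 0 ;;
    esac
    return 1
}

# verdict PATH MODE -> prints "allowed" or "DENIED"
verdict() {
    if helper_allowed "$1" "$2"; then echo allowed; else echo DENIED; fi
}

# audit_helpers: check the usermode helpers this kernel is configured with.
audit_helpers() {
    for f in /proc/sys/kernel/modprobe /proc/sys/kernel/hotplug \
             /proc/sys/kernel/core_pattern; do
        [ -r "$f" ] || continue
        value=$(cat "$f" 2>/dev/null) || continue
        if [ "${f##*/}" = core_pattern ]; then
            # Only a pattern starting with '|' runs a helper program.
            case $value in
                \|*) value=${value#"|"}; value=${value%% *} ;;
                *) continue ;;
            esac
        fi
        [ -n "$value" ] || continue
        printf '%s: %s unpatched=%s patched=%s\n' "$f" "$value" \
            "$(verdict "$value" unpatched)" "$(verdict "$value" patched)"
    done
}

# Constructed sample paths, then the helpers configured on this machine.
for p in /sbin/modprobe /usr/bin/example-helper /usr/bin/../tmp/x /tmp/helper; do
    printf '%-26s unpatched=%s patched=%s\n' "$p" \
        "$(verdict "$p" unpatched)" "$(verdict "$p" patched)"
done
audit_helpers
```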
+ if ((strncmp(sub_info->path, "/sbin/", 6) && strncmp(sub_info->path, "/usr/lib/", 9) &&
+ strncmp(sub_info->path, "/lib/", 5) && strncmp(sub_info->path, "/lib64/", 7) &&
+ strncmp(sub_info->path, "/usr/libexec/", 13) && strncmp(sub_info->path, "/usr/bin/", 9) &&
+ strcmp(sub_info->path, "/usr/share/apport/apport")) || strstr(sub_info->path, "..")) {
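
Review bot: the "/usr/bin/" prefix on the third line has no comment explaining why a general-purpose binary directory is on the helper allowlist. A short comment that it covers distributions where /sbin is a symlink to /usr/bin would help, since this entry admits every binary in that directory rather than a dedicated helper location. The hand-counted lengths (6, 9, 5, 7, 13, 9) do match their literals, but each new prefix is another chance for a mismatch; a small table of prefix strings with sizeof-derived lengths would make the condition easier to extend and review. Note also that strstr(sub_info->path, "..") on the last line rejects any path containing two consecutive dots, including a file name such as "a..b", which is stricter than rejecting ".." path components and is worth stating in a comment if intended.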