After upgrade from hardened-sources-3.7.0 (tried 3.7.5-r1 and 3.8.3) skype doesn't work anymore (endlessly trying to connect). Switching off all GrSec/PaX fixes this issue. I'll try to bisect kernel options to find which one breaks skype.
please try on 3.8.x if possible, because even if we can determine the cause on 3.7, we'd only fix 3.8 (and 3.2 if it's affected as well).
I'm now on 3.8.3 with latest grsec (201303191956) and skype doesn't work.
Created attachment 342734
working 3.7.8 config

It works for me, what are your paxmarks?
Created attachment 342736
.config 3.8.3 broken skype

Here is my .config with broken skype.
(In reply to comment #3)
> It works for me, what are your paxmarks?

Default:

# paxctl -v /opt/bin/skype
PaX control v0.7
Copyright 2004,2005,2006,2007,2009,2010,2011,2012 PaX Team <pageexec@freemail.hu>

- PaX flags: -----m-x-e-- [/opt/bin/skype]
        MPROTECT is disabled
        RANDEXEC is disabled
        EMUTRAMP is disabled

I've tried paxctl -pemrxs, it won't change anything.
does skype even work with paxctl marks? i thought its self-checking mechanism would detect such a change as well. in any case, can you verify that mprotect is really off in /proc/pid/status? also try to reinstall skype and disable mprotect via the xattr flags instead (enable CONFIG_PAX_XATTR_PAX_FLAGS in the kernel config): setfattr -n user.pax.flags -v "me" /opt/bin/skype (or wherever the main binary is).
(In reply to comment #6)
> does skype even work with paxctl marks? i thought its self-checking
> mechanism would detect such a change as well. in any case, can you verify

This happened to work this way some time ago, but for many months this hasn't been the case anymore - skype works ok with paxctl (if I remember correctly it just needs paxctl -C, not -c).

> that mprotect is really off in /proc/pid/status? also try to reinstall skype
> and disable mprotect via the xattr flags instead (enable
> CONFIG_PAX_XATTR_PAX_FLAGS in the kernel config): setfattr -n user.pax.flags
> -v "me" /opt/bin/skype (or wherever the main binary is).

It looks like switching off PaX in kernel won't fix this issue, but switching off part of GrSecurity fixed it. I'm continuing to bisect kernel options.
I've found the option which breaks skype, and you won't believe which one it is!! It's CONFIG_GRKERNSEC_PROC_USER! WTF?!?!?! Matthew's config works because he uses

# CONFIG_GRKERNSEC_PROC_USER is not set
CONFIG_GRKERNSEC_PROC_USERGROUP=y
CONFIG_GRKERNSEC_PROC_GID=1000

and I suppose his user account has GID=1000 so skype has access to all user's processes too. First question: why the hell does skype wanna see other user's processes at all? Second question: why doesn't CONFIG_GRKERNSEC_PROC_USER break skype in 3.7.0?
remove all pax flags (I forced it to install without the pax_kernel use flag). Then 'paxctl-ng -m /opt/bin/skype' that sucker (paxctl-ng is in the sys-apps/elfix package).
(In reply to comment #9)
> remove all pax flags (I forced it to install without the pax_kernel use
> flag). Then 'paxctl-ng -m /opt/bin/skype' that sucker (paxctl-ng is in the
> sys-apps/elfix package).

This issue has nothing to do with PaX or where paxmarking is done (file/xattr). Just enable CONFIG_GRKERNSEC_PROC_USER on your system and you'll see it.
can you try to strace -f skype to see what it's trying to do in /proc? maybe if paxctl works now they also removed other anti-debugging features and strace will help.
(In reply to comment #11)
> can you try to strace -f skype to see what it's trying to do in /proc? maybe
> if paxctl works now they also removed other anti-debugging features and
> strace will help.

At a glance, the main difference between the strace of skype with/without GRKERNSEC_PROC_USER is a failed access to /proc/net/route. But wasn't /proc/net/route hidden in 3.7.0 (where skype works)?
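One way to do the with/without comparison described in the comment above, as an added example that is not part of the original thread: it extracts failed calls on /proc paths from two `strace -f` logs and reports those that fail only in the broken run. The sample trace lines, the errno values in them, and the function names are constructed for illustration.

```python
import re

# Matches one completed strace call whose arguments contain a quoted path, e.g.
#   [pid  3246] open("/proc/net/route", O_RDONLY) = -1 EACCES (Permission denied)
# Calls split by strace into "<unfinished ...>" / "resumed" halves are skipped.
CALL = re.compile(
    r'(?P<sys>open|openat|access|stat|stat64|readlink)\('
    r'[^"]*"(?P<path>[^"]*)"'
    r'.*\)\s+=\s+(?P<ret>-?\d+)(?:\s+(?P<errno>E[A-Z]+))?'
)

def failed_proc_paths(trace):
    """Return {path: errno} for every failed call on a /proc path."""
    failures = {}
    for line in trace.splitlines():
        m = CALL.search(line)
        if m and m["path"].startswith("/proc/") and int(m["ret"]) < 0:
            failures[m["path"]] = m["errno"]
    return failures

def normalise(path):
    """Collapse per-process directories so PIDs from two runs compare equal."""
    return re.sub(r"^/proc/\d+/", "/proc/<pid>/", path)

def new_failures(working, broken):
    """Failures seen only in the broken trace (candidate causes)."""
    baseline = {normalise(p) for p in failed_proc_paths(working)}
    return {normalise(p): e for p, e in failed_proc_paths(broken).items()
            if normalise(p) not in baseline}

# Constructed sample traces (not captured from the reporter's system).
WORKING = '''
[pid  3246] open("/proc/net/route", O_RDONLY) = 7
[pid  3246] open("/proc/3246/cmdline", O_RDONLY) = 8
[pid  3246] access("/proc/asound/version", R_OK) = -1 ENOENT (No such file or directory)
'''
BROKEN = '''
[pid  4110] open("/proc/net/route", O_RDONLY) = -1 EACCES (Permission denied)
[pid  4110] open("/proc/4110/cmdline", O_RDONLY) = 8
[pid  4110] access("/proc/asound/version", R_OK) = -1 ENOENT (No such file or directory)
'''

if __name__ == "__main__":
    for path, errno in new_failures(WORKING, BROKEN).items():
        print(f"{errno}\t{path}")
```

Failures that appear in both runs (the constructed /proc/asound/version line here) are filtered out, which leaves only the accesses that the changed kernel option affects.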
(In reply to comment #12)
> But isn't /proc/net/route was hidden in 3.7.0 (where skype works)?

Hmm. I've just booted 3.7.0 and skype doesn't work here either. Probably the previous version where skype worked was 3.5.4-r1, not 3.7.0 (I didn't update the system for about 2-3 months and don't remember which kernel version was actually booted at that time).
That's sad, I can't find a configuration where skype works with GRKERNSEC_PROC_USER. I've tried to boot 3.5.4-hardened-r1, downgrade skype to 4.0.0.8-r1, downgrade emul-linux-x86-* to 20121202 - nothing helps. But a few days ago, before I updated my system, I had a working skype with GRKERNSEC_PROC_USER.
what's in dmesg?
(In reply to comment #15)
> what's in dmesg?

There are some alerts, but they are the same both when skype is able to read /proc/net/route and works ok and when it can't read that file and doesn't work. So, I don't think these alerts are important.

2013-03-22_02:19:04.91758 kern.alert: grsec: denied resource overstep by requesting 30 for RLIMIT_NICE against limit 0 for /opt/bin/skype[skype:3246] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:2456] uid/euid:1000/1000 gid/egid:1000/1000
2013-03-22_02:19:04.91760 kern.alert: grsec: denied resource overstep by requesting 39 for RLIMIT_NICE against limit 0 for /opt/bin/skype[skype:3248] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:2456] uid/euid:1000/1000 gid/egid:1000/1000
2013-03-22_02:19:08.26356 kern.alert: grsec: denied resource overstep by requesting 15 for RLIMIT_RTPRIO against limit 0 for /opt/bin/skype[skype:3250] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:2456] uid/euid:1000/1000 gid/egid:1000/1000
2013-03-22_02:19:08.26358 kern.alert: grsec: denied resource overstep by requesting 15 for RLIMIT_RTPRIO against limit 0 for /opt/bin/skype[skype:3250] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:2456] uid/euid:1000/1000 gid/egid:1000/1000
2013-03-22_02:19:08.84557 kern.alert: grsec: denied resource overstep by requesting 30 for RLIMIT_RTPRIO against limit 0 for /opt/bin/skype[skype:3495] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:2456] uid/euid:1000/1000 gid/egid:1000/1000
2013-03-22_02:19:09.07259 kern.alert: grsec: denied resource overstep by requesting 30 for RLIMIT_RTPRIO against limit 0 for /opt/bin/skype[skype:3495] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:2456] uid/euid:1000/1000 gid/egid:1000/1000
2013-03-22_02:19:09.27558 kern.alert: grsec: denied resource overstep by requesting 30 for RLIMIT_RTPRIO against limit 0 for /opt/bin/skype[skype:3495] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:2456] uid/euid:1000/1000 gid/egid:1000/1000
2013-03-22_02:19:09.27560 kern.alert: grsec: denied resource overstep by requesting 30 for RLIMIT_RTPRIO against limit 0 for /opt/bin/skype[skype:3495] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:2456] uid/euid:1000/1000 gid/egid:1000/1000
2013-03-22_02:19:09.50258 kern.alert: grsec: denied resource overstep by requesting 30 for RLIMIT_RTPRIO against limit 0 for /opt/bin/skype[skype:3495] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:2456] uid/euid:1000/1000 gid/egid:1000/1000
2013-03-22_02:19:09.50259 kern.alert: grsec: denied resource overstep by requesting 30 for RLIMIT_RTPRIO against limit 0 for /opt/bin/skype[skype:3495] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:2456] uid/euid:1000/1000 gid/egid:1000/1000
2013-03-22_02:19:09.70557 kern.alert: grsec: denied resource overstep by requesting 30 for RLIMIT_RTPRIO against limit 0 for /opt/bin/skype[skype:3495] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:2456] uid/euid:1000/1000 gid/egid:1000/1000
2013-03-22_02:19:09.70559 kern.alert: grsec: denied resource overstep by requesting 30 for RLIMIT_RTPRIO against limit 0 for /opt/bin/skype[skype:3495] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:2456] uid/euid:1000/1000 gid/egid:1000/1000
2013-03-22_02:19:09.70560 kern.alert: grsec: denied resource overstep by requesting 30 for RLIMIT_RTPRIO against limit 0 for /opt/bin/skype[skype:3495] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:2456] uid/euid:1000/1000 gid/egid:1000/1000
2013-03-22_02:19:09.70560 kern.alert: grsec: denied resource overstep by requesting 30 for RLIMIT_RTPRIO against limit 0 for /opt/bin/skype[skype:3495] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:2456] uid/euid:1000/1000 gid/egid:1000/1000
2013-03-22_02:19:09.93557 kern.alert: grsec: denied resource overstep by requesting 30 for RLIMIT_RTPRIO against limit 0 for /opt/bin/skype[skype:3495] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:2456] uid/euid:1000/1000 gid/egid:1000/1000
2013-03-22_02:19:09.93559 kern.alert: grsec: denied resource overstep by requesting 30 for RLIMIT_RTPRIO against limit 0 for /opt/bin/skype[skype:3495] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:2456] uid/euid:1000/1000 gid/egid:1000/1000
2013-03-22_02:19:09.93560 kern.alert: grsec: denied resource overstep by requesting 30 for RLIMIT_RTPRIO against limit 0 for /opt/bin/skype[skype:3495] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:2456] uid/euid:1000/1000 gid/egid:1000/1000
2013-03-22_02:19:09.93561 kern.alert: grsec: more alerts, logging disabled for 10 seconds
I believe this bug can be closed as it's for an older version. Additionally, Skype versions before 4.3 can no longer connect. (I received the email about this in Dutch, please let me know if you want a copy)