Bug 483236 - kdeinit4 and kscreenlocker_greet denied RWX mmap prevents login
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened
Hardware: All Linux
Importance: Normal normal
Assignee: The Gentoo Linux Hardened Team
Reported: 2013-09-01 06:39 UTC by Michael Rowell
Modified: 2014-08-19 15:38 UTC
Description Michael Rowell 2013-09-01 06:39:39 UTC
Attempting to log in to KDE 4.11.0 via KDM results in Plasma Desktop Shell crashing. Solution is to 

paxctl-ng -m /usr/bin/kdeinit4 
paxctl-ng -m /usr/lib64/kde4/libexec/kscreenlocker_greet

from alternate terminal.

Thus affected packages are kde-base/kdelibs and kde-base/ksmserver.

Using hardened profile and vanilla-sources patched with grsec (among other things).

[ 1585.845934] grsec: denied RWX mmap of <anonymous mapping> by /usr/bin/kdeinit4[plasma-desktop:29391] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/kdeinit4[plasma-desktop:29389] uid/euid:1000/1000 gid/egid:1000/1000
[ 1585.845940] plasma-desktop[29391]: segfault at bbadbeef ip 000003213ad28546 sp 00000398b21cd130 error 6 in libQtScript.so.4.8.5[3213ac81000+27d000]
[ 1585.845949] grsec: Segmentation fault occurred at 00000000bbadbeef in /usr/bin/kdeinit4[plasma-desktop:29391] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/kdeinit4[plasma-desktop:29389] uid/euid:1000/1000 gid/egid:1000/1000
[ 1585.845955] grsec: bruteforce prevention initiated for the next 30 minutes or until service restarted, stalling each fork 30 seconds.  Please investigate the crash report for /usr/bin/kdeinit4[plasma-desktop:29391] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/kdeinit4[plasma-desktop:29389] uid/euid:1000/1000 gid/egid:1000/1000

[...]

[ 1755.430121] grsec: denied RWX mmap of <anonymous mapping> by /usr/lib64/kde4/libexec/kscreenlocker_greet[kscreenlocker_g:29812] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/kdeinit4[ksmserver:29260] uid/euid:1000/1000 gid/egid:1000/1000

[...] /* the above repeats several times, possibly the result of switching back and forth between VT7 and VT1 */

$ emerge --info kdelibs ksmserver                   
Portage 2.2.1 (hardened/linux/amd64, gcc-4.8.1, glibc-2.17, 3.10.10-ck1-grsec x86_64)
=================================================================
                         System Settings
=================================================================
System uname: Linux-3.10.10-ck1-grsec-x86_64-Intel-R-_Core-TM-_i5-2520M_CPU_@_2.50GHz-with-gentoo-2.2
KiB Mem:    16245824 total,  11259068 free
KiB Swap:          0 total,         0 free
Timestamp of tree: Sat, 31 Aug 2013 14:45:01 +0000
ld GNU ld (GNU Binutils) 2.23.2
ccache version 3.1.9 [enabled]
app-shells/bash:          4.2_p45
dev-java/java-config:     2.2.0
dev-lang/python:          2.7.5-r2, 3.3.2-r2
dev-util/ccache:          3.1.9
dev-util/cmake:           2.8.11.1
dev-util/pkgconfig:       0.28
sys-apps/baselayout:      2.2
sys-apps/openrc:          0.12
sys-apps/sandbox:         2.6-r1
sys-devel/autoconf:       2.13, 2.69
sys-devel/automake:       1.11.6, 1.12.6, 1.13.4, 1.14
sys-devel/binutils:       2.23.2
sys-devel/gcc:            4.8.1
sys-devel/gcc-config:     1.8
sys-devel/libtool:        2.4.2
sys-devel/make:           3.82-r4
sys-kernel/linux-headers: 3.10 (virtual/os-headers)
sys-libs/glibc:           2.17
Repositories: gentoo x-portage qt ROKO__
ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="* -@EULA @FREE Intel-SDP"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=corei7-avx -O2 -pipe -flto=4 -floop-interchange -ftree-loop-distribution -floop-strip-mine -floop-block -ftree-vectorize"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/config /usr/share/gnupg/qualified.txt /usr/share/themes/oxygen-gtk/gtk-2.0 /usr/share/themes/oxygen-gtk/gtk-3.0"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-march=corei7-avx -O2 -pipe -flto=4 -floop-interchange -ftree-loop-distribution -floop-strip-mine -floop-block -ftree-vectorize"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--jobs=4 --load-average=4.00 --keep-going"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs ccache config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://gentoo.arcticnetwork.ca/ http://gentoo.llarian.net/ ftp://gentoo.llarian.net/pub/gentoo http://gentoo.gossamerhost.com http://gentoo.mirrors.tera-byte.com/"
LANG="en_US.UTF-8"
LDFLAGS="-Wl,--as-needed,-O1 -flto=4"
MAKEOPTS="-j4 -l4"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage /var/lib/layman/qt /var/lib/layman/ROKO__"
SYNC="rsync://rsync.namerica.gentoo.org/gentoo-portage"
USE="X a52 aac acl acpi alsa amd64 avx berkdb bluetooth bzip2 cli colord consolekit cracklib crypt cups cxx dbus declarative dri dts exif ffmpeg flac gdbm gif google gstreamer hardened iconv iproute2 ipv6 jpeg jpeg2k justify kde kipi libass lightdm lzma matroska mmx modules mp3 mpeg mudflap multilib ncurses netlink networkmanager nls nptl offensive ogg openexr opengl openmp orc pam pax_kernel pcre phonon plasma png policykit pulseaudio qt3support qt4 readline semantic-desktop session sse sse2 sse3 sse4_1 sse4_2 ssl ssse3 startup-notification svg tcpd theora threads tiff truetype udev unicode urandom usb vaapi vorbis x264 xattr xcomposite xinerama xscreensaver xvid xvmc zlib" ABI_X86="64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" CAMERAS="canon directory fuji ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" GRUB_PLATFORMS="efi-64 pc" INPUT_DEVICES="evdev synaptics wacom" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console 
presenter-minimizer" LINGUAS="en en_US en_GB" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-5" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_3" RUBY_TARGETS="ruby19 ruby18" USERLAND="GNU" VIDEO_CARDS="intel i965" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
USE_PYTHON="2.7 3.3"
Unset:  CPPFLAGS, CTARGET, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

=================================================================
                        Package Settings
=================================================================

kde-base/kdelibs-4.11.0-r1 was built with the following:
USE="acl alsa bzip2 handbook jpeg2k lzma mmx nls openexr opengl policykit sse sse2 ssl udev udisks upower -3dnow (-altivec) (-aqua) -debug -doc -fam -kerberos -spell -test -zeroconf"
CFLAGS="-march=corei7-avx -O2 -pipe -fno-lto -ggdb"
CXXFLAGS="-march=corei7-avx -O2 -pipe -fno-lto -ggdb"
LDFLAGS="-Wl,--as-needed,-O1 -fno-lto"


kde-base/ksmserver-4.11.0 was built with the following:
USE="(-aqua) -debug"
CFLAGS="-march=corei7-avx -O2 -pipe -fno-lto -ggdb"
CXXFLAGS="-march=corei7-avx -O2 -pipe -fno-lto -ggdb"
LDFLAGS="-Wl,--as-needed,-O1 -fno-lto"
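
The triage behind a report like this one, as an added example that is not part of the original bug report: it extracts which on-disk executables grsec denied an RWX mmap for, and which process name was running in them. The log lines are constructed in the format quoted above, the function names are hypothetical, and show_flags assumes paxctl-ng is installed (it does nothing otherwise).

```shell
#!/bin/sh
# Added example: summarise grsec "denied RWX mmap" kernel-log lines.
LC_ALL=C; export LC_ALL

# Constructed sample in the format of the lines quoted in the report
# (timestamps and PIDs are made up).
sample_log() {
cat <<'EOF'
[  100.000001] grsec: denied RWX mmap of <anonymous mapping> by /usr/bin/kdeinit4[plasma-desktop:1001] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/kdeinit4[plasma-desktop:1000] uid/euid:1000/1000 gid/egid:1000/1000
[  100.000002] grsec: Segmentation fault occurred at 00000000bbadbeef in /usr/bin/kdeinit4[plasma-desktop:1001] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/kdeinit4[plasma-desktop:1000] uid/euid:1000/1000 gid/egid:1000/1000
[  200.000001] grsec: denied RWX mmap of <anonymous mapping> by /usr/bin/kdeinit4[plasma-desktop:1002] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/kdeinit4[plasma-desktop:1000] uid/euid:1000/1000 gid/egid:1000/1000
[  300.000001] grsec: denied RWX mmap of <anonymous mapping> by /usr/lib64/kde4/libexec/kscreenlocker_greet[kscreenlocker_g:2001] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/kdeinit4[ksmserver:900] uid/euid:1000/1000 gid/egid:1000/1000
EOF
}

# Print "count executable comm" per denied RWX mmap, most frequent first.
# The executable is the file that carries the PaX flags; comm is the process
# name, which differs when kdeinit4 hosts another program (plasma-desktop).
# Only the "denied RWX mmap" lines match; crash lines are ignored.
rwx_denials() {
    sed -n 's|^.*grsec: denied RWX mmap of .* by \(/[^[]*\)\[\([^:]*\):[0-9]*\] uid/euid.*$|\1 \2|p' |
        sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Unique executables only: the files whose PaX flags need reviewing.
# (Assumes paths without spaces, as in the report.)
rwx_executables() {
    rwx_denials | cut -d' ' -f2 | sort -u
}

# Show the current PaX flags of each listed file, if paxctl-ng is available.
show_flags() {
    command -v paxctl-ng >/dev/null 2>&1 || return 0
    while IFS= read -r exe; do
        [ -e "$exe" ] && paxctl-ng -v "$exe"
    done
    return 0
}

sample_log | rwx_denials
sample_log | rwx_executables | show_flags
```

On a live system, feed it the kernel log instead of the sample: `dmesg | rwx_denials`.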
Comment 1 Michael Rowell 2013-09-04 23:13:11 UTC
As an update, "emerge -avuDN world" updated KDE from 4.11 to 4.11.1 today. Files kdeinit4 and kscreenlocker_greet were overwritten with new versions, with the only PAX flag "e". 

Subsequently, coming out of screensaver, the KDE desktop was partly frozen, in that the mouse moved, the keyboard worked (in VT1) and music was still playing from YouTube, but no window could be selected or Alt-Tabbed to, or in any way graphically interacted with. 

On restarting xdm (and kdm by extension), KWin and the Plasma Desktop shell crashed and gave their respective error windows. Examining the grsec logs revealed the same issue as before - denied RWX mmap etc etc. Once again, paxctl-ng -m on both files solved the issue.
Comment 2 Anthony Basile gentoo-dev 2014-08-17 22:57:24 UTC
(In reply to Michael Rowell from comment #1)
> As an update, "emerge -avuDN world" updated KDE from 4.11 to 4.11.1 today.
> Files kdeinit4 and kscreenlocker_greet were overwritten with new versions,
> with the only PAX flag "e". 
> 
> Subsequently, coming out of screensaver, the KDE desktop was partly frozen,
> in that the mouse moved, the keyboard worked (in VT1) and music was still
> playing from YouTube, but no window could be selected or Alt-Tabbed to, or
> in any way graphically interacted with. 
> 
> On restarting xdm (and kdm by extension), KWin and the Plasma Desktop shell
> crashed and gave their respective error windows. Examining the grsec logs
> revealed the same issue as before - denied RWX mmap etc etc. Once again,
> paxctl-ng -m on both files solved the issue.

The fix here is pretty easy.  Here's a simple patch for kde-base/kdelibs which I'll just inline:

--- kdelibs-4.13.3-r1.ebuild.orig	2014-08-17 17:10:51.551857096 -0400
+++ kdelibs-4.13.3-r1.ebuild	2014-08-17 18:14:23.943674387 -0400
@@ -8,7 +8,7 @@
 DECLARATIVE_REQUIRED="always"
 OPENGL_REQUIRED="optional"
 KDE_HANDBOOK="optional"
-inherit kde4-base fdo-mime multilib toolchain-funcs flag-o-matic
+inherit kde4-base fdo-mime multilib toolchain-funcs flag-o-matic pax-utils
 
 EGIT_BRANCH="KDE/4.13"
 
@@ -268,6 +268,9 @@
 	echo "COLON_SEPARATED=QT_PLUGIN_PATH" > "${T}/77kde"
 	echo "QT_PLUGIN_PATH=${EPREFIX}/usr/$(get_libdir)/kde4/plugins" >> "${T}/77kde"
 	doenvd "${T}/77kde"
+
+	# Need to pax-mark kdeinit4
+	pax-mark m "${ED}"/usr/bin/kdeinit4
 }
 
 pkg_postinst() {
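
Review bot: The added comment "# Need to pax-mark kdeinit4" does not say why the mark is needed or which bug it belongs to, and the mark relaxes MPROTECT on a launcher rather than on one program: the kernel log in this report shows /usr/bin/kdeinit4 as the executable behind both plasma-desktop and ksmserver. Suggest naming the cause and the bug in the comment, for example "# kdeinit4 needs RWX mmap (denied by PaX MPROTECT), bug #483236", and noting there that the exemption applies to everything kdeinit4 hosts, so a later reader can judge whether it is still warranted.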


But I'm getting reports that some people do not have this problem and that it may depend on the graphics card.  Looking at this and bug #483242, it appears that you need the pax-marking on VIDEO_CARDS=intel or i965.  But Zorry says he does not need it on radeon without all the "bling bling".
Comment 3 Anthony Basile gentoo-dev 2014-08-17 23:38:51 UTC
For completeness, here's the patch for ksmserver:

--- ksmserver-4.11.11.ebuild.orig	2014-08-17 19:00:31.687541742 -0400
+++ ksmserver-4.11.11.ebuild	2014-08-17 19:35:50.304440207 -0400
@@ -6,7 +6,7 @@
 
 DECLARATIVE_REQUIRED="always"
 KMNAME="kde-workspace"
-inherit kde4-meta
+inherit kde4-meta pax-utils
 
 DESCRIPTION="The reliable KDE session manager that talks the standard X11R6"
 KEYWORDS=" ~amd64 ~arm ~ppc ~ppc64 ~x86 ~amd64-linux ~x86-linux"
@@ -34,3 +34,10 @@
 "
 
 KMLOADLIBS="libkworkspace"
+
+src_install() {
+	kde4-meta_src_install
+
+	# We need to pax mark kscreenlocker_greet, bug #483236
+	pax-mark m ${ED}/usr/lib64/kde4/libexec/kscreenlocker_greet
+}
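
Review bot: The pax-mark line in the added src_install hard-codes lib64 and leaves ${ED} unquoted. The kdelibs patch in this report already quotes "${ED}" and its ebuild builds library paths with $(get_libdir); doing the same here, "${ED}"/usr/$(get_libdir)/kde4/libexec/kscreenlocker_greet, keeps the mark on the right file where the libdir is not lib64. If get_libdir is not already provided through kde4-meta, inherit multilib as the kdelibs ebuild does.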
Comment 4 Ondřej Guth 2014-08-18 10:51:14 UTC
I confirm that the patches solved the issue. Thanks, Anthony.
Comment 5 Ondřej Guth 2014-08-18 11:22:06 UTC
> 
> But I'm getting reports that some people do not have this problem and that
> it may depend on the graphics card.  Looking at this and bug #483242, it
> appears that you need the pax-marking on VIDEO_CARDS=intel or i965.  But
> Zorry says he does not need it on radeon without all the "bling bling".

This happens to me with i965 and also with nouveau (Nvidia GF119M [Quadro NVS 4200M]).
Comment 6 Johannes Huber (RETIRED) gentoo-dev 2014-08-19 15:38:12 UTC
Thanks Anthony, I changed "lib64" to $(get_libdir) and quoted the var ${ED}. kde-base/ksmserver done. kdelibs was already done once and reverted (because hardened requested it), bug #473842.

+                                                                                                                                                                                                                                                                              
+  19 Aug 2014; Johannes Huber <johu@gentoo.org> +ksmserver-4.11.11-r1.ebuild,                                                                                                                                                                                                 
+  -ksmserver-4.11.11.ebuild:                                                                                                                                                                                                                                                  
+  pax-mark kscreenlocker_greet by Anthony Basile <blueness@gentoo.org>, bug                                                                                                                                                                                                   
+  #483236.                                                                                                                                                                                                                                                                    
+