With hardened-sources-3.12.6-r4 any attempt to play sound over alsa (mplayer2, skype, ...) fails with the error that an IPC semaphores cannot be created. Obviously, it is grsec/pax-related since the log says: grsec: denied write of overly-permissive IPC object with creator uid 0 by ... Even running as root and given all permissions to the program with paxctl-ng does not change the situation; also pax softmode does not help. hardened-sources-3.12.6-r2 had no such problem. (hardened-sources-3.12.6-r3 did not compile for me).
The output of strace -f -o strace-f-o-qpdfview.txt qpdfview with CONFIG_GRKERNSEC_HARDEN_IPC=y ends with: 22021 shmget(IPC_PRIVATE, 4590736, IPC_CREAT|0700) = 282296347 22021 shmat(282296347, 0, 0) = -1 EACCES (Permission denied) 22021 write(2, "QNativeImage: Unable to attach t"..., 58) = 58 22021 --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0xfffffffffffffff7} --- 22021 +++ killed by SIGSEGV +++ Thanks to amade for suggesting changing CONFIG_GRKERNSEC_HARDEN_IPC=n in the linux-3.12.6-hardened-r4 kernel configuration, then rebooting, then qpdfview (and okular) work fine.
Does this mean that CONFIG_GRKERNSEC_HARDEN_IPC=y did not work at all in <hardened-sources-3.12.6-r4 or does this mean that CONFIG_GRKERNSEC_HARDEN_IPC=y got an additional enforcement in hardened-sources-3.12.6-r4? In the latter case, it would perhaps make sense to give a separate kernel option to this additional enforcement so that people needing audio or poppler need not completely switch off that feature but can still use the "less enforced" version of CONFIG_GRKERNSEC_HARDEN_IPC=y from <hardened-sources-3.12.6-r4.
Just for the records: Since hardened-sources-3.12.8 (I have not retried with earlier versions) it is for many things (avidemux3_qt, mplayer2, ...) not sufficient to unset harden_ipc in the systctl kernel interface - it is really necessary to compile the kernel without CONFIG_GRKERNSEC_HARDEN_IPC to make them work.
Is this still an issue with the latest hardened-sources?
I did just a brief test on x86 (hardened-sources-3.16.2-r1 with HARDENED_IPC): mplayer (w/ alsa) worked fine. On amd64 there is still the same issue (with same settings): No sound with mplayer, and the log message of comment #1 appears
The feature CONFIG_GRKERNSEC_HARDEN_IPC had a bug in those kernel versions up to grsecurity-3.0-3.13.5-201403022155.patch where it would deny the shmat() if the harden_ipc sysctl was set to 0. It got the logic wrong in this case (returned "deny" instead of "allow" in gr_ipc_permitted()). This was fixed in the afore mentioned patch.
On amd64/no-multilib with hardened-sources-3.17.1 and CONFIG_GRKERNSEC_HARDEN_IPC=y and qpdfview-0.4.11.1-r1 # strace -f -o strace-f-o-qpdfview.txt qpdfview I don't get an error, it only says iconTheme "nameofmyicontheme" and the program starts. mplayer works as well (alsa-lib-1.0.28), i do have sound
Okay pinging upstream pax
forgot to close this.
