while trying to follow along w/ the nacl sdk examples from google code, i realized that nothing was loading for me using google chrome on my gentoo box. i tried other sites that had nacl demos and none loaded. i even tried the nacl based ssh extension (https://chrome.google.com/webstore/detail/secure-shell/pnhechapfaindjhompbnflcldabbghjo) and that failed to load, too. i know that these used to work, but i can't install a previous version of google-chrome to verify. dmesg looking for potential grsec log info turns out some warnings for nice, rtprio and core limit hits (all nothing serious, except for the core limit, which i'm guessing is being hit when the nacl stuff fails).

Reproducible: Always

Steps to Reproduce:
1. amd64 gentoo using hardened-sources-3.13.6-r3
2. google-chrome-34.0.1847.116_p1
3. visit https://gonativeclient.appspot.com/demo
4. try loading a demo
5. try loading any (p)nacl based page

Actual Results:
(p)nacl doesn't work

Expected Results:
things work

output from command line

[WARNING:flash/platform/pepper/pep_module.cpp(63)] SANDBOXED
[196,2513540864:08:55:37.749613] SelLdrLauncherBase::RetrieveSockAddr: RecvMsg() returned -5
[196,2513540864:08:55:37.749705] SelLdrLauncherBase::SetupCommand: getting sel_ldr socket address failed
[SRPC:HOST:196,2513540864:08:55:37.749747] NaClSrpcInvokeBySignature(channel=0x35abf6df400):missing signature [log:is:]
[5446:5475:0411/085537:ERROR:nacl_process_host.cc(272)] NaCl process exited with status 9 (0x9)
[196,2513540864:08:55:37.749800] scheduling to get crash log
[196,2513540864:08:55:37.749895] should fire soon
Anything in the kernel log (dmesg)?
Oh sorry, you already mentioned looking for that. I will try to reproduce on my (non-hardened) workstation this weekend.
dmesg output is of this variety:

[38339.714212] grsec: denied resource overstep by requesting 30 for RLIMIT_NICE against limit 0 for /opt/google/chrome/chrome[Chrome_ChildIOT:18471] uid/euid:1000/1000 gid/egid:100/100, parent /opt/google/chrome/chrome[chrome:5460] uid/euid:1000/1000 gid/egid:100/100
[38398.809718] grsec: denied resource overstep by requesting 8 for RLIMIT_RTPRIO against limit 0 for /opt/google/chrome/chrome[Chrome_ChildIOT:18856] uid/euid:1000/1000 gid/egid:100/100, parent /opt/google/chrome/chrome[chrome:5460] uid/euid:1000/1000 gid/egid:100/100
[38398.809728] grsec: denied resource overstep by requesting 30 for RLIMIT_NICE against limit 0 for /opt/google/chrome/chrome[Chrome_ChildIOT:18856] uid/euid:1000/1000 gid/egid:100/100, parent /opt/google/chrome/chrome[chrome:5460] uid/euid:1000/1000 gid/egid:100/100
[38445.447557] grsec: denied resource overstep by requesting 8 for RLIMIT_RTPRIO against limit 0 for /opt/google/chrome/chrome[Chrome_ChildIOT:19157] uid/euid:1000/1000 gid/egid:100/100, parent /opt/google/chrome/chrome[chrome:5460] uid/euid:1000/1000 gid/egid:100/100
[38445.447568] grsec: denied resource overstep by requesting 30 for RLIMIT_NICE against limit 0 for /opt/google/chrome/chrome[Chrome_ChildIOT:19157] uid/euid:1000/1000 gid/egid:100/100, parent /opt/google/chrome/chrome[chrome:5460] uid/euid:1000/1000 gid/egid:100/100
[38518.044200] grsec: denied resource overstep by requesting 8 for RLIMIT_RTPRIO against limit 0 for /opt/google/chrome/chrome[Chrome_ChildIOT:19638] uid/euid:1000/1000 gid/egid:100/100, parent /opt/google/chrome/chrome[chrome:5460] uid/euid:1000/1000 gid/egid:100/100
[38518.044207] grsec: denied resource overstep by requesting 30 for RLIMIT_NICE against limit 0 for /opt/google/chrome/chrome[Chrome_ChildIOT:19638] uid/euid:1000/1000 gid/egid:100/100, parent /opt/google/chrome/chrome[chrome:5460] uid/euid:1000/1000 gid/egid:100/100
I'm having no problems on a non-hardened ~amd64 system. Reassigning.
Eh, maybe that's a bit premature... I really have no idea what the problem is here.
visit https://gonativeclient.appspot.com/demo then click on some demo. the demo fails to load.
(In reply to razamatan from comment #7)
> visit https://gonativeclient.appspot.com/demo then click on some demo. the
> demo fails to load.

That works for me. The demo loads and functions perfectly. I suspect your problem has something to do with your hardened system, but I do not have enough information to know for sure. The only useful info we have so far is this:

[5446:5475:0411/085537:ERROR:nacl_process_host.cc(272)] NaCl process exited with status 9 (0x9)

yeah.. i've been poring over the chromium source looking for the exit code definitions but haven't found what 9 indicates.

got some more interesting log messages...

[351166.882474] PAX: terminating task: /opt/google/chrome/nacl_helper(nacl_helper):31126, uid/euid: 1000/1000, PC: 000002957d489a80, SP: 000003db792ac9f8
[351166.882475] PAX: bytes at PC: c3 1e 57 fd ff ff ff ff 58 1e 57 fd ff ff ff ff 00 00 00 00
[351166.882482] PAX: bytes at SP-8: 000002957d489a80 000000551c3bd1bb 000002957d496c00 000002957d489a80 000002957d489a80 000000551c3bd20f 000002957d489980 000002957d496c00 000002957d489980 000000551c394d35 0000000000000001
[351166.882494] grsec: bruteforce prevention initiated for the next 30 minutes or until service restarted, stalling each fork 30 seconds. Please investigate the crash report for /opt/google/chrome/nacl_helper[nacl_helper:31126] uid/euid:1000/1000 gid/egid:100/100, parent /opt/google/chrome/nacl_helper[nacl_helper:30657] uid/euid:1000/1000 gid/egid:100/100

i've set /opt/google/chrome/[chrome,nacl_helper,chrome-sandbox] to the following paxctl(-ng) settings but they seem to take no effect:

/opt/google/chrome/chrome-sandbox:
    PT_PAX : -em--
    XATTR_PAX : -em--
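Added example, not part of the original thread: a small triage script for the kernel log lines quoted in the comments above, separating the grsec rlimit denials from the PaX task terminations so the event that actually kills nacl_helper stands out. The sample lines are copied from this thread's dmesg output; the names triage, RLIMIT and PAX_KILL are this example's own.

```python
import re
from collections import Counter

# Lines copied from the dmesg output quoted in this thread.
SAMPLE = """\
[38339.714212] grsec: denied resource overstep by requesting 30 for RLIMIT_NICE against limit 0 for /opt/google/chrome/chrome[Chrome_ChildIOT:18471] uid/euid:1000/1000 gid/egid:100/100, parent /opt/google/chrome/chrome[chrome:5460] uid/euid:1000/1000 gid/egid:100/100
[38398.809718] grsec: denied resource overstep by requesting 8 for RLIMIT_RTPRIO against limit 0 for /opt/google/chrome/chrome[Chrome_ChildIOT:18856] uid/euid:1000/1000 gid/egid:100/100, parent /opt/google/chrome/chrome[chrome:5460] uid/euid:1000/1000 gid/egid:100/100
[351166.882474] PAX: terminating task: /opt/google/chrome/nacl_helper(nacl_helper):31126, uid/euid: 1000/1000, PC: 000002957d489a80, SP: 000003db792ac9f8
[351166.882475] PAX: bytes at PC: c3 1e 57 fd ff ff ff ff 58 1e 57 fd ff ff ff ff 00 00 00 00
"""

# grsec rlimit denial: requested value, resource name, limit, offending binary.
RLIMIT = re.compile(
    r"^\[\s*(?P<ts>[\d.]+)\] grsec: denied resource overstep by requesting "
    r"(?P<want>\d+) for (?P<res>RLIMIT_\w+) against limit (?P<limit>\d+) "
    r"for (?P<exe>\S+?)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\]")
# PaX kill: binary path, command name and pid of the terminated task.
PAX_KILL = re.compile(
    r"^\[\s*(?P<ts>[\d.]+)\] PAX: terminating task: "
    r"(?P<exe>\S+?)\((?P<comm>[^)]+)\):(?P<pid>\d+),")

def triage(text):
    """Return (rlimit denial counts per (exe, resource), list of PaX kills)."""
    denials, kills = Counter(), []
    for line in text.splitlines():
        m = RLIMIT.match(line)
        if m:
            denials[(m["exe"], m["res"])] += 1
            continue
        m = PAX_KILL.match(line)
        if m:
            kills.append((float(m["ts"]), m["exe"], int(m["pid"])))
    return denials, kills

if __name__ == "__main__":
    denials, kills = triage(SAMPLE)
    for (exe, res), n in sorted(denials.items()):
        print(f"denied  {res:<14} x{n}  {exe}")
    for ts, exe, pid in kills:
        print(f"KILLED  by PaX at {ts}: {exe} pid {pid}")
```

Feeding it the full output of dmesg instead of SAMPLE gives one summary line per binary and resource, plus one line per PaX termination.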
i've updated to the pax settings outlined in http://en.wikibooks.org/wiki/Grsecurity/Application-specific_Settings#Google_Chrome_15.0.874.106 and it still doesn't work. :|
Created attachment 374960
grsec disabled kernel config

so i recompiled my kernel (genkernel derived, 3.13.6-hardened-r3) w/o any grsec or pax enabled. there's no more grsec logs in my dmesg, but i'm still not getting any working nacl apps.
super odd. when trying to revert the pax settings to default, i ended up just re-installing google-chrome. turns out, after the reinstall, the demos work again. i'll try slowly enabling grsec options and see if it'll keep working... closing this bug and will open a new one if the issue arises again.