
Bug 455938

Summary: =gnome-base/gdm-3.6* + systemd + hardened kernel : Fails to start when access to /proc is restricted.
Product: Gentoo Linux
Reporter: Alexander Tsoy <alexander>
Component: [OLD] GNOME
Assignee: Gentoo Linux Gnome Desktop Team <gnome>
Status: RESOLVED DUPLICATE
Severity: normal
CC: hardened, pva, tomwij, zazdxscf+bugs.gentoo.org
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 389719

Description Alexander Tsoy 2013-02-06 23:51:07 UTC
It seems gdm and polkitd want to read some files in /proc. So GDM won't start with hardened-sources configured with GRKERNSEC_PROC=y. When I add "polkitd" and "gdm" users into the group specified by the GRKERNSEC_PROC_GID option, gdm starts without problems.

There is a similar issue in archlinux's bug tracker, but caused by the "hidepid" mount option for procfs (this option first appeared in linux-3.3):
https://bugs.archlinux.org/task/31814

Quote:
"Well after hours of debugging and just trying random things I could think of, I straced gdm... And wading through the megabytes of noise was worthwhile, I found this critical line:
[pid 2063] open("/proc/1/cgroup", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)

I'm mounting /proc with options hidepid=2 -- which hides other users' processes. It never caused me a problem so far. But apparently Gnome 3.6 relies on poking around in the details of the init process. It would be sad to lose this security feature on all Gnome desktops. I'll try to bring this up with upstream."


So I think that all of these things should be documented. I spent a lot of time sorting out the problem. :)

Reproducible: Always
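The hidepid case described above, as an added diagnostic script that is not part of the bug report: it takes the /proc line in /proc/mounts format plus an /etc/group table and reports whether a service user such as polkitd is still allowed to see other users' /proc/<pid> entries. The sample data is constructed; it assumes the gid= value is numeric (as shown in /proc/mounts) and only checks supplementary group membership, not primary gids from /etc/passwd.

```sh
#!/bin/sh
# Constructed sample data, not from a real system: /proc mounted with
# hidepid=2 and gid=26 ("proc" group), with polkitd a member but gdm not.
SAMPLE_MOUNT='proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2,gid=26 0 0'
SAMPLE_GROUPS='root:x:0:
proc:x:26:polkitd
users:x:100:alice'

# Print the value of key $2 from the comma-separated option list $1 (empty if unset).
mount_opt() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# The option list is the 4th field of a /proc/mounts line.
mount_opts() {
    printf '%s\n' "$1" | awk '{ print $4 }'
}

# hidepid level of the mount line; "0" when the option is absent.
proc_hidepid() {
    level=$(mount_opt "$(mount_opts "$1")" hidepid)
    printf '%s\n' "${level:-0}"
}

# Succeed if user $1 is listed as a member of numeric gid $2 in group table $3.
# Assumption: membership via /etc/group only; primary gids in passwd are ignored.
user_in_gid() {
    printf '%s\n' "$3" | awk -F: -v u="$1" -v g="$2" '
        $3 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) ok = 1 }
        END { exit (ok ? 0 : 1) }'
}

# Print "visible" if user $1 can read other users' /proc/<pid> (e.g. /proc/1/cgroup)
# under mount line $2 and group table $3, otherwise "hidden".
proc_visibility() {
    case "$(proc_hidepid "$2")" in
        0|off) echo visible; return 0 ;;   # hidepid not in effect
    esac
    gid=$(mount_opt "$(mount_opts "$2")" gid)
    if [ -n "$gid" ] && user_in_gid "$1" "$gid" "$3"; then
        echo visible                       # exempt through the gid= group
    else
        echo hidden                        # the condition that broke polkitd/gdm
    fi
}

proc_visibility polkitd "$SAMPLE_MOUNT" "$SAMPLE_GROUPS"   # visible
proc_visibility gdm     "$SAMPLE_MOUNT" "$SAMPLE_GROUPS"   # hidden
```

On a live system, feed it `grep ' /proc ' /proc/mounts` and the contents of /etc/group; a "hidden" result for polkitd means the user must be added to the gid= group (or the hidepid option relaxed) before GDM will start.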
Comment 1 Alexander Tsoy 2013-02-07 00:04:44 UTC
[ebuild   R   ~] gnome-base/gdm-3.6.2  USE="fallback gnome-shell introspection ipv6 systemd tcpd -accessibility -audit -consolekit -debug -fprint -ldap -plymouth (-selinux) -smartcard {-test} -xinerama" 0 kB
[ebuild   R    ] sys-auth/polkit-0.110  USE="examples gtk introspection nls pam systemd -kde (-selinux)" 0 kB
Comment 2 Tom Wijsman (TomWij) (RETIRED) gentoo-dev 2013-02-07 01:26:11 UTC
@reporter: Please do not CC maintainers manually as that creates extra mails and work on our part.

@gnome herd: Please check whether this really blocks "gnome3-upgrade-guide".
Comment 3 Alexander Tsoy 2013-02-07 01:49:37 UTC
Forgot to mention: I'm using systemd. Maybe there is no such issue with openrc + consolekit.

@tomwij: this issue is not only specific to hardened kernel. In comment 0 I also wrote about "hidepid" mount option. So changing summary was not necessary imo.
Comment 4 Tom Wijsman (TomWij) (RETIRED) gentoo-dev 2013-02-07 02:11:03 UTC
(In reply to comment #3)
> Forgot to mention: I'm using systemd. Maybe there is no such issue with
> openrc + consolekit.

I actually had a very similar issue when I switched to systemd some time ago, I solved this by changing permissions on that directory; note that I do not run a hardened kernel. So, what you say might be true.

Reverted the summary change.
Comment 5 Alexandre Rostovtsev (RETIRED) gentoo-dev 2013-07-30 19:07:55 UTC
Is adding gdm to the CONFIG_GRKERNSEC_PROC_GID group really required, or is adding polkitd there enough?

(Basically, I am asking whether this bug is identical to #472098, or if there is something additional here, specific only to gdm but not other polkit-based tools.)
Comment 6 Alexander Tsoy 2013-07-30 20:11:49 UTC
(In reply to Alexandre Rostovtsev from comment #5)

Just tested with gnome-base/gdm-3.8.3.1. Adding gdm to the CONFIG_GRKERNSEC_PROC_GID group is not required.

Maybe this was really required with gdm-3.6. Now I can't check this. :)
Comment 7 Alexandre Rostovtsev (RETIRED) gentoo-dev 2013-07-30 20:21:44 UTC
Thanks.

Marking this as duplicate of #472098, since the core problem here is with polkit, not with gdm.

*** This bug has been marked as a duplicate of bug 472098 ***