Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 566114

Summary: CONFIG_GRKERNSEC_PROC (4.1.7-hardened-r1) prevents that polkitd (polkit-0.113) work porperly
Product: Gentoo Linux Reporter: Gerold Schellstede <gentoo>
Component: HardenedAssignee: The Gentoo Linux Hardened Team <hardened>
Status: RESOLVED INVALID    
Severity: normal CC: alexanderyt
Priority: Normal    
Version: unspecified   
Hardware: AMD64   
OS: Linux   
See Also: https://bugs.gentoo.org/show_bug.cgi?id=472098
Whiteboard:
Package list:
Runtime testing required: ---

Description Gerold Schellstede 2015-11-18 12:44:06 UTC 
Hello,

I use a XFCE desktop with hardened kernel. Activating CONFIG_GRKERNSEC_PROC prevents here that xfce4-power-manager can suspend, while Xfce4 itself can suspend via the "logout button". (Everything else works perfectly)

I found a bug which I think is related to my problem: https://bugs.gentoo.org/show_bug.cgi?id=472098

Obviously polkit has not enough permissions in /proc to look if suspend is possible. 

First my config was CONFIG_GRKERNSEC_PROC=y CONFIG_GRKERNSEC_PROC_USER=y CONFIG_GRKERNSEC_PROC_ADD=y --> Doesn't work. Xfce4-power-manager says, that suspend is not allowed.

Second try was CONFIG_GRKERNSEC_PROC=y CONFIG_GRKERNSEC_PROC_USERGROUP=y (group 12) CONFIG_GRKERNSEC_PROC_ADD=y --> Put my user into group 12 --> Doesn't work. Xfce4-power-manager says, that suspend is not allowed.

Third try was nearly the same as the second try but with "polkitd" in group 12 --> works perfectly!

This is the same workaround as mentioned in bug 472098 (comment 20). Related question: Is this a bug or a feature?

Best regards

Reproducible: Always
Comment 1 Anthony Basile gentoo-dev 2015-12-17 15:08:15 UTC 
(In reply to Gerold Schellstede from comment #0)

> 
> Third try was nearly the same as the second try but with "polkitd" in group
> 12 --> works perfectly!

I thought I set it to group 10, but okay.  Check CONFIG_GRKERNSEC_PROC_GID.


> 
> This is the same workaround as mentioned in bug 472098 (comment 20). Related
> question: Is this a bug or a feature?
> 

Yes, this is a known issue.  I'm not sure where we can document this.  If you can suggest something, I could write something.
Comment 2 Gerold Schellstede 2015-12-17 17:41:23 UTC 
(In reply to Anthony Basile from comment #1)
> (In reply to Gerold Schellstede from comment #0)
> 
> > 
> > Third try was nearly the same as the second try but with "polkitd" in group
> > 12 --> works perfectly!
> 
> I thought I set it to group 10, but okay.  Check CONFIG_GRKERNSEC_PROC_GID.
> 
> 
I does not see the point, because the trusted group can be freely chosen during kernel configuration. I set it to 12, but every other unused value is also possible. Putting polkitd into this group is doing the trick. 

> > 
> > This is the same workaround as mentioned in bug 472098 (comment 20). Related
> > question: Is this a bug or a feature?
> > 
> 
> Yes, this is a known issue.  I'm not sure where we can document this.  If
> you can suggest something, I could write something.

We can document it at as bug of polkit together with GrSecurity. I think it would be useful to file a new bug which states the bug together with the workaround. Then one can mark the systemd-related bug and my xfce-related bug as duplicates. Then the link of the bugtracker-entry should be mentioned at "https://wiki.gentoo.org/wiki/Hardened/Grsecurity2_Quickstart --> File System Protections"

However, I am not sure if it is really a bug. Polkitd needs more rights than CONFIG_GRKERNSEC_PROC gives it, namely looking into /proc. But this is what "CONFIG_GRKERNSEC_PROC" is made for. Therefore the trusted group was introduced to allow its members to look still into /proc. Altogether the real problem seems to me that nobody knows that one has to introduce polkitd into the trusted group. If you agree with me I would suggest to close both bugs (the systemd-related and my xfce-related) and to make a short write up at "https://wiki.gentoo.org/wiki/Hardened/Grsecurity2_Quickstart --> File System Protections" to make clear that one has to introduce polkitd into the trusted group. Another approach could be that during the emerge of polkit portage looks into the kernel-config, and shows a failure if CONFIG_GRKERNSEC_PROC is set without a trusted group or introduces polkitd into the trusted group if its existing.