Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 455938 - =gnome-base/gdm-3.6* + systemd + hardened kernel : Fails to start when access to /proc is restricted.
Summary: =gnome-base/gdm-3.6* + systemd + hardened kernel : Fails to start when access...
Status: RESOLVED DUPLICATE of bug 472098
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] GNOME (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Linux Gnome Desktop Team
Depends on:
Blocks: gnome3-upgrade-guide
  Show dependency tree
Reported: 2013-02-06 23:51 UTC by Alexander Tsoy
Modified: 2015-09-02 14:38 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Alexander Tsoy 2013-02-06 23:51:07 UTC
It seems gdm and polkitd want to read some files in /proc. So GDM won't start with hardened-sources configured with GRKERNSEC_PROC=y. When I add "polkitd" and "gdm" users into the group specified by the GRKERNSEC_PROC_GID option, gdm starts without problems.

There is a similar issue in archlinux's bug tracker, but caused by the "hidepid" mount option for procfs (this option first appeared in linux-3.3):

"Well after hours of debugging and just trying random things I could think of, I straced gdm... And wading through the megabytes of noise was worthwhile, I found this critical line:
[pid 2063] open("/proc/1/cgroup", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)

I'm mounting /proc with options hidepid=2 -- which hides other users' processes. It never caused me a problem so far. But apparently Gnome 3.6 relies on poking around in the details of the init process. It would be sad to lose this security feature on all Gnome desktops. I'll try to bring this up with upstream."

So I think that all of this things should be documented. I spent a lot of time to sort out the problem. :)

Reproducible: Always
Comment 1 Alexander Tsoy 2013-02-07 00:04:44 UTC
[ebuild   R   ~] gnome-base/gdm-3.6.2  USE="fallback gnome-shell introspection ipv6 systemd tcpd -accessibility -audit -consolekit -debug -fprint -ldap -plymouth (-selinux) -smartcard {-test} -xinerama" 0 kB
[ebuild   R    ] sys-auth/polkit-0.110  USE="examples gtk introspection nls pam systemd -kde (-selinux)" 0 kB
Comment 2 Tom Wijsman (TomWij) (RETIRED) gentoo-dev 2013-02-07 01:26:11 UTC
@reporter: Please do not CC maintainers manually as that creates extra mails and work on our part.

@gnome herd: Please check whether this really blocks "gnome3-upgrade-guide".
Comment 3 Alexander Tsoy 2013-02-07 01:49:37 UTC
Forget to mention: I'm using systemd. Maybe there is no such issue with openrc + consolekit.

@tomwij: this issue is not only specific to hardened kernel. In comment 0 I also wrote about "hidepid" mount option. So changing summary was not neccesary imo.
Comment 4 Tom Wijsman (TomWij) (RETIRED) gentoo-dev 2013-02-07 02:11:03 UTC
(In reply to comment #3)
> Forget to mention: I'm using systemd. Maybe there is no such issue with
> openrc + consolekit.

I actually had a very similar issue when I switched to systemd some time ago, I solved this by changing permissions on that directory; note that I do not run a hardened kernel. So, what you say might be true.

Reverted the summary change.
Comment 5 Alexandre Rostovtsev (RETIRED) gentoo-dev 2013-07-30 19:07:55 UTC
Is adding gdm to the CONFIG_GRKERNSEC_PROC_GID group really required, or is adding polkitd there enough?

(Basically, I am asking whether this bug is identical to #472098, or if there is something additional here, specific only to gdm but not other polkit-based tools.)
Comment 6 Alexander Tsoy 2013-07-30 20:11:49 UTC
(In reply to Alexandre Rostovtsev from comment #5)

Just tested with gnome-base/gdm- Adding gdm to the CONFIG_GRKERNSEC_PROC_GID group is not required.

May be this was really required with gdm-3.6. Now I can't check this. :)
Comment 7 Alexandre Rostovtsev (RETIRED) gentoo-dev 2013-07-30 20:21:44 UTC

Marking this as duplicate of #472098, since the core problem here is with polkit, not with gdm.

*** This bug has been marked as a duplicate of bug 472098 ***