Re: [Re: [CinCV TNG] Building in Gentoo

Author: Miroslav Rovis
Date:  
To: Good Guy
Subject: Re: [Re: [CinCV TNG] Building in Gentoo
So more progress there has been.

On 160427-13:05-0600, Good Guy wrote:
> cd cinelerra5/cinelerra-5.1
> echo "EXTRA_LIBS += -lva" >> global_config
> echo "EXTRA_LIBS += -Wl,-z,noexecstack" >> global_config
> sed -e '1,1c#!/usr/bin/python2.7' -i guicast/bccmdl.py
> sed -e '/^bcxfer.C:/,+1s/python/python2.7/' -i guicast/Makefile
> ./configure shared
> make >& log
>


I'm also writing this for general *nix users when this is hopefully
posted as you gave me permission to. I'll give the complete output from
the terminal. Note that there are two issuings of /opt/cin/cinelerra, the
first will be seen, later, in the log that I will also give, as "denied
execution of /opt/cin/cinelerra" and the second as "exec of
/opt/cin/cinelerra".

miro@gcn ~ $ /opt/cin/cinelerra
bash: /opt/cin/cinelerra: Permission denied
miro@gcn ~ $
miro@gcn ~ $ /opt/cin/cinelerra
sh: pactl: command not found

Cinelerra 5.1 git://git.cinelerra-cv.org/goodguy/cinelerra.git (c)2015:
Adam Williams

Cinelerra is free software, covered by the GNU General Public License,
and you are welcome to change it and/or distribute copies of it under
certain conditions. There is absolutely no warranty for Cinelerra.

MESA-LOADER: could not create udev device for fd 5
MESA-LOADER: could not create udev device for fd 6
MESA-LOADER: could not create udev device for fd 6
init plugin index: /opt/cin/plugins
int PluginServer::open_plugin(int, Preferences*, EDL*, Plugin*):

PluginServer::open_plugin: load_obj
/opt/cin/plugins/blending/chromakeyhsv.plugin =
/opt/cin/plugins/blending/chromakeyhsv.plugin: cannot change memory
protections: Permission denied

int PluginServer::open_plugin(int, Preferences*, EDL*, Plugin*):

PluginServer::open_plugin: load_obj
/opt/cin/plugins/themes/theme_blond.plugin =
/opt/cin/plugins/themes/theme_blond.plugin: cannot change memory
protections: Permission denied

int PluginServer::open_plugin(int, Preferences*, EDL*, Plugin*):

PluginServer::open_plugin: load_obj
/opt/cin/plugins/themes/theme_blond_cv.plugin =
/opt/cin/plugins/themes/theme_blond_cv.plugin: cannot change memory
protections: Permission denied

int PluginServer::open_plugin(int, Preferences*, EDL*, Plugin*):

PluginServer::open_plugin: load_obj
/opt/cin/plugins/themes/theme_blue.plugin =
/opt/cin/plugins/themes/theme_blue.plugin: cannot change memory
protections: Permission denied

int PluginServer::open_plugin(int, Preferences*, EDL*, Plugin*):

PluginServer::open_plugin: load_obj
/opt/cin/plugins/themes/theme_blue_dot.plugin =
/opt/cin/plugins/themes/theme_blue_dot.plugin: cannot change memory
protections: Permission denied

int PluginServer::open_plugin(int, Preferences*, EDL*, Plugin*):

PluginServer::open_plugin: load_obj
/opt/cin/plugins/themes/theme_bright.plugin =
/opt/cin/plugins/themes/theme_bright.plugin: cannot change memory
protections: Permission denied

int PluginServer::open_plugin(int, Preferences*, EDL*, Plugin*):

PluginServer::open_plugin: load_obj
/opt/cin/plugins/themes/theme_hulk.plugin =
/opt/cin/plugins/themes/theme_hulk.plugin: cannot change memory
protections: Permission denied

int PluginServer::open_plugin(int, Preferences*, EDL*, Plugin*):

PluginServer::open_plugin: load_obj
/opt/cin/plugins/themes/theme_pinklady.plugin =
/opt/cin/plugins/themes/theme_pinklady.plugin: cannot change memory
protections: Permission denied

int PluginServer::open_plugin(int, Preferences*, EDL*, Plugin*):

PluginServer::open_plugin: load_obj
/opt/cin/plugins/themes/theme_suv.plugin =
/opt/cin/plugins/themes/theme_suv.plugin: cannot change memory
protections: Permission denied

int PluginServer::open_plugin(int, Preferences*, EDL*, Plugin*):

PluginServer::open_plugin: load_obj
/opt/cin/plugins/themes/theme_unflat.plugin =
/opt/cin/plugins/themes/theme_unflat.plugin: cannot change memory
protections: Permission denied

init ladspa index: /opt/cin/ladspa
MWindow::init_theme: prefered theme S.U.V. not found.
MWindow::init_theme: theme_plugin not found.
unjoined tids / owner 1
000003297c18b700 / 000003298d7eb740 12BC_Clipboard
miro@gcn ~ $

Just to tell that Cinelerra showed the little opening window in the
middle of the screen, but did not freeze like in the last attempt.
Instead it exited and returned the command prompt. The previous attempt
can be read at:

http://lists.cinelerra-cv.org/pipermail/cinelerra/2016q2/004711.html
And it shows the Cinelerra girl holding a huge 5.1 notice.

The same happened. Only, it exited gracefully (if that's what giving the
command prompt back is).

Now the logs:

Freshly installed today's goodguy's git repo Cinelerra 5.1. Chowning it
to user and group miro:miro.

Apr 27 23:22:03 gcn kernel: [143518.989075] grsec: (admin:S:/) exec of
/bin/chown (chown -R miro:miro /opt/cin ) by /bin/chown[bash:26292]
uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3278] uid/euid:0/0
gid/egid:0/0

RBAC enabled, just to see what will happen.

Apr 27 23:22:14 gcn kernel: [143530.000378] grsec: (admin:S:/) exec of
/bin/grep (grep --colour=auto RBAC /proc/3278/status ) by
/bin/grep[bash:26294] uid/euid:0/0 gid/egid:0/0, parent
/bin/bash[bash:3278] uid/euid:0/0 gid/egid:0/0

Apr 27 23:22:25 gcn kernel: [143540.657532] grsec: (miro:U:/bin/bash)
denied execution of /opt/cin/cinelerra by /bin/bash[bash:26297]
uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:3549]
uid/euid:1000/1000 gid/egid:1000/1000


Checking if TPE was enabled. Can't show, but I remember it was not.
Neither tpe nor tpe_restrict_all.

Apr 27 23:22:25 gcn kernel: [143540.657675] grsec: (miro:U:/bin/bash)
denied open of /opt/cin/cinelerra for reading by /bin/bash[bash:26297]
uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:3549]
uid/euid:1000/1000 gid/egid:1000/1000

Apr 27 23:22:51 gcn kernel: [143566.483957] grsec: (admin:S:/) exec of
/bin/cat (cat /proc/sys/kernel/grsecurity/tpe_restrict_all ) by
/bin/cat[bash:26300] uid/euid:0/0 gid/egid:0/0, parent
/bin/bash[bash:3278] uid/euid:0/0 gid/egid:0/0

Apr 27 23:22:54 gcn kernel: [143569.600844] grsec: (admin:S:/) exec of
/bin/cat (cat /proc/sys/kernel/grsecurity/tpe ) by /bin/cat[bash:26303]
uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3278] uid/euid:0/0
gid/egid:0/0


Disabling RBAC:

Apr 27 23:23:13 gcn kernel: [143588.739630] grsec: (admin:S:/) exec of
/sbin/gradm (gradm -D ) by /sbin/gradm[bash:26304] uid/euid:0/0
gid/egid:0/0, parent /bin/bash[bash:3278] uid/euid:0/0 gid/egid:0/0

...[36 lines cut here]...

Apr 27 23:23:41 gcn kernel: [143616.978863] grsec: exec of
/opt/cin/cinelerra (/opt/cin/cinelerra ) by
/opt/cin/cinelerra[bash:26350] uid/euid:1000/1000 gid/egid:1000/1000,
parent /bin/bash[bash:3549] uid/euid:1000/1000 gid/egid:1000/1000

I hope this pulseaudio command does no harm. Only pure alsa here.

Apr 27 23:23:42 gcn kernel: [143617.432067] grsec: exec of /bin/bash (sh
-c pactl list sinks ) by /bin/bash[cinelerra:26351] uid/euid:1000/1000
gid/egid:1000/1000, parent /opt/cin/cinelerra[cinelerra:26350]
uid/euid:1000/1000 gid/egid:1000/1000

The crucial PT_GNU_STACK, and RWX mprotect lines:

Apr 27 23:23:44 gcn kernel: [143619.882015] grsec: denied marking stack
executable as requested by PT_GNU_STACK marking in
/opt/cin/plugins/blending/chromakeyhsv.plugin by
/opt/cin/cinelerra[cinelerra:26350] uid/euid:1000/1000
gid/egid:1000/1000, parent /bin/bash[bash:3549] uid/euid:1000/1000
gid/egid:1000/1000

Apr 27 23:23:44 gcn kernel: [143619.882045] grsec: denied RWX mprotect
of /lib64/ld-2.22.so by /opt/cin/cinelerra[cinelerra:26350]
uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:3549]
uid/euid:1000/1000 gid/egid:1000/1000

Apr 27 23:23:44 gcn kernel: [143620.045971] grsec: denied marking stack
executable as requested by PT_GNU_STACK marking in
/opt/cin/plugins/themes/theme_blond.plugin by
/opt/cin/cinelerra[cinelerra:26350] uid/euid:1000/1000
gid/egid:1000/1000, parent /bin/bash[bash:3549] uid/euid:1000/1000
gid/egid:1000/1000

Apr 27 23:23:44 gcn kernel: [143620.046009] grsec: denied RWX mprotect
of /lib64/ld-2.22.so by /opt/cin/cinelerra[cinelerra:26350]
uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:3549]
uid/euid:1000/1000 gid/egid:1000/1000

Apr 27 23:23:44 gcn kernel: [143620.046087] grsec: more alerts, logging
disabled for 10 seconds


And here is where a hardened dev could help us... I've been studying
these days (but only for a small part of the time, this testing takes a
lot of energy and time), on the above PT_GNU_STACK and RWX mprotect
issue, and I'll try and post next to grsecurity Forums:

Building Cinelerra and stack exec and mprotect issues
https://forums.grsecurity.net/viewtopic.php?f=3&t=4453&sid=6acf30eee27f95dd5bc31d4d282cae77

as I have collected some links that could help us here...

--
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
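As an added example (not part of this message or of the Cinelerra project), a small Python check a user on a hardened kernel can run before loading plugins: it pulls the object paths out of grsec audit lines like the ones quoted above, and inspects an ELF64 image's PT_GNU_STACK program header for the PF_X bit that the `-Wl,-z,noexecstack` link flag in the quoted recipe clears. The function names and the minimal in-memory ELF builder are assumptions for illustration.

```python
import re
import struct

PT_GNU_STACK = 0x6474E551   # program header type the loader reads for stack permissions
PF_X = 0x1                  # executable bit in p_flags

# Matches the two grsec denial forms seen in the log above.
GRSEC_RE = re.compile(
    r"grsec: denied (marking stack executable as requested by PT_GNU_STACK marking in"
    r"|RWX mprotect of) (\S+) by"
)

def grsec_denials(log_text):
    """Return (kind, path) pairs for every exec-stack / RWX-mprotect denial in the log."""
    return [("exec-stack" if what.startswith("marking") else "rwx-mprotect", path)
            for what, path in GRSEC_RE.findall(log_text)]

def gnu_stack_executable(elf):
    """Parse an ELF64 little-endian image and report whether PT_GNU_STACK carries PF_X.
    Returns True/False, or None when the header is missing (glibc on x86 then assumes an
    executable stack; -Wl,-z,noexecstack fixes that too by emitting the header)."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("only ELF64 little-endian images are handled here")
    (e_phoff,) = struct.unpack_from("<Q", elf, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            return bool(p_flags & PF_X)
    return None

def make_test_elf(stack_flags, p_type=PT_GNU_STACK):
    """Constructed minimal ELF64 (ET_DYN, x86-64): 64-byte header + one program header."""
    ehdr = struct.pack("<4sBBBBB7xHHIQQQIHHHHHH",
                       b"\x7fELF", 2, 1, 1, 0, 0,     # ELF64, little-endian, v1, SYSV ABI
                       3, 62, 1, 0, 64, 0, 0,         # ET_DYN, EM_X86_64, e_phoff=64
                       64, 56, 1, 64, 0, 0)           # ehsize, phentsize, phnum, shentsize
    phdr = struct.pack("<IIQQQQQQ", p_type, stack_flags, 0, 0, 0, 0, 0, 16)
    return ehdr + phdr

# Sample lines taken from the grsec log in the message above (unwrapped, trailing fields cut).
SAMPLE_LOG = (
    "Apr 27 23:23:44 gcn kernel: [143619.882015] grsec: denied marking stack executable "
    "as requested by PT_GNU_STACK marking in /opt/cin/plugins/blending/chromakeyhsv.plugin "
    "by /opt/cin/cinelerra[cinelerra:26350] uid/euid:1000/1000 gid/egid:1000/1000\n"
    "Apr 27 23:23:44 gcn kernel: [143619.882045] grsec: denied RWX mprotect of "
    "/lib64/ld-2.22.so by /opt/cin/cinelerra[cinelerra:26350] uid/euid:1000/1000\n"
)

if __name__ == "__main__":
    for kind, path in grsec_denials(SAMPLE_LOG):
        print(kind, path)
    print("RWX stack:", gnu_stack_executable(make_test_elf(0x7)))   # True
    print("RW stack: ", gnu_stack_executable(make_test_elf(0x6)))   # False
```

To check a real plugin, pass `open(path, "rb").read()` to `gnu_stack_executable`; a `True` result is the object the kernel will refuse to map on a box with the PT_GNU_STACK protection on.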