Just a little sleeplessness here.

On 160427-17:15-0600, Good Guy wrote:
> Sorry, my name is root, I have been root for decades, I like it when
> the operations are allowed to succeed, and not deliberately failed.
> The entire purpose of many "insecurity" features is to invoke nothing
> but failure.

I disagree.

> The security policy I like is to stop the bad guys at the door. If you
> have bad guys roaming around your house, it is already too late.

I'm glad if you can do it. I'm not such an expert by any means.

> I want any operation which authenticates or verifies to be correct, and
> in this day and age of crystallographic protocols and validation it is
> completely possible to do a good job. These hacks are a sign of failure
> to detect and stop bad guys before they do damage.

I'm not sure I understand what you are referring to here. Do you mean you
did not install grsec-hardened?

> Frequently, the worst bad guys used to be good guys (pun). The real
> problem is to make sure the development environment is desirable
> and secure, so that the effort is cohesive.
>
> Anyway... I have completed the backup, installed the stage3 system,
> and have 80% of the world built.

Glad to hear that.

> Still have kernel and tweaks to do, but should have a system soon.
> Gentoo is a "difficult" system to have to install from scratch.
> Seems unnecessarily abstruse. First impressions only.

But did you read what I wrote to you below? (And I'll fix a typo or two
now, and added a little note closer to the bottom, but not all the way
down to it.)

> On Wed, Apr 27, 2016 at 3:54 PM, Miroslav Rovis <miro.rovis@croatiafidelis.hr> wrote:
> > So more progress there has been.
> >
> > On 160427-13:05-0600, Good Guy wrote:
> > > cd cinelerra5/cinelerra-5.1
> > > echo "EXTRA_LIBS += -lva" >> global_config
> > > echo "EXTRA_LIBS += -Wl,-z,noexecstack" >> global_config
> > > sed -e '1,1c#!/usr/bin/python2.7' -i guicast/bccmdl.py
> > > sed -e '/^bcxfer.C:/,+1s/python/python2.7/' -i guicast/Makefile
> > > ./configure shared
> > > make >& log
> >
> > I'm also writing this for general *nix users when this is hopefully
> > posted as you gave me permission to. I'll give the complete output from
> > the terminal. Note that there are two issuings of /opt/cin/cinelerra; the
> > first will be seen, later, in the log that I will also give, as "denied
> > execution of /opt/cin/cinelerra" and the second as "exec of
> > /opt/cin/cinelerra".
> >
> > miro@gcn ~ $ /opt/cin/cinelerra
> > bash: /opt/cin/cinelerra: Permission denied
> > miro@gcn ~ $
> > miro@gcn ~ $ /opt/cin/cinelerra
> > sh: pactl: command not found
> >
> > Cinelerra 5.1 git://git.cinelerra-cv.org/goodguy/cinelerra.git (c)2015: Adam Williams
> >
> > Cinelerra is free software, covered by the GNU General Public License,
> > and you are welcome to change it and/or distribute copies of it under
> > certain conditions. There is absolutely no warranty for Cinelerra.
> >
> > MESA-LOADER: could not create udev device for fd 5
> > MESA-LOADER: could not create udev device for fd 6
> > MESA-LOADER: could not create udev device for fd 6
> > init plugin index: /opt/cin/plugins
> > int PluginServer::open_plugin(int, Preferences*, EDL*, Plugin*):
> > PluginServer::open_plugin: load_obj /opt/cin/plugins/blending/chromakeyhsv.plugin = /opt/cin/plugins/blending/chromakeyhsv.plugin: cannot change memory protections: Permission denied
> > int PluginServer::open_plugin(int, Preferences*, EDL*, Plugin*):
> > PluginServer::open_plugin: load_obj /opt/cin/plugins/themes/theme_blond.plugin = /opt/cin/plugins/themes/theme_blond.plugin: cannot change memory protections: Permission denied
> > int PluginServer::open_plugin(int, Preferences*, EDL*, Plugin*):
> > PluginServer::open_plugin: load_obj /opt/cin/plugins/themes/theme_blond_cv.plugin = /opt/cin/plugins/themes/theme_blond_cv.plugin: cannot change memory protections: Permission denied
> > int PluginServer::open_plugin(int, Preferences*, EDL*, Plugin*):
> > PluginServer::open_plugin: load_obj /opt/cin/plugins/themes/theme_blue.plugin = /opt/cin/plugins/themes/theme_blue.plugin: cannot change memory protections: Permission denied
> > int PluginServer::open_plugin(int, Preferences*, EDL*, Plugin*):
> > PluginServer::open_plugin: load_obj /opt/cin/plugins/themes/theme_blue_dot.plugin = /opt/cin/plugins/themes/theme_blue_dot.plugin: cannot change memory protections: Permission denied
> > int PluginServer::open_plugin(int, Preferences*, EDL*, Plugin*):
> > PluginServer::open_plugin: load_obj /opt/cin/plugins/themes/theme_bright.plugin = /opt/cin/plugins/themes/theme_bright.plugin: cannot change memory protections: Permission denied
> > int PluginServer::open_plugin(int, Preferences*, EDL*, Plugin*):
> > PluginServer::open_plugin: load_obj /opt/cin/plugins/themes/theme_hulk.plugin = /opt/cin/plugins/themes/theme_hulk.plugin: cannot change memory protections: Permission denied
> > int PluginServer::open_plugin(int, Preferences*, EDL*, Plugin*):
> > PluginServer::open_plugin: load_obj /opt/cin/plugins/themes/theme_pinklady.plugin = /opt/cin/plugins/themes/theme_pinklady.plugin: cannot change memory protections: Permission denied
> > int PluginServer::open_plugin(int, Preferences*, EDL*, Plugin*):
> > PluginServer::open_plugin: load_obj /opt/cin/plugins/themes/theme_suv.plugin = /opt/cin/plugins/themes/theme_suv.plugin: cannot change memory protections: Permission denied
> > int PluginServer::open_plugin(int, Preferences*, EDL*, Plugin*):
> > PluginServer::open_plugin: load_obj /opt/cin/plugins/themes/theme_unflat.plugin = /opt/cin/plugins/themes/theme_unflat.plugin: cannot change memory protections: Permission denied
> > init ladspa index: /opt/cin/ladspa
> > MWindow::init_theme: prefered theme S.U.V. not found.
> > MWindow::init_theme: theme_plugin not found.
> > unjoined tids / owner 1
> > 000003297c18b700 / 000003298d7eb740 12BC_Clipboard
> > miro@gcn ~ $
> >
> > Just to tell that Cinelerra showed the little opening window in the
> > middle of the screen, but did not freeze like in the last attempt.
> > Instead it exited and returned the command prompt. The previous attempt
> > can be read at:
> >
> > http://lists.cinelerra-cv.org/pipermail/cinelerra/2016q2/004711.html
> >
> > And it shows the Cinelerra girl holding huge 5.1 notice
> > was "it that's what"
> > The same happened. Only, it exited gracefully (if that's what's
> > giving the command prompt back is).
> >
> > Now the logs:
> >
> > Freshly installed today's goodguy's git repo Cinelerra 5.1. Chowning it
> > to user and group miro:miro.
> >
> > Apr 27 23:22:03 gcn kernel: [143518.989075] grsec: (admin:S:/) exec of /bin/chown (chown -R miro:miro /opt/cin ) by /bin/chown[bash:26292] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3278] uid/euid:0/0 gid/egid:0/0
> >
> > RBAC enabled, just to see what will happen.
> >
> > Apr 27 23:22:14 gcn kernel: [143530.000378] grsec: (admin:S:/) exec of /bin/grep (grep --colour=auto RBAC /proc/3278/status ) by /bin/grep[bash:26294] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3278] uid/euid:0/0 gid/egid:0/0
> >
> > Apr 27 23:22:25 gcn kernel: [143540.657532] grsec: (miro:U:/bin/bash) denied execution of /opt/cin/cinelerra by /bin/bash[bash:26297] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:3549] uid/euid:1000/1000 gid/egid:1000/1000
> >
> > Checking if TPE was enabled. Can't show, but I remember it was not.
> > Neither tpe nor tpe_restrict_all.
> >
> > Apr 27 23:22:25 gcn kernel: [143540.657675] grsec: (miro:U:/bin/bash) denied open of /opt/cin/cinelerra for reading by /bin/bash[bash:26297] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:3549] uid/euid:1000/1000 gid/egid:1000/1000
> >
> > Apr 27 23:22:51 gcn kernel: [143566.483957] grsec: (admin:S:/) exec of /bin/cat (cat /proc/sys/kernel/grsecurity/tpe_restrict_all ) by /bin/cat[bash:26300] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3278] uid/euid:0/0 gid/egid:0/0
> >
> > Apr 27 23:22:54 gcn kernel: [143569.600844] grsec: (admin:S:/) exec of /bin/cat (cat /proc/sys/kernel/grsecurity/tpe ) by /bin/cat[bash:26303] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3278] uid/euid:0/0 gid/egid:0/0
> >
> > Disabling RBAC:
> >
> > Apr 27 23:23:13 gcn kernel: [143588.739630] grsec: (admin:S:/) exec of /sbin/gradm (gradm -D ) by /sbin/gradm[bash:26304] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3278] uid/euid:0/0 gid/egid:0/0
> >
> > ...[36 lines cut here]...
> >
> > Apr 27 23:23:41 gcn kernel: [143616.978863] grsec: exec of /opt/cin/cinelerra (/opt/cin/cinelerra ) by /opt/cin/cinelerra[bash:26350] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:3549] uid/euid:1000/1000 gid/egid:1000/1000
> >
> > I hope this pulseaudio command does no harm. Only pure alsa here.
> >
> > Apr 27 23:23:42 gcn kernel: [143617.432067] grsec: exec of /bin/bash (sh -c pactl list sinks ) by /bin/bash[cinelerra:26351] uid/euid:1000/1000 gid/egid:1000/1000, parent /opt/cin/cinelerra[cinelerra:26350] uid/euid:1000/1000 gid/egid:1000/1000
> >
> > The crucial PT_GNU_STACK, and RWX mprotect lines:
> > These typical grsec-hardened entries (starting with "grsec: denied") can only be gotten on grsecurity-hardened kernel based systems.
> >
> > Apr 27 23:23:44 gcn kernel: [143619.882015] grsec: denied marking stack executable as requested by PT_GNU_STACK marking in /opt/cin/plugins/blending/chromakeyhsv.plugin by /opt/cin/cinelerra[cinelerra:26350] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:3549] uid/euid:1000/1000 gid/egid:1000/1000
> >
> > Apr 27 23:23:44 gcn kernel: [143619.882045] grsec: denied RWX mprotect of /lib64/ld-2.22.so by /opt/cin/cinelerra[cinelerra:26350] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:3549] uid/euid:1000/1000 gid/egid:1000/1000
> >
> > Apr 27 23:23:44 gcn kernel: [143620.045971] grsec: denied marking stack executable as requested by PT_GNU_STACK marking in /opt/cin/plugins/themes/theme_blond.plugin by /opt/cin/cinelerra[cinelerra:26350] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:3549] uid/euid:1000/1000 gid/egid:1000/1000
> >
> > Apr 27 23:23:44 gcn kernel: [143620.046009] grsec: denied RWX mprotect of /lib64/ld-2.22.so by /opt/cin/cinelerra[cinelerra:26350] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:3549] uid/euid:1000/1000 gid/egid:1000/1000
> >
> > Apr 27 23:23:44 gcn kernel: [143620.046087] grsec: more alerts, logging disabled for 10 seconds
> >
> >
> > And here is where a hardened dev could help us... I've been studying
> > these days (but only for a small part of the time, this testing takes a
> > lot of energy and time), on the above PT_GNU_STACK and RWX mprotect
> > issue, and I'll try and post next to grsecurity Forums:
> >
> > Building Cinelerra and stack exec and mprotect issues
> >
> > https://forums.grsecurity.net/viewtopic.php?f=3&t=4453&sid=6acf30eee27f95dd5bc31d4d282cae77
> >
> > as I have collected some links that could help us here...
> >
> > --
> > Miroslav Rovis
> > Zagreb, Croatia
> > http://www.CroatiaFidelis.hr

--
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
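The grsec entries quoted above ("denied marking stack executable as requested by PT_GNU_STACK marking in .../chromakeyhsv.plugin") say that the plugin's ELF header asks the loader for an executable stack, which is exactly what the `-Wl,-z,noexecstack` line in the quoted build recipe is meant to remove. A practitioner rebuilding the plugins would want to confirm, before loading them on a hardened kernel, that the marking is really gone. The script below is an added example, not code from the Cinelerra project or from anyone in this thread: it reads the ELF program header table itself (both ELF64 and ELF32, so it goes a little beyond the 64-bit case in the log) and reports whether `PT_GNU_STACK` carries `PF_X`, the same fact `readelf -lW file | grep GNU_STACK` shows as `RWE` versus `RW`. The ELF images it builds for its self-check are constructed in memory and are not real plugins; the `/opt/cin/plugins` path in the comment is the one from the thread. It says nothing about the separate "denied RWX mprotect of /lib64/ld-2.22.so" entries, which are a runtime mprotect denial rather than a header marking.

```python
"""Report whether ELF objects request an executable stack via PT_GNU_STACK.

Added example, not code from the Cinelerra project or the mailing-list
thread. Parses the program header table directly (no pyelftools needed);
the sample images in make_elf64() are constructed test data.
"""
import struct
import sys

PT_GNU_STACK = 0x6474E551   # program header type carrying the stack permission request
PF_X, PF_W, PF_R = 1, 2, 4  # p_flags bits


def gnu_stack_flags(data):
    """Return the p_flags of the PT_GNU_STACK header, or None if there is none.

    Raises ValueError for non-ELF input or an unsupported ELF class.
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    endian = "<" if ei_data == 1 else ">"
    if ei_class == 2:    # ELF64
        (phoff,) = struct.unpack_from(endian + "Q", data, 32)
        phentsize, phnum = struct.unpack_from(endian + "HH", data, 54)
        # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
        phdr_fmt, flags_idx = endian + "IIQQQQQQ", 1
    elif ei_class == 1:  # ELF32
        (phoff,) = struct.unpack_from(endian + "I", data, 28)
        phentsize, phnum = struct.unpack_from(endian + "HH", data, 42)
        # p_type, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_flags, p_align
        phdr_fmt, flags_idx = endian + "IIIIIIII", 6
    else:
        raise ValueError("unknown ELF class %d" % ei_class)
    for i in range(phnum):
        fields = struct.unpack_from(phdr_fmt, data, phoff + i * phentsize)
        if fields[0] == PT_GNU_STACK:
            return fields[flags_idx]
    return None


def describe_stack(flags):
    """Turn PT_GNU_STACK p_flags into the verdict a reviewer cares about."""
    if flags is None:
        return "no PT_GNU_STACK header: the kernel/loader default applies"
    if flags & PF_X:
        return "executable stack requested (PT_GNU_STACK has PF_X)"
    return "non-executable stack"


def check_file(path):
    """Verdict for one on-disk ELF object, e.g. a built plugin."""
    with open(path, "rb") as fh:
        return describe_stack(gnu_stack_flags(fh.read()))


def make_elf64(stack_flags=None):
    """Minimal little-endian x86-64 ET_DYN image (constructed test data).

    stack_flags=None omits the PT_GNU_STACK header entirely.
    """
    phdrs = [(1, PF_R | PF_X, 0, 0, 0, 0, 0, 0x1000)]          # one PT_LOAD
    if stack_flags is not None:
        phdrs.append((PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16))
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8      # ELFCLASS64, little-endian
    ehdr += struct.pack("<HHIQQQIHHHHHH",
                        3, 62, 1, 0,          # ET_DYN, EM_X86_64, EV_CURRENT, e_entry
                        64, 0, 0,             # e_phoff right after the header, no sections
                        64, 56, len(phdrs),   # e_ehsize, e_phentsize, e_phnum
                        64, 0, 0)             # e_shentsize, e_shnum, e_shstrndx
    return ehdr + b"".join(struct.pack("<IIQQQQQQ", *p) for p in phdrs)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # e.g.  python3 check_stack.py /opt/cin/plugins/*/*.plugin
        for p in sys.argv[1:]:
            print("%s: %s" % (p, check_file(p)))
    else:
        for name, img in (("execstack", make_elf64(PF_R | PF_W | PF_X)),
                          ("noexecstack", make_elf64(PF_R | PF_W)),
                          ("no header", make_elf64(None))):
            print("%-12s %s" % (name, describe_stack(gnu_stack_flags(img))))
```

Run with no arguments it checks its own three constructed images; run with paths it reports one verdict per file. An object that still says "executable stack requested" after a rebuild means the `noexecstack` flag did not reach that link step (or an assembler input without a `.note.GNU-stack` section pulled the marking back in), and it will trip the same PT_GNU_STACK denial on a grsecurity kernel.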