Sorry, my name is root, I have been root for decades, I like it when
the operations are allowed to succeed, and not deliberately failed.
The entire purpose of many "insecurity" features is to invoke nothing
but failure.  I disagree.

The security policy I like is to stop the bad guys at the door.  If you
have bad guys roaming around your house, it is already too late.  I
want any operation which authenticates or verifies to be correct, and
in this day and age of crystallographic protocols and validation it is
completely possible to do a good job.  These hacks are a sign of failure
to detect and stop bad guys before they do damage.

Frequently, the worst bad guys used to be good guys (pun).  The real
problem is to make sure the development environment is desirable
and secure, so that the effort is cohesive.

Anyway... I have completed the backup, installed the stage3 system,
and have 80% of the world built.  Still have kernel and tweaks to do,
but should have a system soon.  Gentoo is a "difficult" system to have
to install from scratch.   Seems unnecessarily abstruse.



On Wed, Apr 27, 2016 at 3:54 PM, Miroslav Rovis <miro.rovis@croatiafidelis.hr> wrote:
So more progress there has been.

On 160427-13:05-0600, Good Guy wrote:
> cd cinelerra5/cinelerra-5.1
> echo "EXTRA_LIBS += -lva" >> global_config
> echo "EXTRA_LIBS += -Wl,-z,noexecstack" >> global_config
> sed -e '1,1c#!/usr/bin/python2.7' -i guicast/bccmdl.py
> sed -e '/^bcxfer.C:/,+1s/python/python2.7/' -i guicast/Makefile
> ./configure shared
> make >& log
>

I'm also writing this for general *nix users when this is hopefully
posted as you gave me permission to. I'll give the complete output from
the terminal. Note that /opt/cin/cinelerra is issued twice: the
first will be seen, later, in the log that I will also give, as "denied
execution of /opt/cin/cinelerra" and the second as "exec of
/opt/cin/cinelerra".

miro@gcn ~ $ /opt/cin/cinelerra
bash: /opt/cin/cinelerra: Permission denied
miro@gcn ~ $
miro@gcn ~ $ /opt/cin/cinelerra
sh: pactl: command not found

Cinelerra 5.1 git://git.cinelerra-cv.org/goodguy/cinelerra.git (c)2015:
Adam Williams

Cinelerra is free software, covered by the GNU General Public License,
and you are welcome to change it and/or distribute copies of it under
certain conditions. There is absolutely no warranty for Cinelerra.


MESA-LOADER: could not create udev device for fd 5
MESA-LOADER: could not create udev device for fd 6
MESA-LOADER: could not create udev device for fd 6
init plugin index: /opt/cin/plugins
int PluginServer::open_plugin(int, Preferences*, EDL*, Plugin*):

PluginServer::open_plugin: load_obj
/opt/cin/plugins/blending/chromakeyhsv.plugin =
/opt/cin/plugins/blending/chromakeyhsv.plugin: cannot change memory
protections: Permission denied

int PluginServer::open_plugin(int, Preferences*, EDL*, Plugin*):

PluginServer::open_plugin: load_obj
/opt/cin/plugins/themes/theme_blond.plugin =
/opt/cin/plugins/themes/theme_blond.plugin: cannot change memory
protections: Permission denied

int PluginServer::open_plugin(int, Preferences*, EDL*, Plugin*):

PluginServer::open_plugin: load_obj
/opt/cin/plugins/themes/theme_blond_cv.plugin =
/opt/cin/plugins/themes/theme_blond_cv.plugin: cannot change memory
protections: Permission denied

int PluginServer::open_plugin(int, Preferences*, EDL*, Plugin*):

PluginServer::open_plugin: load_obj
/opt/cin/plugins/themes/theme_blue.plugin =
/opt/cin/plugins/themes/theme_blue.plugin: cannot change memory
protections: Permission denied

int PluginServer::open_plugin(int, Preferences*, EDL*, Plugin*):

PluginServer::open_plugin: load_obj
/opt/cin/plugins/themes/theme_blue_dot.plugin =
/opt/cin/plugins/themes/theme_blue_dot.plugin: cannot change memory
protections: Permission denied

int PluginServer::open_plugin(int, Preferences*, EDL*, Plugin*):

PluginServer::open_plugin: load_obj
/opt/cin/plugins/themes/theme_bright.plugin =
/opt/cin/plugins/themes/theme_bright.plugin: cannot change memory
protections: Permission denied

int PluginServer::open_plugin(int, Preferences*, EDL*, Plugin*):

PluginServer::open_plugin: load_obj
/opt/cin/plugins/themes/theme_hulk.plugin =
/opt/cin/plugins/themes/theme_hulk.plugin: cannot change memory
protections: Permission denied

int PluginServer::open_plugin(int, Preferences*, EDL*, Plugin*):

PluginServer::open_plugin: load_obj
/opt/cin/plugins/themes/theme_pinklady.plugin =
/opt/cin/plugins/themes/theme_pinklady.plugin: cannot change memory
protections: Permission denied

int PluginServer::open_plugin(int, Preferences*, EDL*, Plugin*):

PluginServer::open_plugin: load_obj
/opt/cin/plugins/themes/theme_suv.plugin =
/opt/cin/plugins/themes/theme_suv.plugin: cannot change memory
protections: Permission denied

int PluginServer::open_plugin(int, Preferences*, EDL*, Plugin*):

PluginServer::open_plugin: load_obj
/opt/cin/plugins/themes/theme_unflat.plugin =
/opt/cin/plugins/themes/theme_unflat.plugin: cannot change memory
protections: Permission denied

init ladspa index: /opt/cin/ladspa
MWindow::init_theme: prefered theme S.U.V. not found.
MWindow::init_theme: theme_plugin not found.
unjoined tids / owner 1
  000003297c18b700 / 000003298d7eb740 12BC_Clipboard
miro@gcn ~ $

Just to tell that Cinelerra showed the little opening window in the
middle of the screen, but did not freeze like in the last attempt.
Instead it exited and returned the command prompt. The previous attempt
can be read at:

http://lists.cinelerra-cv.org/pipermail/cinelerra/2016q2/004711.html
And it shows the Cinelerra girl holding a huge 5.1 notice.

The same happened. Only, it exited gracefully (if that's what giving the
command prompt back is).

Now the logs:

Freshly installed today's goodguy's git repo Cinelerra 5.1. Chowning it
to user and group miro:miro.

Apr 27 23:22:03 gcn kernel: [143518.989075] grsec: (admin:S:/) exec of
/bin/chown (chown -R miro:miro /opt/cin ) by /bin/chown[bash:26292]
uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3278] uid/euid:0/0
gid/egid:0/0

RBAC enabled, just to see what will happen.

Apr 27 23:22:14 gcn kernel: [143530.000378] grsec: (admin:S:/) exec of
/bin/grep (grep --colour=auto RBAC /proc/3278/status ) by
/bin/grep[bash:26294] uid/euid:0/0 gid/egid:0/0, parent
/bin/bash[bash:3278] uid/euid:0/0 gid/egid:0/0

Apr 27 23:22:25 gcn kernel: [143540.657532] grsec: (miro:U:/bin/bash)
denied execution of /opt/cin/cinelerra by /bin/bash[bash:26297]
uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:3549]
uid/euid:1000/1000 gid/egid:1000/1000


Checking if TPE was enabled. Can't show, but I remember it was not.
Neither tpe nor tpe_restrict_all.

Apr 27 23:22:25 gcn kernel: [143540.657675] grsec: (miro:U:/bin/bash)
denied open of /opt/cin/cinelerra for reading by /bin/bash[bash:26297]
uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:3549]
uid/euid:1000/1000 gid/egid:1000/1000

Apr 27 23:22:51 gcn kernel: [143566.483957] grsec: (admin:S:/) exec of
/bin/cat (cat /proc/sys/kernel/grsecurity/tpe_restrict_all ) by
/bin/cat[bash:26300] uid/euid:0/0 gid/egid:0/0, parent
/bin/bash[bash:3278] uid/euid:0/0 gid/egid:0/0

Apr 27 23:22:54 gcn kernel: [143569.600844] grsec: (admin:S:/) exec of
/bin/cat (cat /proc/sys/kernel/grsecurity/tpe ) by /bin/cat[bash:26303]
uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:3278] uid/euid:0/0
gid/egid:0/0


Disabling RBAC:

Apr 27 23:23:13 gcn kernel: [143588.739630] grsec: (admin:S:/) exec of
/sbin/gradm (gradm -D ) by /sbin/gradm[bash:26304] uid/euid:0/0
gid/egid:0/0, parent /bin/bash[bash:3278] uid/euid:0/0 gid/egid:0/0

...[36 lines cut here]...

Apr 27 23:23:41 gcn kernel: [143616.978863] grsec: exec of
/opt/cin/cinelerra (/opt/cin/cinelerra ) by
/opt/cin/cinelerra[bash:26350] uid/euid:1000/1000 gid/egid:1000/1000,
parent /bin/bash[bash:3549] uid/euid:1000/1000 gid/egid:1000/1000

I hope this pulseaudio command does no harm. Only pure alsa here.

Apr 27 23:23:42 gcn kernel: [143617.432067] grsec: exec of /bin/bash (sh
-c pactl list sinks ) by /bin/bash[cinelerra:26351] uid/euid:1000/1000
gid/egid:1000/1000, parent /opt/cin/cinelerra[cinelerra:26350]
uid/euid:1000/1000 gid/egid:1000/1000

The crucial PT_GNU_STACK, and RWX mprotect lines:

Apr 27 23:23:44 gcn kernel: [143619.882015] grsec: denied marking stack
executable as requested by PT_GNU_STACK marking in
/opt/cin/plugins/blending/chromakeyhsv.plugin by
/opt/cin/cinelerra[cinelerra:26350] uid/euid:1000/1000
gid/egid:1000/1000, parent /bin/bash[bash:3549] uid/euid:1000/1000
gid/egid:1000/1000

Apr 27 23:23:44 gcn kernel: [143619.882045] grsec: denied RWX mprotect
of /lib64/ld-2.22.so by /opt/cin/cinelerra[cinelerra:26350]
uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:3549]
uid/euid:1000/1000 gid/egid:1000/1000

Apr 27 23:23:44 gcn kernel: [143620.045971] grsec: denied marking stack
executable as requested by PT_GNU_STACK marking in
/opt/cin/plugins/themes/theme_blond.plugin by
/opt/cin/cinelerra[cinelerra:26350] uid/euid:1000/1000
gid/egid:1000/1000, parent /bin/bash[bash:3549] uid/euid:1000/1000
gid/egid:1000/1000

Apr 27 23:23:44 gcn kernel: [143620.046009] grsec: denied RWX mprotect
of /lib64/ld-2.22.so by /opt/cin/cinelerra[cinelerra:26350]
uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:3549]
uid/euid:1000/1000 gid/egid:1000/1000

Apr 27 23:23:44 gcn kernel: [143620.046087] grsec: more alerts, logging
disabled for 10 seconds


And here is where a hardened dev could help us... I've been studying
these days (but only for small part of the time, this testing takes a
lot of energy and time), on the above PT_GNU_STACK and RWX mprotect
issue, and I'll try and post next to grsecurity Forums:

Building Cinelerra and stack exec and mprotect issues
https://forums.grsecurity.net/viewtopic.php?f=3&t=4453&sid=6acf30eee27f95dd5bc31d4d282cae77

as I have collected some links that could help us here...

--
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
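The "denied marking stack executable as requested by PT_GNU_STACK marking" lines in the log above are the kernel refusing a plugin that was linked with an executable-stack marking, which is what the `-Wl,-z,noexecstack` line in the build recipe is meant to clear. As an added example, not code from this thread or from Cinelerra, here is a small Python checker that reads the ELF64 program headers of each plugin under a directory and reports the ones that would trigger that denial; the minimal ELF image it builds is constructed test input, and /opt/cin/plugins is the directory name taken from the log.

```python
import struct
from pathlib import Path

PT_GNU_STACK = 0x6474E551   # program header type that carries the stack flags
PF_X = 0x1                  # executable bit in p_flags

def build_minimal_elf64(stack_flags=None) -> bytes:
    """Construct a tiny little-endian ELF64 image (constructed test input,
    not a real binary) whose only program header is PT_GNU_STACK with
    the given p_flags; with stack_flags=None it has no program headers."""
    phnum = 0 if stack_flags is None else 1
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8  # ELFCLASS64, LSB
    ehdr = e_ident + struct.pack("<HHIQQQIHHHHHH",
        3, 62, 1, 0, 64 if phnum else 0, 0, 0, 64, 56, phnum, 64, 0, 0)
    phdr = b"" if phnum == 0 else struct.pack("<IIQQQQQQ",
        PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return ehdr + phdr

def gnu_stack_flags(data: bytes):
    """Return p_flags of the PT_GNU_STACK header, or None when it is absent."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            return p_flags
    return None

def requests_exec_stack(data: bytes) -> bool:
    """True when loading this object asks for an executable stack: either
    PT_GNU_STACK has PF_X set, or the header is missing, in which case
    glibc falls back to an executable stack on most architectures."""
    flags = gnu_stack_flags(data)
    return flags is None or bool(flags & PF_X)

def scan_plugins(directory="/opt/cin/plugins"):
    """List every .plugin/.so under directory that a hardened kernel would
    refuse with the PT_GNU_STACK denial seen in the grsec log."""
    offenders = []
    for path in sorted(Path(directory).rglob("*")):
        if path.suffix in (".plugin", ".so") and path.is_file():
            if requests_exec_stack(path.read_bytes()):
                offenders.append(str(path))
    return offenders

if __name__ == "__main__":
    for p in scan_plugins():
        print("executable stack requested:", p)
```

The check is static: it only reads the marking the linker wrote, so it does not see the follow-on RWX mprotect of ld.so that the log shows, but clearing the marking at link time removes the reason for that mprotect as well.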