Re: processes which don't inherit Namespaces vom display-manager

On 31.03.2018 at 18:44, Rex Dieter wrote:
> Reindl Harald wrote:
> 
>> How are these processes started, can they have a systemd drop-in like
>> "display-manager.service.d", and where does it need to be placed?
>>
>> kuiserver5 seems to be missing -D_FORTIFY_SOURCE=2, BTW
> 
> I can confirm from build logs that kuiserver5 source files are compiled with 
> -D_FORTIFY_SOURCE=2
> 
>>       kuiserver5   8061 Full RELRO      No canary found         No Seccomp       NX enabled    PIE enabled             No
> 
> Is this the source of your inquiry?  ^^
> 
> If so, I don't know why it's complaining here... perhaps because 
> kuiserver5's use of kf5-kinit confuses it

forget the "No canary found"

the main question is why a handful of processes have "No Seccomp" while
everything else inherits "ReadOnlyDirectories" and "SystemCallFilter"
from "display-manager.service"

"SystemCallFilter" is more or less a hack to get "checksec --proc-all"
to show the user processes which likely don't inherit "ReadOnlyDirectories";
for working as root I use ssh even on the local machine, so that's fine,
and it gives a "system read-only mounted" without the negative impact of
having to remember to remount rw now and then

[root@srv-rhsoft:~]$ cat /etc/systemd/system/display-manager.service.d/security.conf
[Service]
ReadOnlyDirectories=/boot
ReadOnlyDirectories=/etc
ReadOnlyDirectories=/usr
ReadWriteDirectories=-/etc/vmware
ReadWriteDirectories=-/usr/local/Zend
SystemCallFilter=~@clock @cpu-emulation @reboot @swap

[root@srv-rhsoft:~]$ checksec --proc-all | grep "No Seccomp" |grep -v vmware | grep -v "sd\-pam" | grep -v crond | grep -v sshd | grep -v systemd | grep -v "grep " | grep -v bash
     dbus-daemon   7816 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             Yes
   kglobalaccel5   7908 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             Yes
   dconf-service   7916 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             Yes
 kactivitymanage   7998 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             Yes
           gvfsd   8007 Full RELRO      Canary found            No Seccomp       NX enabled    PIE enabled             Yes
      kuiserver5   8061 Full RELRO      No canary found         No Seccomp       NX enabled    PIE enabled             No
_______________________________________________
kde mailing list -- kde@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to kde-leave@xxxxxxxxxxxxxxxxxxxxxxx
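As an added check that is not part of the thread above, the script below reads the kernel's own Seccomp field from /proc/<pid>/status instead of going through checksec, and walks the PPid chain to tell whether each unfiltered process is actually a descendant of the display-manager's main process, since a SystemCallFilter set on display-manager.service is only inherited down that process tree. It assumes Linux with /proc and, for the PID lookup, systemctl; the script name and the --run flag are this example's own.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Seccomp values in
# /proc/<pid>/status: 0 = none, 1 = strict, 2 = filter (what SystemCallFilter installs).
# Usage: sh seccomp_report.sh --run [display-manager main PID]

# Print the seccomp mode from the text of a /proc/<pid>/status file.
seccomp_mode_of() {
    printf '%s\n' "$1" | awk '$1 == "Seccomp:" { print $2; f = 1 } END { if (!f) print "unknown" }'
}

# Print the parent PID from the text of a /proc/<pid>/status file.
ppid_of() {
    printf '%s\n' "$1" | awk '$1 == "PPid:" { print $2 }'
}

# Walk the parent chain of PID $1 and print "yes" if PID $2 is $1 itself or an ancestor.
descends_from() {
    pid=$1; anc=$2
    while [ "$pid" -gt 0 ] 2>/dev/null; do
        [ "$pid" = "$anc" ] && { echo yes; return 0; }
        text=$(cat "/proc/$pid/status" 2>/dev/null) || break   # process gone or no /proc
        pid=$(ppid_of "$text")
    done
    echo no
}

# List every process with Seccomp: 0 and whether it sits under display-manager PID $1.
report_no_seccomp() {
    dm=$1
    for st in /proc/[0-9]*/status; do
        text=$(cat "$st" 2>/dev/null) || continue
        [ "$(seccomp_mode_of "$text")" = 0 ] || continue
        pid=${st#/proc/}; pid=${pid%/status}
        name=$(printf '%s\n' "$text" | awk '$1 == "Name:" { print $2 }')
        printf '%-16s %6s  under display-manager: %s\n' \
            "$name" "$pid" "$(descends_from "$pid" "$dm")"
    done
}

if [ "${1:-}" = "--run" ]; then
    # MainPID of the unit the drop-in in the thread targets (systemctl assumed present).
    dm=${2:-$(systemctl show -p MainPID --value display-manager.service)}
    report_no_seccomp "$dm"
fi
```

Processes reported with "under display-manager: no" were started by something outside that unit's process tree, so no drop-in on display-manager.service can reach them.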