Gentoo Forums
[Solved] Nvidia + GRSecurity
vnd
n00b
Joined: 28 Jan 2011
Posts: 19

PostPosted: Fri Jan 28, 2011 5:24 pm    Post subject: [Solved] Nvidia + GRSecurity

Hi, I used to use the open source nouveau drivers on hardened-sources - there were no problems with them. A few days ago I decided to look closer into CUDA technology and my first step was installing nvidia-drivers from portage. In fact, there were some notes about the Nvidia drivers' incompatibility with GRSecurity, but I ignored them because I wanted to check how it would work. I also removed everything connected with the previous driver from the kernel and changed VIDEO_CARDS to 'nvidia' before updating the system. The Xorg server ran perfectly after generating a new config file. The first problem occurred when running OpenGL applications like glxgears or cairo-dock - PaX was killing the processes because of mprotect restrictions. After changing some executable flags (paxctl -m) cairo-dock started up like before, but glxgears and other applications threw another warning message:
Code:
Xlib:  extension "GLX" missing on display ":0.0".
Error: couldn't get an RGB, Double-buffered visual

I've searched the forums looking for some information but I haven't found anything useful. The posts were either too old or related to a different topic, so I decided to create a new one.

Here’s my configuration:
Code:
vnd@vndbox ~ $ uname -rm
2.6.36-hardened-r6 x86_64
vnd@vndbox ~ $ eselect opengl show
nvidia
vnd@vndbox ~ $ equery which xorg-server
/usr/portage/x11-base/xorg-server/xorg-server-1.9.2.ebuild
vnd@vndbox ~ $ equery which nvidia-drivers
/usr/portage/x11-drivers/nvidia-drivers/nvidia-drivers-260.19.29.ebuild
vnd@vndbox ~ $ equery which nvidia-settings
/usr/portage/media-video/nvidia-settings/nvidia-settings-260.19.29.ebuild
vnd@vndbox ~ $ equery which mesa
/usr/portage/media-libs/mesa/mesa-7.9.ebuild
vnd@vndbox ~ $ cat /etc/make.conf | grep USE
USE="X acpi alsa bluetooth bzip2 cairo cdda cdr crypt cxx dbus dell dri dvd dvdr encode ffmpeg gallium gd gnome gnutls gphoto2 gpm gstreamer gtk hal hardened iconv ipod java jpeg jpeg2k laptop libnotify mad memlimit mime mmap mmx mp3 mp4 mpeg mplayer multilib nautilus nsplugin ogg opengl pam pcmcia pdf php png posix python raw readline socks5 spell sse sse2 ssse3 ssl svg threads truetype udev unicode usb vim-syntax wifi xcomposite xscreensaver xvid -cups -kde qt3 qt3support qt4"
vnd@vndbox ~ $ cat /etc/make.conf | grep VIDEO_CARDS
VIDEO_CARDS="nvidia" # "nouveau"


Another interesting thing is that glxinfo throws a segmentation fault after printing some useless info:
Code:
vnd@vndbox ~ $ glxinfo
glxinfo: error while loading shared libraries: libGL.so.1: failed to map segment from shared object: Operation not permitted
vnd@vndbox ~ $ sudo paxctl -m /usr/bin/glxinfo
vnd@vndbox ~ $ glxinfo
name of display: :0.0
Xlib:  extension "GLX" missing on display ":0.0".
( ... )
Xlib:  extension "GLX" missing on display ":0.0".
Error: couldn't find RGB GLX visual or fbconfig

Xlib:  extension "GLX" missing on display ":0.0".
( ... )
Xlib:  extension "GLX" missing on display ":0.0".
84 GLXFBConfigs:
   visual  x  bf lv rg d st colorbuffer ax dp st accumbuffer  ms  cav
 id dep cl sp sz l  ci b ro  r  g  b  a bf th cl  r  g  b  a ns b eat
----------------------------------------------------------------------
Segmentation fault


/etc/X11/xorg.conf:
Code:
Section "ServerLayout"
   Identifier     "X.org Configured"
   Screen      0  "Screen0" 0 0
   InputDevice    "Mouse0" "CorePointer"
   InputDevice    "Keyboard0" "CoreKeyboard"
EndSection

Section "Files"
   ModulePath   "/usr/lib64/xorg/modules"
   FontPath     "/usr/share/fonts/misc/"
   FontPath     "/usr/share/fonts/TTF/"
   FontPath     "/usr/share/fonts/OTF/"
   FontPath     "/usr/share/fonts/Type1/"
   FontPath     "/usr/share/fonts/100dpi/"
   FontPath     "/usr/share/fonts/75dpi/"
EndSection

Section "Module"
   Load  "glx"
   Load  "dbe"
   Load  "record"
   Load  "extmod"
EndSection

Section "InputDevice"
   Identifier  "Keyboard0"
   Driver      "kbd"
EndSection

Section "InputDevice"
   Identifier  "Mouse0"
   Driver      "mouse"
   Option       "Protocol" "auto"
   Option       "Device" "/dev/input/mice"
   Option       "ZAxisMapping" "4 5 6 7"
EndSection

Section "Monitor"
   Identifier   "Monitor0"
   VendorName   "Monitor Vendor"
   ModelName    "Monitor Model"
EndSection

Section "Device"
   Identifier  "Card0"
   Driver      "nvidia"
   Option      "AddARGBGLXVisuals" "True"
   Option      "NoLogo"            "True"
   BusID       "PCI:1:0:0"
EndSection

Section "Screen"
   Identifier "Screen0"
   Device     "Card0"
   Monitor    "Monitor0"
   
   SubSection "Display"
      Viewport   0 0
      Depth     16
   EndSubSection
   SubSection "Display"
      Viewport   0 0
      Depth     24
   EndSubSection
EndSection


Any help would be nice.


Last edited by vnd on Sat Jan 29, 2011 10:14 am; edited 1 time in total
causality
Apprentice
Joined: 03 Jun 2006
Posts: 228

PostPosted: Sat Jan 29, 2011 12:49 am

Hello,

I also use Gentoo Hardened and have always used the proprietary nVidia drivers.

FYI, you can usually get more information about these errors by checking /var/log/pax.log and /var/log/grsec.log.

I am familiar with the error messages you received, which come from the PaX system:

Code:
glxgears: error while loading shared libraries: libGL.so.1: failed to map segment from shared object: Operation not permitted


That almost always indicates that the binary (in this case, /usr/bin/glxgears) has not had the mprotect() restrictions lifted.

If you run "paxctl -v /usr/bin/glxgears" I believe this is what you will see:

Code:
localhost ~ # paxctl -v /usr/bin/glxgears
PaX control v0.5
Copyright 2004,2005,2006,2007 PaX Team <pageexec@freemail.hu>

- PaX flags: -------x-e-- [/usr/bin/glxgears]
        RANDEXEC is disabled
        EMUTRAMP is disabled


A working glxgears on a system like yours or mine needs to look like this:

Code:
localhost ~ # paxctl -v /usr/bin/glxgears
PaX control v0.5
Copyright 2004,2005,2006,2007 PaX Team <pageexec@freemail.hu>

- PaX flags: -----m-x-e-- [/usr/bin/glxgears]
        MPROTECT is disabled
        RANDEXEC is disabled
        EMUTRAMP is disabled


Your /usr/bin/Xorg (/usr/bin/X is a symlink to /usr/bin/Xorg) needs to have the same PaX flags. I believe it does not have them, and the lack of them is why it could not load the GLX extension. Check your /var/log/Xorg.0.log file and you are likely to see similar "operation not permitted" errors.

For a desktop user, the mprotect() restriction is easily the most troublesome one offered by PaX. It is a good protection and the security offered by PaX is not complete without it, but you will experience these issues anytime you upgrade or otherwise re-emerge packages that want to use GLX (including things like mplayer). If you set the correct flags for glxgears now, and later a new version of glxgears is emerged as part of a system update, you will have to set the PaX flags for glxgears again since "paxctl" operates on files and the new version replaces the old file.

Personally, I deal with this with a simple script I wrote containing all the "paxctl" commands I need to set all the needed flags for all my binaries that need them. I just run this script (as root of course) whenever I emerge something that I know will need those flags. That works for me and is no real burden now that I am familiar with how PaX works, but you will need to find some way to manage this if you want mprotect() protections on a desktop system. Systems intended to be servers are a different story, as they don't typically need OpenGL and 3D graphics.

You may want to decide whether you really need the mprotect() restrictions in order to achieve the level of security you need. You will also have issues emerging amarok and wine -- the configure part of the build process will get killed off by PaX for both of these if you use mprotect() restrictions, causing the emerge to fail. There are (manual, hackish) ways to work around that, but in both cases it is not a bug or a flaw; it is really the mprotect() restriction working as designed.
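The maintenance script causality describes above, written out as an added example (not the poster's own script, and not part of the thread): it checks the `paxctl -v` flag string and runs `paxctl -m` only where the lower-case `m` is missing, so it can be re-run after every emerge. The binary list, the `paxfix.sh` name and the sample `paxctl -v` output are constructed assumptions; the output format is the one quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: re-apply PaX flags after an emerge
# replaces a binary. Assumes paxctl(1) prints flags as shown in the thread.

# Constructed list of binaries that need MPROTECT lifted; edit for your box.
PAX_M_BINARIES="/usr/bin/Xorg /usr/bin/glxgears /usr/bin/glxinfo"

# pax_flags_line: read `paxctl -v` output on stdin and print only the flag
# string (e.g. "-----m-x-e--"); exit status 1 if no flags line is present.
pax_flags_line() {
    sed -n 's/^- PaX flags: \([^ ]*\) .*/\1/p' | grep .
}

# mprotect_disabled FLAGS: exit 0 when the lower-case 'm' is set, i.e.
# MPROTECT is explicitly disabled ("-----m-x-e--"); 1 otherwise (an
# upper-case 'M' or no letter at all means the restriction is still active).
mprotect_disabled() {
    case "$1" in
        *m*) return 0 ;;
        *)   return 1 ;;
    esac
}

# ensure_mprotect_off PATH: run paxctl -m only when the flag is missing, so
# the script is cheap and safe to re-run after every system update.
ensure_mprotect_off() {
    bin="$1"
    [ -x "$bin" ] || { echo "skip: $bin not present" >&2; return 0; }
    flags=$(paxctl -v "$bin" 2>/dev/null | pax_flags_line) || flags="(none)"
    if mprotect_disabled "$flags"; then
        echo "ok:  $bin $flags"
    else
        echo "fix: $bin $flags -> paxctl -m"
        paxctl -m "$bin"
    fi
}

# Constructed sample of the thread's "before" output, for an offline check.
SAMPLE_VERBOSE='PaX control v0.5
- PaX flags: -------x-e-- [/usr/bin/glxgears]
        RANDEXEC is disabled'

# Only touch real files when invoked as root with: sh paxfix.sh --apply
if [ "${1:-}" = "--apply" ]; then
    for b in $PAX_M_BINARIES; do ensure_mprotect_off "$b"; done
fi
```

Running it as root after each `emerge` that pulls in a GLX user keeps the flags in place without hand-typing each `paxctl -m`.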
vnd
n00b
Joined: 28 Jan 2011
Posts: 19

PostPosted: Sat Jan 29, 2011 10:10 am

Thanks, I forgot about changing my Xorg flags. Now glxgears shows even better statistics than before. :)
For other people with the same problem, these commands should make your programs work:
Code:
paxctl -m /usr/bin/Xorg
paxctl -m $name