Ensure Ricochet works on SubgraphOS in oz without special PaX flags #389

Closed
ioerror opened this issue Mar 21, 2016 · 5 comments
Comments

@ioerror
Contributor

ioerror commented Mar 21, 2016

Once we close #387 we'll want to improve how ricochet works inside of OZ. Strangely, we do not need special flags for PaX when running ricochet outside of OZ - I suspect this is due to the environment where ricochet runs.

A basic setup of ricochet from git tip should build on SubgraphOS and run without issues. To run it within oz, we'll need a basic profile:



cat << 'EOF'> /var/lib/oz/cells.d/ricochet.json
{
"path": "/usr/bin/ricochet"
, "watchdog": ["ricochet"]
, "allowed_groups": ["debian-tor"]
, "xserver": {
    "enabled": true
    , "enable_tray": false
    , "audio_mode": "pulseaudio"
}
, "networking":{
    "type":"empty"
    , "sockets": [
        {"type":"client", "proto":"tcp", "port":9050}
        , {"type":"client", "proto":"tcp", "port":9051}
    ]
}
, "whitelist": [
    {"path":"${HOME}/.config/ricochet", "can_create":true}
    , {"path":"${HOME}/.local/share/Ricochet", "can_create":true}
]
, "environment": [
     {"name":"TOR_CONTROL_PORT"}
]
}
EOF

Then we'll need to enable it:

oz-setup install ricochet

Try running ricochet - does it work for you? If so, you're a winner and we're done. I trust it will run for a moment and then you'll see PaX exceptions in dmesg. If so, you'll need to set some exceptions:

setfattr -n user.pax.flags -v "emr" /usr/bin/oz/ricochet

In an ideal world, we'll spot the difference between running inside and outside of oz. That will allow us to never need special pax exceptions.

@ioerror
Contributor Author

ioerror commented Mar 21, 2016

I've updated the oz profile:

{
"path": "/usr/bin/ricochet"
, "allowed_groups": ["debian-tor"]
, "xserver": {
    "enabled": true
    , "enable_tray": false
    , "audio_mode": "pulseaudio"
}
, "networking":{
    "type":"empty"
    , "sockets": [
        {"type":"client", "proto":"tcp", "port":9050}
        , {"type":"client", "proto":"tcp", "port":9051}
    ]
}
, "whitelist": [
    {"path":"${HOME}/.config/ricochet", "can_create":true}
    , {"path":"${HOME}/.local/share/Ricochet", "can_create":true}
]
, "environment": [
    {"name":"TOR_CONTROL_PORT"}
]
}

It doesn't need a watchdog and really, we could remove audio - but someone might want a beep. I've removed the microphone from my laptop physically, so I don't care about exposing audio as an allowed permission.

@ioerror
Contributor Author

ioerror commented Mar 21, 2016

Here is my default SubgraphOS environment where I didn't need paxflags to run ricochet:

XDG_VTNR=2
SSH_AGENT_PID=1226
XDG_SESSION_ID=1
TOR_SOCKS_PORT=9050
TERM=xterm-256color
SHELL=/bin/bash
XDG_MENU_PREFIX=gnome-
VTE_VERSION=4204
QT_LINUX_ACCESSIBILITY_ALWAYS_ON=1
GJS_DEBUG_OUTPUT=stderr
WINDOWID=16894083
GJS_DEBUG_TOPICS=JS ERROR;JS LOG
GTK_MODULES=gail:atk-bridge
USER=user
LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=00:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc=01;31:*.arj=01;31:*.taz=01;31:*.lha=01;31:*.lz4=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.tzo=01;31:*.t7z=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.lrz=01;31:*.lz=01;31:*.lzo=01;31:*.xz=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.alz=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.cab=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.m4a=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.oga=00;36:*.opus=00;36:*.spx=00;36:*.xspf=00;36:
QT_ACCESSIBILITY=1
SSH_AUTH_SOCK=/run/user/1000/keyring/ssh
USERNAME=user
SESSION_MANAGER=local/subgraph:@/tmp/.ICE-unix/1227,unix/subgraph:/tmp/.ICE-unix/1227
TOR_CONTROL_PORT=9051
GNOME_SHELL_SESSION_MODE=subgraph
PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
DESKTOP_SESSION=default
QT_IM_MODULE=ibus
XDG_SESSION_TYPE=x11
PWD=/home/user
XMODIFIERS=@im=ibus
TOR_SOCKS_HOST=127.0.0.1
LANG=en_US.UTF-8
GDM_LANG=en_US.UTF-8
TOR_CONTROL_HOST=127.0.0.1
GDMSESSION=default
SHLVL=1
XDG_SEAT=seat0
HOME=/home/user
TOR_SKIP_LAUNCH=1
GNOME_DESKTOP_SESSION_ID=this-is-deprecated
XDG_SESSION_DESKTOP=default
LOGNAME=user
XDG_DATA_DIRS=/usr/share/gnome:/usr/local/share/:/usr/share/
DBUS_SESSION_BUS_ADDRESS=unix:abstract=/tmp/dbus-z9giNjdfN3,guid=b4fc6583308504f3b744ff7b56ec34f4
WINDOWPATH=2
XDG_RUNTIME_DIR=/run/user/1000
DISPLAY=:0
XDG_CURRENT_DESKTOP=GNOME
XAUTHORITY=/run/user/1000/gdm/Xauthority
_=/usr/bin/env
OLDPWD=/home/user

One of the above environment variables (or absence) may change the default behavior of QT - which in turn enables some (QML? PCRE? Another?) JIT along the way. This causes PaX to kill ricochet inside of OZ but not when running in an environment lacking one of those flags.

Any ideas?

@ioerror
Contributor Author

ioerror commented Mar 23, 2016

As a general update - oz also blocks incoming connections (from system Tor's configured HS) - so we'll need to implement a unix socket listener and pass that file into oz. That is one major difference between inside and outside of oz...

@special
Member

special commented Apr 3, 2016

The PaX exception is caused by rwx allocations in the software opengl implementation. When not running under oz, we're using hardware acceleration and don't need it.

From a quick search, DRAW_USE_LLVM=0 might help with Gallium. Unclear if that's relevant here or if it's going to be enough. The QtQuick 2D renderer (#367) might solve this too, once it exists.
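
The diagnosis in the comment above (rwx allocations from the software OpenGL path) can be checked from /proc/<pid>/maps. The following is an added example, not part of the original thread and not code from Ricochet or oz: it lists mappings that are both writable and executable. The function names and the sample maps excerpt are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): find writable+executable mappings.
# Input is /proc/<pid>/maps text: address perms offset dev inode [pathname]

# Print "size_kib perms backing" for each mapping with both w and x set.
rwx_mappings() {
    awk '
    function hex(s,   i, n) {    # portable hex parser; POSIX awk has no strtonum
        n = 0; s = tolower(s)
        for (i = 1; i <= length(s); i++)
            n = n * 16 + index("0123456789abcdef", substr(s, i, 1)) - 1
        return n
    }
    $2 ~ /w/ && $2 ~ /x/ {
        split($1, range, "-")
        size = (hex(range[2]) - hex(range[1])) / 1024
        backing = (NF >= 6) ? $6 : "[anon]"   # no pathname means anonymous memory
        printf "%d %s %s\n", size, $2, backing
    }'
}

# Number of W+X mappings on stdin; 0 means nothing here needs a PaX exception.
rwx_count() { rwx_mappings | awk 'END { print NR }'; }

# Constructed sample: one anonymous rwx region of the kind a JIT allocates.
SAMPLE_MAPS='55d0c2a00000-55d0c2a8f000 r-xp 00000000 fd:01 131 /usr/bin/ricochet
7f10a4000000-7f10a4021000 rw-p 00000000 00:00 0
7f10b8200000-7f10b8240000 rwxp 00000000 00:00 0
7f10c0e00000-7f10c1c00000 r-xp 00000000 fd:01 977 /usr/lib/x86_64-linux-gnu/dri/swrast_dri.so
7ffd5a1e0000-7ffd5a201000 rw-p 00000000 00:00 0 [stack]'

# Against a live process (pid is a placeholder): rwx_mappings < /proc/"$pid"/maps
printf '%s\n' "$SAMPLE_MAPS" | rwx_mappings
```

Run it against the process while the PaX exception is applied, then again after changing the renderer or setting DRAW_USE_LLVM=0; if the count drops to zero, the rwx mappings that triggered the exception are gone.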

@special
Member

special commented Jan 16, 2017

#367 is the right answer here. As long as the qtquick 2d renderer plugin is available, it should be used and avoid any OpenGL issues at all. Most likely it doesn't exist on subgraph now, but it's hopefully not hard to add.

If that isn't possible, subgraph should be setting DRAW_USE_LLVM=0 or whatever else is necessary to prevent Gallium from using rwx memory inside Oz.

Nothing for Ricochet to do here, seems like we've taken care of the rwx problems on this end.

special closed this as completed Jan 16, 2017