How are these processes started and can they have a systemd-dropin like "display-manager.service.d" and where does it need to be placed?
kuiserver5 seems to miss -D_FORTIFY_SOURCE=2 BTW
[root@srv-rhsoft:~]$ cat /etc/systemd/system/display-manager.service.d/security.conf
[Service]
ReadOnlyDirectories=/boot
ReadOnlyDirectories=/etc
ReadOnlyDirectories=/usr
ReadWriteDirectories=-/etc/vmware
ReadWriteDirectories=-/usr/local/Zend
SystemCallFilter=~@clock @cpu-emulation @reboot @swap

[root@srv-rhsoft:~]$ checksec --proc-all | grep "No Seccomp" | grep -v vmware | grep -v "sd-pam" | grep -v crond | grep -v sshd | grep -v systemd | grep -v "grep " | grep -v bash
dbus-daemon      7816  Full RELRO   Canary found      No Seccomp   NX enabled   PIE enabled   Yes
kglobalaccel5    7908  Full RELRO   Canary found      No Seccomp   NX enabled   PIE enabled   Yes
dconf-service    7916  Full RELRO   Canary found      No Seccomp   NX enabled   PIE enabled   Yes
kactivitymanage  7998  Full RELRO   Canary found      No Seccomp   NX enabled   PIE enabled   Yes
gvfsd            8007  Full RELRO   Canary found      No Seccomp   NX enabled   PIE enabled   Yes
kuiserver5       8061  Full RELRO   No canary found   No Seccomp   NX enabled   PIE enabled   No

[root@srv-rhsoft:~]$ checksec --proc-all | grep dbus
dbus-daemon      7816  Full RELRO   Canary found      No Seccomp    NX enabled   PIE enabled   Yes
dbus-daemon       962  Full RELRO   Canary found      Seccomp-bpf   NX enabled   PIE enabled   Yes

[root@srv-rhsoft:~]$ ps aux | grep 7816
harry     7816  0.0  0.0  43700  4388 ?        Ss   17:59   0:00 /usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
Reindl Harald wrote:
How are these processes started and can they have a systemd-dropin like "display-manager.service.d" and where does it need to be placed?
kuiserver5 seems to miss -D_FORTIFY_SOURCE=2 BTW
I can confirm from build logs that kuiserver5 source files are compiled with -D_FORTIFY_SOURCE=2
kuiserver5       8061  Full RELRO   No canary found   No Seccomp   NX enabled   PIE enabled   No
Is this the source of your inquiry? ^^
If so, I don't know why it's complaining here... perhaps because kuiserver5's use of kf5-kinit confuses it?
-- Rex
Am 31.03.2018 um 18:44 schrieb Rex Dieter:
Reindl Harald wrote:
How are these processes started and can they have a systemd-dropin like "display-manager.service.d" and where does it need to be placed?
kuiserver5 seems to miss -D_FORTIFY_SOURCE=2 BTW
I can confirm from build logs that kuiserver5 source files are compiled with -D_FORTIFY_SOURCE=2
kuiserver5       8061  Full RELRO   No canary found   No Seccomp   NX enabled   PIE enabled   No
Is this the source of your inquiry? ^^
If so, I don't know why it's complaining here... perhaps because kuiserver5's use of kf5-kinit confuses it?
forget the "No canary found"
the main question is why a handful of processes have "No Seccomp" while everything else inherits "ReadOnlyDirectories" and "SystemCallFilter" from "display-manager.service"
"SystemCallFilter" is more or less a hack to get "checksec --proc-all" showing user processes which likely don't inherit "ReadOnlyDirectories"; for working as root I use ssh even on the local machine, and so that's fine and a "system read-only mounted" without the negative impact of having to remember remount-rw here and then
[root@srv-rhsoft:~]$ cat /etc/systemd/system/display-manager.service.d/security.conf
[Service]
ReadOnlyDirectories=/boot
ReadOnlyDirectories=/etc
ReadOnlyDirectories=/usr
ReadWriteDirectories=-/etc/vmware
ReadWriteDirectories=-/usr/local/Zend
SystemCallFilter=~@clock @cpu-emulation @reboot @swap

[root@srv-rhsoft:~]$ checksec --proc-all | grep "No Seccomp" | grep -v vmware | grep -v "sd-pam" | grep -v crond | grep -v sshd | grep -v systemd | grep -v "grep " | grep -v bash
dbus-daemon      7816  Full RELRO   Canary found      No Seccomp   NX enabled   PIE enabled   Yes
kglobalaccel5    7908  Full RELRO   Canary found      No Seccomp   NX enabled   PIE enabled   Yes
dconf-service    7916  Full RELRO   Canary found      No Seccomp   NX enabled   PIE enabled   Yes
kactivitymanage  7998  Full RELRO   Canary found      No Seccomp   NX enabled   PIE enabled   Yes
gvfsd            8007  Full RELRO   Canary found      No Seccomp   NX enabled   PIE enabled   Yes
kuiserver5       8061  Full RELRO   No canary found   No Seccomp   NX enabled   PIE enabled   No
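The question running through the thread ("how are these processes started, and where would a drop-in go?") can be answered per PID from /proc rather than by guessing from the process name. A process belongs to whichever systemd unit owns its cgroup, and the kernel's own view of seccomp is the Seccomp: field of /proc/PID/status (0 = none, 2 = BPF filter; that is what checksec prints as "No Seccomp" versus "Seccomp-bpf"). Processes that sit below user@UID.service were spawned by that user's systemd --user instance, which is a child of PID 1 and not of display-manager.service, so they inherit neither its mount namespace nor its SystemCallFilter; the --address=systemd: and --systemd-activation flags in the ps output above are the ones the user dbus.service unit passes, so that is the dbus-daemon instance at 7816. Processes in a session-N.scope, by contrast, were forked from the display manager's own process tree and carry its sandbox with them. The script below is an added example, not code from the thread or from any of the tools it mentions; it assumes a Linux host with systemd and either the cgroup v1 "name=systemd" hierarchy or the cgroup v2 "0::" line, and the sample /proc texts in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Derives "who started this process"
# from /proc/PID/cgroup and its seccomp state from /proc/PID/status, and
# maps the owning unit to the drop-in directory that would actually apply.
# Assumes Linux + systemd, cgroup v1 ("name=systemd") or cgroup v2 ("0::").

# Seccomp mode from a /proc/PID/status text: 0 = none, 1 = strict,
# 2 = filter (BPF). Matches "Seccomp:" only, not the newer "Seccomp_filters:".
seccomp_mode() {
    printf '%s\n' "$1" | awk '/^Seccomp:/ { print $2; exit }'
}

# systemd cgroup path from a /proc/PID/cgroup text, e.g. (constructed)
#   "1:name=systemd:/user.slice/user-1000.slice/user@1000.service/dbus.service"
#   "0::/user.slice/user-1000.slice/session-2.scope"
cgroup_path() {
    printf '%s\n' "$1" | awk -F: '/^0::|name=systemd/ { print $NF; exit }'
}

# Innermost .service or .scope in a cgroup path: the unit that owns the process.
leaf_unit() {
    printf '%s\n' "$1" | awk -F/ '{ for (i = NF; i > 0; i--) if ($i ~ /\.(service|scope)$/) { print $i; exit } }'
}

# Who spawned the process, from the cgroup path:
#   session-scope  - in session-N.scope: forked from the login / display-manager
#                    process tree, so it inherits that service's mount namespace
#                    and SystemCallFilter
#   user-manager   - below user@UID.service: started by that user's
#                    "systemd --user", a child of PID 1, so it inherits nothing
#                    from display-manager.service
#   system-manager - a system unit started by PID 1
start_origin() {
    leaf=$(leaf_unit "$1")
    case "$leaf" in
        session-*.scope) echo session-scope ;;
        user@*.service)  echo system-manager ;;
        *)
            case "$1" in
                */user@*.service/*) echo user-manager ;;
                *)                  echo system-manager ;;
            esac ;;
    esac
}

# Drop-in directory for the unit owning the process. Returns 1 for transient
# scopes, which have no unit file to attach a drop-in to.
dropin_dir() {
    leaf=$(leaf_unit "$1")
    case "$(start_origin "$1")" in
        user-manager)   echo "/etc/systemd/user/$leaf.d/" ;;
        system-manager)
            case "$leaf" in
                user@*.service) echo "/etc/systemd/system/user@.service.d/" ;;
                *)              echo "/etc/systemd/system/$leaf.d/" ;;
            esac ;;
        *) return 1 ;;
    esac
}

# Report one live PID: name, kernel seccomp mode, owning unit, origin, drop-in dir.
inspect_pid() {
    pid=$1
    [ -r "/proc/$pid/status" ] || { echo "no such pid: $pid" >&2; return 1; }
    status=$(cat "/proc/$pid/status")
    path=$(cgroup_path "$(cat "/proc/$pid/cgroup")")
    name=$(printf '%s\n' "$status" | awk '/^Name:/ { print $2; exit }')
    printf '%-7s %-16s seccomp=%s unit=%s origin=%s dropin=%s\n' "$pid" "$name" \
        "$(seccomp_mode "$status")" "$(leaf_unit "$path")" \
        "$(start_origin "$path")" "$(dropin_dir "$path" || echo -)"
}

# Every process with no seccomp filter at all, i.e. checksec's "No Seccomp".
list_unfiltered() {
    for d in /proc/[0-9]*; do
        s=$(cat "$d/status" 2>/dev/null) || continue
        [ "$(seccomp_mode "$s")" = 0 ] && inspect_pid "${d#/proc/}"
    done
}
```

Run `inspect_pid 7816` (or `list_unfiltered`) as root on the machine in question: a user-session dbus-daemon will show origin=user-manager and a drop-in path under /etc/systemd/user/, which is why a drop-in under /etc/systemd/system/display-manager.service.d/ never reaches it. To sandbox those processes, put the ReadOnlyDirectories/SystemCallFilter settings in a drop-in for the unit the script names (or for user@.service itself, under /etc/systemd/system/user@.service.d/, which then covers everything that per-user manager starts).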