grsec and PulseAudio (and Gentoo)

This problem seems to bite some of our hardened users a couple of times a year, so I thought I'd blog about it. If you are using grsec and PulseAudio, do not enable CONFIG_GRKERNSEC_SYSFS_RESTRICT in your kernel, or autodetection of your sound cards will fail: the daemon starts, but it finds no cards.

PulseAudio's module-udev-detect discovers cards by enumerating the sound subsystem through libudev, and libudev does that by reading sysfs (/sys/class/sound and the device directories under it). CONFIG_GRKERNSEC_SYSFS_RESTRICT makes /sys, and anything mounted beneath it such as debugfs, readable by root only. PulseAudio normally runs as your ordinary desktop user, so the enumeration returns nothing and no cards are loaded. A quick way to confirm this is the cause: as your desktop user, try to list /sys/class/sound; if that fails with permission denied, this option (or something equivalent) is in play.
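To make the failure quick to confirm on a box, here is a small POSIX sh script, added for this post rather than anything shipped with grsecurity or PulseAudio. It reads the running kernel's config (where the kernel exposes one) to see whether CONFIG_GRKERNSEC_SYSFS_RESTRICT is set, then tries to list /sys/class/sound as the current user, which is the sysfs tree libudev walks on PulseAudio's behalf. The script name pulse_sysfs_check.sh and the config search locations are my assumptions.

```shell
#!/bin/sh
# pulse_sysfs_check.sh - added example, not from the original post.
# Checks the two things that decide whether PulseAudio's module-udev-detect
# can see sound cards on a grsecurity kernel:
#   1. whether CONFIG_GRKERNSEC_SYSFS_RESTRICT is set in the kernel config
#   2. whether the current (non-root) user can actually read /sys/class/sound

# Return 0 if the given kernel config (plain text, or gzipped as in
# /proc/config.gz) sets CONFIG_GRKERNSEC_SYSFS_RESTRICT=y, 1 otherwise.
grsec_sysfs_restrict_enabled() {
    cfg="$1"
    [ -r "$cfg" ] || return 1
    case "$cfg" in
        *.gz) reader="zcat" ;;
        *)    reader="cat" ;;
    esac
    "$reader" "$cfg" 2>/dev/null | grep -q '^CONFIG_GRKERNSEC_SYSFS_RESTRICT=y$'
}

# Return 0 if the current user can list the directory ($1, default
# /sys/class/sound) that libudev enumerates for ALSA cards, 1 otherwise.
sysfs_readable() {
    dir="${1:-/sys/class/sound}"
    ls "$dir" >/dev/null 2>&1
}

# Pick the first kernel config we can read. /proc/config.gz exists only
# with CONFIG_IKCONFIG_PROC; /boot/config-$(uname -r) is the distro's copy;
# /usr/src/linux/.config is the usual Gentoo build tree (assumed locations).
find_kernel_config() {
    for c in /proc/config.gz "/boot/config-$(uname -r)" /usr/src/linux/.config; do
        if [ -r "$c" ]; then
            echo "$c"
            return 0
        fi
    done
    return 1
}

main() {
    if cfg=$(find_kernel_config); then
        if grsec_sysfs_restrict_enabled "$cfg"; then
            echo "WARN: $cfg sets CONFIG_GRKERNSEC_SYSFS_RESTRICT=y; /sys is root-only"
        else
            echo "ok: $cfg does not set CONFIG_GRKERNSEC_SYSFS_RESTRICT"
        fi
    else
        echo "no readable kernel config found; checking /sys directly"
    fi

    if [ "$(id -u)" -eq 0 ]; then
        echo "note: running as root, so the sysfs check proves nothing; rerun as your desktop user"
    fi
    if sysfs_readable /sys/class/sound; then
        echo "ok: /sys/class/sound is readable as uid $(id -u); udev detection can enumerate cards"
    else
        echo "FAIL: cannot read /sys/class/sound as uid $(id -u); module-udev-detect will find no cards"
        return 1
    fi
}

# Run the report only when executed as a script, not when sourced.
case "$0" in
    *pulse_sysfs_check.sh) main "$@" ;;
esac
```

Run it as the user that starts PulseAudio, not as root: root can read /sys regardless of the option, so a root run only tells you about the config, not about the failure the user is actually hitting.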

Harvey Specter
Posted at 3:28 am November 27, 2013
Berkeley Churchill

Ooof!! Thanks for the heads-up; it would have taken me a while to figure that out.

Is there any way to allow access to /sys for certain users? Or allow only parts of /sys to certain users? I’m hoping there’s a way to get at least some of the benefit of restricting sysfs and get pulseaudio to work at the same time.

    Harvey Specter
    Posted at 8:36 am November 27, 2013

    As far as I know, grsec doesn’t allow this sort of fine-grained access control. You probably need something like AppArmor or SELinux to achieve the same thing.

    Alternatively, it seems that grsec has a hardcoded whitelist of allowed paths, so you might be able to get away with expanding that (though I don’t know how easy that would be to expand generically).
