grsec and PulseAudio (and Gentoo)

This problem seems to bite some of our hardened users a couple of times a year, so thought I’d blog about it. If you are using grsec and PulseAudio, you must not enable CONFIG_GRKERNSEC_SYSFS_RESTRICT in your kernel, else autodetection of your cards will fail.

PulseAudio’s module-udev-detect needs to access /sys to discover what cards are available on the system, and that kernel option disallows this for anyone but root.

4 thoughts on “grsec and PulseAudio (and Gentoo)

  1. Ooof!! Thanks for the heads-up; it would have taken me a while to figure that out.

    Is there any way to allow access to /sys for certain users? Or allow only parts of /sys to certain users? I’m hoping there’s a way to get at least some of the benefit of restricting sysfs and get pulseaudio to work at the same time.

    1. As far as I know, grsec doesn’t allow this sort of fine-grained access control. You probably need something like AppArmor or SELinux to achieve the same thing.

      Alternatively, it seems that grsec has a hardcoded whitelist of allowed paths, so you might be able to get away with expanding that (though I don’t know how easy that would be to expand generically).

Leave a Reply

Your email address will not be published. Required fields are marked *