grsec and PulseAudio (and Gentoo)

This problem seems to bite some of our hardened users a couple of times a year, so thought I’d blog about it. If you are using grsec and PulseAudio, you must not enable CONFIG_GRKERNSEC_SYSFS_RESTRICT in your kernel, else autodetection of your cards will fail.

PulseAudio’s module-udev-detect needs to access /sys to discover what cards are available on the system, and that kernel option disallows this for anyone but root.

This entry was posted in Blog and tagged , , . Bookmark the permalink. Post a comment or leave a trackback: Trackback URL.

2 Comments

  1. Berkeley Churchill
    Posted November 27, 2013 at 3:28 am | Permalink

    Ooof!! Thanks for the heads-up; it would have taken me a while to figure that out.

    Is there any way to allow access to /sys for certain users? Or allow only parts of /sys to certain users? I’m hoping there’s a way to get at least some of the benefit of restricting sysfs and get pulseaudio to work at the same time.

    • Arun
      Posted November 27, 2013 at 8:36 am | Permalink

      As far as I know, grsec doesn’t allow this sort of fine-grained access control. You probably need something like AppArmor or SELinux to achieve the same thing.

      Alternatively, it seems that grsec has a hardcoded whitelist of allowed paths, so you might be able to get away with expanding that (though I don’t know how easy that would be to expand generically).

Post a Comment

Your email is never published nor shared. Required fields are marked *

*
*

You may use these HTML tags and attributes <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>