PyCharm, VS Code and other things


Ron Georgia

Sep 1, 2022, 12:50:15 PM
to HardenedBSD Users
I am running HardenedBSD on a Mac Mini 2014. I installed (pkg) both
Pycharm and VS Code. I did run gen-secadm-rules.csh from
secadm-rules.git. Pycharm launches and runs, albeit somewhat sluggishly.
After about 10 minutes PyCharm locks up then crashes with a JDK11 log.

VS Code does not run at all.

code-oss &
(venv) rgeorgia@hbsd-mini ~/w/p/kodiak_tables>
fish: Job 1, 'code-oss &' has ended

I am new to HBSD and am not sure what info anybody needs to point me in
the right direction.


uname -a
FreeBSD hbsd-mini.ronverbs.dev 13.1-STABLE-HBSD FreeBSD 13.1-STABLE-HBSD
#0 : Tue Aug 16 17:04:02 UTC 2022
ro...@ci-12.md.hardenedbsd.lan:/usr/obj/usr/src/amd64.amd64/sys/HARDENEDBSD
amd64

sudo secadm show -f ucl
secadm {
    pax = {
        path = "/usr/local/lib/thunderbird/thunderbird";
        mprotect = false;
        pageexec = false;
    }
    pax = {
        path = "/usr/local/lib/firefox/plugin-container";
        mprotect = false;
        pageexec = false;
    }
    pax = {
        path = "/usr/local/bin/node";
        mprotect = false;
        pageexec = false;
    }
    pax = {
        path = "/usr/local/lib/libreoffice/program/soffice.bin";
        mprotect = false;
        pageexec = false;
    }
    pax = {
        path = "/usr/local/lib/firefox/firefox";
        disallow_map32bit = false;
        mprotect = false;
        pageexec = false;
    }
    pax = {
        path = "/usr/local/bin/mongo";
        mprotect = false;
        pageexec = false;
    }
    pax = {
        path = "/usr/local/share/chromium/chrome";
        mprotect = false;
        pageexec = false;
        shlibrandom = false;
    }
    pax = {
        path = "/usr/local/bin/mongod";
        mprotect = false;
        pageexec = false;
    }
}

--
There seems to be a scratch in the prism of my understanding

Loic

Sep 1, 2022, 3:05:45 PM
to Ron Georgia, HardenedBSD Users
On Thu, 1 Sep 2022 12:49:52 -0400,
Ron Georgia <netv...@gmail.com> wrote:
secadm-rules.git is not maintained anymore (it is now used for
inspiration); we apply the same thing directly in the Makefile of the
ports, so the main packages generally don't need any setting for
PAX. If you are starting out on HardenedBSD, I advise you to use hbsdcontrol
first (and only if you need it) and to use secadm only as a second step.

When a program does not work, it is important to have the reflex to use
the dmesg command to see if a hardening is the cause of the problem.

For JDK11, here is the cause of your problem:
https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/wikis/home#rtld-hardening

And here is the solution:
# sysctl hardening.harden_rtld=0

--
Loic
dev team
HardenedBSD

Ron Georgia

Sep 1, 2022, 4:04:16 PM
to us...@hardenedbsd.org

Thank you for responding. I did set hardening.harden_rtld=0

Here is more (helpful?) info. I'll read through the docs, but honestly, most of it is over my head.

dmesg after attempting to launch VS Code:

[22402] [HBSD INTERNAL] the process started with non-default hardening settings
[22402] -> fname: /usr/local/share/code-oss/bin/../code-oss
[22402] -> pid: 64218 ppid: 62054 p_pax: 0x865a<NOPAGEEXEC,NOMPROTECT,SEGVGUARD,ASLR,NOSHLIBRANDOM,DISALLOWMAP32BIT,<f15>>
[22403] [HBSD INTERNAL] the process started with non-default hardening settings
[22403] -> fname: /usr/local/share/code-oss/code-oss
[22403] -> pid: 64968 ppid: 64218 p_pax: 0x865a<NOPAGEEXEC,NOMPROTECT,SEGVGUARD,ASLR,NOSHLIBRANDOM,DISALLOWMAP32BIT,<f15>>
[22403] [HBSD INTERNAL] the process started with non-default hardening settings
[22403] -> fname: /usr/local/share/code-oss/code-oss
[22403] -> pid: 66597 ppid: 64968 p_pax: 0x865a<NOPAGEEXEC,NOMPROTECT,SEGVGUARD,ASLR,NOSHLIBRANDOM,DISALLOWMAP32BIT,<f15>>
[22404] [HBSD INTERNAL] the process started with non-default hardening settings
[22404] -> fname: /usr/local/share/code-oss/code-oss
[22404] -> pid: 66622 ppid: 64968 p_pax: 0x865a<NOPAGEEXEC,NOMPROTECT,SEGVGUARD,ASLR,NOSHLIBRANDOM,DISALLOWMAP32BIT,<f15>>

cat /etc/sysctl.conf
security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
security.bsd.unprivileged_read_msgbuf=0
security.bsd.unprivileged_proc_debug=0
vfs.zfs.min_auto_ashift=12
hardening.harden_rtld=0

hbsd-mini ~> sudo sysctl hardening.harden_rtld
hardening.harden_rtld: 0

sudo hbsdcontrol pax list /usr/local/share/code-oss/code-oss
pageexec: disabled
mprotect: disabled
segvguard: sysdef
aslr: sysdef
shlibrandom: sysdef
disallow_map32bit: sysdef
insecure_kmod: sysdef
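Loic's advice in this thread is to check dmesg first, because HardenedBSD logs an `[HBSD INTERNAL]` entry for every process started with non-default hardening settings. The lines Ron posted above are dense, so here is an added example (not from the thread, and not HardenedBSD's own tooling) of a small POSIX sh/awk helper that turns those entries into one line per process, splitting the p_pax flag list into features still active and features that were disabled (the NO-prefixed names). The sample input is constructed to mirror Ron's dmesg lines; the function name hbsd_pax_summary and the treatment of the unrecognised `<f15>` bit as "skip it" are my own assumptions.

```shell
#!/bin/sh
# Added example, not part of the thread or of HardenedBSD itself.
# Summarise "[HBSD INTERNAL]" dmesg entries: one line per process, with the
# p_pax flags split into active features and disabled (NO-prefixed) ones.

# Constructed sample input, modelled on the dmesg lines quoted in the thread.
SAMPLE_DMESG='[22402] [HBSD INTERNAL] the process started with non-default hardening settings
[22402] -> fname: /usr/local/share/code-oss/bin/../code-oss
[22402] -> pid: 64218 ppid: 62054 p_pax: 0x865a<NOPAGEEXEC,NOMPROTECT,SEGVGUARD,ASLR,NOSHLIBRANDOM,DISALLOWMAP32BIT,<f15>>
[22403] [HBSD INTERNAL] the process started with non-default hardening settings
[22403] -> fname: /usr/local/share/code-oss/code-oss
[22403] -> pid: 64968 ppid: 64218 p_pax: 0x865a<NOPAGEEXEC,NOMPROTECT,SEGVGUARD,ASLR,NOSHLIBRANDOM,DISALLOWMAP32BIT,<f15>>'

# hbsd_pax_summary: read dmesg text on stdin, print
#   "<pid> <fname> active=<list> disabled=<list>"
# for every "-> pid:" line, using the most recent "-> fname:" line as the path.
hbsd_pax_summary() {
    awk '
        /-> fname:/ { fname = $NF }
        /-> pid:/ {
            pid = $4
            line = $0
            # keep only the flag list between "0x....<" and the closing ">"
            sub(/.*p_pax: 0x[0-9a-fA-F]*</, "", line)
            sub(/>$/, "", line)
            n = split(line, f, ",")
            active = ""; disabled = ""
            for (i = 1; i <= n; i++) {
                # bits the kernel did not name are printed as <fNN>; skipped here (assumption)
                if (f[i] ~ /^<f[0-9]+>$/) continue
                if (f[i] ~ /^NO/)
                    disabled = disabled (disabled == "" ? "" : ",") substr(f[i], 3)
                else
                    active = active (active == "" ? "" : ",") f[i]
            }
            print pid, fname, "active=" active, "disabled=" disabled
        }
    '
}

# Usage on the constructed sample; on a live HardenedBSD box: dmesg | hbsd_pax_summary
printf '%s\n' "$SAMPLE_DMESG" | hbsd_pax_summary
```

Run against Ron's lines this shows PAGEEXEC, MPROTECT and SHLIBRANDOM disabled (matching his `hbsdcontrol pax list` output) while SEGVGUARD, ASLR and DISALLOWMAP32BIT stay active. Note that no rtld-related flag appears in the per-process list at all, which is consistent with Loic's fix being the system-wide `hardening.harden_rtld` sysctl rather than a per-binary hbsdcontrol exemption: if a program still fails after its p_pax flags look right, the cause may be a hardening knob that is not tracked per process.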
