Grsecurity/PAX and gstreamer/ORC

Grsecurity/PAX and gstreamer/ORC

Kevin Chadwick
With all the grsecurity kernel patch options enabled, sound via
gstreamer won't work by default in Opera or parole which are two of the
few browsers and media players to run under these default grsecurity
settings.

16 plugins are blacklisted.

The error messages on plugin scan are about SELinux mmap restrictions
or home noexec.

Parole gives the error on playing audio of missing element
'audioconvert'

If you delete the registry file and then add ORC_CODE=emulate to the
environment, sound for html5 video works fine in Opera and parole plays
audio without error.

/usr/bin/gst-inspect-0.10 -b then gives only 9 blacklisted.

Blacklisted files:
  libgstpostproc.so
  libgstffmpegscale.so
  libgstpulse.so
  libgstdv.so
  libgstffmpeg.so
  libgstxvid.so
  libgstflac.so
  libgstsndfile.so
  libgstwildmidi.so

Is there anything wrong with always using the ORC_CODE=emulate debug
option except a slight performance decrease?


P.S. Is performance of binary registry files preferable over a human
readable format considering disks and memory are so fast?

Thanks, Kevin Chadwick

________________________________________________________

 Why not do something good every day and install BOINC.
________________________________________________________
_______________________________________________
gstreamer-devel mailing list
[hidden email]
http://lists.freedesktop.org/mailman/listinfo/gstreamer-devel
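
The plugin-scan errors quoted in the post above concern memory that has to be written and then executed, which is what a run-time code generator needs. The following diagnostic is an added example, not code from this thread or from ORC; it assumes a Linux system, its function names are hypothetical, and it reports which of those requests the running policy allows:

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>
/* Added example, not code from the thread; all names are hypothetical. */
#define LEN 4096
#define RW (PROT_READ | PROT_WRITE)
#define RX (PROT_READ | PROT_EXEC)

/* 1 if an anonymous page mapped as `first` can end up as `then`. */
static int probe_anon(int first, int then) {
    void *p = mmap(NULL, LEN, first, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return 0;
    int ok = first == then || mprotect(p, LEN, then) == 0;
    munmap(p, LEN);
    return ok;
}
/* Writable and executable at once: refused under W^X policies. */
int probe_anon_rwx(void) { return probe_anon(RW | PROT_EXEC, RW | PROT_EXEC); }
/* Written first, made executable later: the mprotect() transition. */
int probe_rw_then_rx(void) { return probe_anon(RW, RX); }

/* 1 if a temp file in dir maps twice, one view RW and one RX (fails on noexec). */
int probe_dual_map(const char *dir) {
    char path[4096];
    if (!dir || snprintf(path, sizeof path, "%s/jitprobe-XXXXXX", dir) >= (int)sizeof path) return 0;
    int fd = mkstemp(path);
    if (fd < 0) return 0;
    unlink(path);                       /* nothing is left behind */
    int ok = 0;
    if (ftruncate(fd, LEN) == 0) {
        void *w = mmap(NULL, LEN, RW, MAP_SHARED, fd, 0);
        void *x = mmap(NULL, LEN, RX, MAP_SHARED, fd, 0);
        ok = w != MAP_FAILED && x != MAP_FAILED;
        if (w != MAP_FAILED) munmap(w, LEN);
        if (x != MAP_FAILED) munmap(x, LEN);
    }
    close(fd);
    return ok;
}

/* No working path means generated code cannot run; only interpretation is left. */
const char *verdict(int rwx, int rw_rx, int dual) {
    return (rwx || rw_rx || dual) ? "jit-possible" : "emulate-only";
}
int main(void) {
    int a = probe_anon_rwx(), b = probe_rw_then_rx(), c = probe_dual_map(getenv("HOME"));
    printf("anon RWX=%d  RW->RX=%d  dual map in $HOME=%d  => %s\n", a, b, c, verdict(a, b, c));
    return 0;
}
```

Run it as the same user and with the same PaX marking as the media player, since the result depends on the policy applied to that process.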

Re: Grsecurity/PAX and gstreamer/ORC

Kevin Chadwick
> Is there anything wrong with always using the ORC_CODE=emulate debug
> option except a slight performance decrease?

Do I take it that there is nothing wrong, in fact perhaps something
right, in using ORC_CODE=emulate on production systems?


Re: Grsecurity/PAX and gstreamer/ORC

Tim-Philipp Müller-2
On Wed, 2012-06-20 at 16:32 +0100, Kevin Chadwick wrote:

> > Is there anything wrong with always using the ORC_CODE=emulate debug
> > option except a slight performance decrease?
>
> Do I take it that there is nothing wrong in fact perhaps something
> right in using ORC_CODE=emulate on production systems?

Perhaps ORC_CODE=backup is better in that case?

Can't you add an SELinux exception/rule ?

Cheers
 -Tim



Re: Grsecurity/PAX and gstreamer/ORC

Kevin Chadwick
> Perhaps ORC_CODE=backup is better in that case?
>

If you can, would you be good enough to explain the difference between
emulate and backup? A source code search hasn't turned up much yet.

> Can't you add an SELinux exception/rule ?

I can add PAX marking to disable mprotect but I don't see the point
when all I want is some audio playing. Lots of things break, like
Firefox, Chrome, xfcemixer, but I haven't found anything without an
alternative, such as Opera, gnome alsa mixer, that works with the
mprotection restrictions in place.


Thanks Kc