Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Default config file is not re-applied when service is either reloaded or restarted #22

Open
psivesely opened this issue Feb 11, 2017 · 4 comments
Open

Default config file is not re-applied when service is either reloaded or restarted #22

psivesely opened this issue Feb 11, 2017 · 4 comments
Assignees
@mckinney-subgraph
Labels
enhancement

Comments

@psivesely
Copy link

systemd documents how a program should handle these systemctl commands and what UNIX signals are sent to the process. paxrat should be capable of handling them as expected. The signal Go package is the obvious go-to on implementing this one.
@mckinney-subgraph mckinney-subgraph self-assigned this Feb 13, 2017
@mckinney-subgraph
Copy link
Contributor

I don't see a problem with implementing this. It would be useful to have the paxrat watcher service respond correctly to signals sent by systemctl.

However, just to clear up something about how paxrat is configured:

The paxrat watcher service (as it is currently deployed) doesn't load the default configuration at all. It is only meant to set PaX flags for torbrowser-launcher whenever a new Tor Browser executable is downloaded and installed. For the rest of the flags, paxrat is invoked as a DPkg::Post-Invoke hook to set flags on executables after they have been updated by the package manager.

@psivesely
Copy link
Author

I can try to make a PR for this. Might not get time until the weekend to work on it. Anything else specific about how you might want this implemented or should I just use best judgment in implementing this?

I'm using paxrat on Debian Sid with the latest grsec testing kernel compiled with https://github.com/freedomofpress/ansible-role-grsecurity, so it's probably best I test with Subgraph in a VM. How do y'all do testing?

@mckinney-subgraph
Copy link
Contributor

Thanks @fowlslegs , I probably won't have time in the short-term to do it myself.

We test using qemu + kvm, this should get you up and running to install Subgraph OS in a VM:

$ qemu-img create -f qcow2 sgos.qcow2 8G
$ kvm -m 4G -hda sgos.qcow2 -cdrom subgraph-os-alpha_2016-12-30_1.iso -boot d

After completing the installation, start it up like this:

$ kvm -m 4G -hda sgos.qcow2

@psivesely
Copy link
Author

Just a heads up that I'm spending all my free time on some work relevant to the upcoming Tor meeting, so I won't have time to work on this until April, and it's cool if anyone wants to jump on it. I'll check back in April and maybe try then if it's still open.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@mckinney-subgraph mckinney-subgraph

Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@psivesely @mckinney-subgraph