funtoo forums

mrl5


Posts posted by mrl5


  1. Regarding question #2:

    I've found this cool blog post, and the method described there fixes the problem. All I have to do is run this command after every boot:

    restorecon /dev/nvidiactl /dev/nvidia0

    At this moment I've added it to /etc/init.d/xdm, but I'll dig further for a better solution.

     

    So question #1 is still open. @drobbins, any thoughts?

    EDIT:

    Q#1: answered here
    Q#2: opened bug FL-6772 related to OpenRC


  2. Some questions regarding @drobbins' announcement: https://forums.funtoo.org/topic/2997-selinux-packages-updated-in-14-and-selinux-next-development/

    1. If I (as a Funtoo user) report bugs (found on a Funtoo machine) to the Gentoo Hardened SELinux project, do I also need to report them to bugs.funtoo.org? (example: FL-6753 and 697564). That's not a problem for me, but I don't know about the devs?

    2. I think I found one sec-policy bug related to nvidia which I suspect is Funtoo-specific.

        I connect it with this change:

    Quote

    Another important change for NVIDIA proprietary graphics users -- a new package nvidia-kernel-modules is now used to install the NVIDIA kernel modules. nvidia-drivers will only install the userland components.

        but I can't tell if it's valid for Gentoo and whether I should bother @perfinion from #gentoo-hardened.

    EDIT: regarding Q#2, if someone is interested in logs:

    I believe it's /dev/nvidiactl related.

    $ startx
    
    # cat /var/log/Xorg.0.log
    [  4173.919] 
    X.Org X Server 1.20.5
    X Protocol Version 11, Revision 0
    [  4173.919] Build Operating System: Linux 4.19.67_p2-r1-debian-sources-lts x86_64 Gentoo
    [  4173.920] Current Operating System: Linux pc 4.19.67_p2-r1-debian-sources-lts #1 SMP Fri Sep 27 13:23:14 CEST 2019 x86_64
    [  4173.920] Kernel command line: BOOT_IMAGE=/kernel-debian-sources-lts-x86_64-4.19.67_p2-r1 real_root=/dev/sdc6 rootfstype=ext4 rand_id=FI38EHQ7 pci=nocrs security=selinux enforcing=1
    [  4173.921] Build Date: 11 October 2019  06:19:53PM
    [  4173.921]  
    [  4173.921] Current version of pixman: 0.34.0
    [  4173.921] 	Before reporting problems, check http://wiki.x.org
    	to make sure that you have the latest version.
    [  4173.921] Markers: (--) probed, (**) from config file, (==) default setting,
    	(++) from command line, (!!) notice, (II) informational,
    	(WW) warning, (EE) error, (NI) not implemented, (??) unknown.
    [  4173.922] (==) Log file: "/var/log/Xorg.0.log", Time: Sun Oct 13 11:44:49 2019
    [  4173.923] (==) Using config file: "/etc/X11/xorg.conf"
    [  4173.923] (==) Using config directory: "/etc/X11/xorg.conf.d"
    [  4173.923] (==) Using system config directory "/usr/share/X11/xorg.conf.d"
    [  4173.924] (==) ServerLayout "X.org Configured"
    [  4173.924] (**) |-->Screen "Screen0" (0)
    [  4173.924] (**) |   |-->Monitor "Monitor0"
    [  4173.924] (**) |   |-->Device "Card0"
    [  4173.924] (**) |-->Input Device "Mouse0"
    [  4173.924] (**) |-->Input Device "Keyboard0"
    [  4173.924] (==) Automatically adding devices
    [  4173.924] (==) Automatically enabling devices
    [  4173.924] (==) Automatically adding GPU devices
    [  4173.924] (==) Max clients allowed: 256, resource mask: 0x1fffff
    [  4173.924] (**) FontPath set to:
    	/usr/share/fonts/misc/,
    	/usr/share/fonts/TTF/,
    	/usr/share/fonts/OTF/,
    	/usr/share/fonts/Type1/,
    	/usr/share/fonts/100dpi/,
    	/usr/share/fonts/75dpi/,
    	/usr/share/fonts/misc/,
    	/usr/share/fonts/TTF/,
    	/usr/share/fonts/OTF/,
    	/usr/share/fonts/Type1/,
    	/usr/share/fonts/100dpi/,
    	/usr/share/fonts/75dpi/
    [  4173.924] (**) ModulePath set to "/usr/lib64/xorg/modules"
    [  4173.924] (WW) Hotplugging is on, devices using drivers 'kbd', 'mouse' or 'vmmouse' will be disabled.
    [  4173.924] (WW) Disabling Mouse0
    [  4173.924] (WW) Disabling Keyboard0
    [  4173.924] (II) Loader magic: 0x5631abd5ac40
    [  4173.924] (II) Module ABI versions:
    [  4173.924] 	X.Org ANSI C Emulation: 0.4
    [  4173.924] 	X.Org Video Driver: 24.0
    [  4173.924] 	X.Org XInput driver : 24.1
    [  4173.924] 	X.Org Server Extension : 10.0
    [  4173.924] (II) xfree86: Adding drm device (/dev/dri/card0)
    [  4173.927] (**) OutputClass "nvidia" ModulePath extended to "/opt/nvidia/nvidia-drivers-435.21/lib64,/opt/nvidia/nvidia-drivers-435.21/lib64/xorg/modules,/opt/nvidia/nvidia-drivers-435.21/lib64/opengl/nvidia/extensions,/usr/lib64/xorg/modules"
    [  4173.930] (--) PCI:*(1@0:0:0) 10de:1c03:10de:1c03 rev 161, Mem @ 0xe9000000/16777216, 0xd0000000/268435456, 0xe0000000/33554432, I/O @ 0x00003000/128, BIOS @ 0x????????/131072
    [  4173.930] (II) "glx" will be loaded. This was enabled by default and also specified in the config file.
    [  4173.930] (II) LoadModule: "glx"
    [  4173.930] (II) Loading /usr/lib64/xorg/modules/extensions/libglx.so
    [  4173.931] (II) Module glx: vendor="X.Org Foundation"
    [  4173.931] 	compiled for 1.20.5, module version = 1.0.0
    [  4173.931] 	ABI class: X.Org Server Extension, version 10.0
    [  4173.931] (II) LoadModule: "nvidia"
    [  4173.932] (II) Loading /opt/nvidia/nvidia-drivers-435.21/lib64/xorg/modules/drivers/nvidia_drv.so
    [  4173.932] (II) Module nvidia: vendor="NVIDIA Corporation"
    [  4173.932] 	compiled for 1.6.99.901, module version = 1.0.0
    [  4173.932] 	Module class: X.Org Video Driver
    [  4173.932] (II) NVIDIA dlloader X Driver  435.21  Sun Aug 25 08:17:08 CDT 2019
    [  4173.932] (II) NVIDIA Unified Driver for all Supported NVIDIA GPUs
    [  4173.932] (--) using VT number 7
    
    [  4173.932] (WW) xf86OpenConsole: setpgid failed: Invalid argument
    [  4173.932] (WW) xf86OpenConsole: setsid failed: Operation not permitted
    [  4173.975] (II) Loading sub module "fb"
    [  4173.975] (II) LoadModule: "fb"
    [  4173.976] (II) Loading /usr/lib64/xorg/modules/libfb.so
    [  4173.976] (II) Module fb: vendor="X.Org Foundation"
    [  4173.976] 	compiled for 1.20.5, module version = 1.0.0
    [  4173.976] 	ABI class: X.Org ANSI C Emulation, version 0.4
    [  4173.976] (II) Loading sub module "wfb"
    [  4173.976] (II) LoadModule: "wfb"
    [  4173.977] (II) Loading /usr/lib64/xorg/modules/libwfb.so
    [  4173.977] (II) Module wfb: vendor="X.Org Foundation"
    [  4173.977] 	compiled for 1.20.5, module version = 1.0.0
    [  4173.977] 	ABI class: X.Org ANSI C Emulation, version 0.4
    [  4173.977] (II) Loading sub module "ramdac"
    [  4173.977] (II) LoadModule: "ramdac"
    [  4173.977] (II) Module "ramdac" already built-in
    [  4173.977] (EE) NVIDIA: Failed to initialize the NVIDIA kernel module. Please see the
    [  4173.977] (EE) NVIDIA:     system's kernel log for additional error messages and
    [  4173.977] (EE) NVIDIA:     consult the NVIDIA README for details.
    [  4173.977] (EE) NVIDIA: Failed to initialize the NVIDIA kernel module. Please see the
    [  4173.977] (EE) NVIDIA:     system's kernel log for additional error messages and
    [  4173.977] (EE) NVIDIA:     consult the NVIDIA README for details.
    [  4173.978] (EE) NVIDIA: Failed to initialize the NVIDIA kernel module. Please see the
    [  4173.978] (EE) NVIDIA:     system's kernel log for additional error messages and
    [  4173.978] (EE) NVIDIA:     consult the NVIDIA README for details.
    [  4173.978] (EE) NVIDIA: Failed to initialize the NVIDIA kernel module. Please see the
    [  4173.978] (EE) NVIDIA:     system's kernel log for additional error messages and
    [  4173.978] (EE) NVIDIA:     consult the NVIDIA README for details.
    [  4173.978] (EE) NVIDIA: Failed to initialize the NVIDIA kernel module. Please see the
    [  4173.978] (EE) NVIDIA:     system's kernel log for additional error messages and
    [  4173.978] (EE) NVIDIA:     consult the NVIDIA README for details.
    [  4173.978] (EE) No devices detected.
    [  4173.978] (EE) 
    Fatal server error:
    [  4173.978] (EE) no screens found(EE) 
    [  4173.978] (EE) 
    Please consult the The X.Org Foundation support 
    	 at http://wiki.x.org
     for help. 
    [  4173.978] (EE) Please also check the log file at "/var/log/Xorg.0.log" for additional information.
    [  4173.978] (EE) 
    [  4174.074] (EE) Server terminated with error (1). Closing log file.
    # cat /var/log/audit/audit.log
    type=AVC msg=audit(1570959889.745:2325): avc:  denied  { read } for  pid=7911 comm="xauth" name="unix" dev="proc" ino=4026532051 scontext=staff_u:staff_r:xauth_t tcontext=system_u:object_r:proc_net_t tclass=file permissive=0
    type=SYSCALL msg=audit(1570959889.745:2325): arch=c000003e syscall=21 success=no exit=-13 a0=7fffc6865100 a1=4 a2=7fffc6865106 a3=1 items=1 ppid=7910 pid=7911 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=tty3 ses=6 comm="xauth" exe="/usr/bin/xauth" subj=staff_u:staff_r:xauth_t key=(null)
    type=CWD msg=audit(1570959889.745:2325): cwd="/home/kuba"
    type=PATH msg=audit(1570959889.745:2325): item=0 name="/proc/net/unix" inode=4026532051 dev=00:04 mode=0100444 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:proc_net_t nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
    type=PROCTITLE msg=audit(1570959889.745:2325): proctitle=7861757468006C6973740070633A30
    type=AVC msg=audit(1570959889.745:2326): avc:  denied  { read } for  pid=7913 comm="xauth" name="unix" dev="proc" ino=4026532051 scontext=staff_u:staff_r:xauth_t tcontext=system_u:object_r:proc_net_t tclass=file permissive=0
    type=SYSCALL msg=audit(1570959889.745:2326): arch=c000003e syscall=21 success=no exit=-13 a0=7ffe1358c600 a1=4 a2=7ffe1358c606 a3=1 items=1 ppid=7898 pid=7913 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=tty3 ses=6 comm="xauth" exe="/usr/bin/xauth" subj=staff_u:staff_r:xauth_t key=(null)
    type=CWD msg=audit(1570959889.745:2326): cwd="/home/kuba"
    type=PATH msg=audit(1570959889.745:2326): item=0 name="/proc/net/unix" inode=4026532051 dev=00:04 mode=0100444 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:proc_net_t nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
    type=PROCTITLE msg=audit(1570959889.745:2326): proctitle=7861757468002D71
    type=AVC msg=audit(1570959889.765:2327): avc:  denied  { getpgid } for  pid=7915 comm="X" scontext=staff_u:staff_r:xserver_t tcontext=staff_u:staff_r:staff_t tclass=process permissive=0
    type=SYSCALL msg=audit(1570959889.765:2327): arch=c000003e syscall=121 success=no exit=-13 a0=1eea a1=7fff69fd9da0 a2=3 a3=5631abb3752d items=0 ppid=7914 pid=7915 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=tty3 ses=6 comm="X" exe="/usr/bin/Xorg" subj=staff_u:staff_r:xserver_t key=(null)
    type=PROCTITLE msg=audit(1570959889.765:2327): proctitle=2F7573722F62696E2F58002D6E6F6C697374656E00746370003A30002D61757468002F686F6D652F6B7562612F2E736572766572617574682E37383938
    type=AVC msg=audit(1570959889.809:2328): avc:  denied  { getattr } for  pid=7915 comm="X" path="/dev/nvidiactl" dev="devtmpfs" ino=20826 scontext=staff_u:staff_r:xserver_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=0
    type=AVC msg=audit(1570959889.809:2329): avc:  denied  { getattr } for  pid=7915 comm="X" path="/dev/nvidiactl" dev="devtmpfs" ino=20826 scontext=staff_u:staff_r:xserver_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=0
    type=AVC msg=audit(1570959889.813:2330): avc:  denied  { getattr } for  pid=7915 comm="X" path="/dev/nvidiactl" dev="devtmpfs" ino=20826 scontext=staff_u:staff_r:xserver_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=0
    type=AVC msg=audit(1570959889.813:2331): avc:  denied  { getattr } for  pid=7915 comm="X" path="/dev/nvidiactl" dev="devtmpfs" ino=20826 scontext=staff_u:staff_r:xserver_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=0
    type=AVC msg=audit(1570959889.813:2332): avc:  denied  { getattr } for  pid=7915 comm="X" path="/dev/nvidiactl" dev="devtmpfs" ino=20826 scontext=staff_u:staff_r:xserver_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=0
    type=AVC msg=audit(1570959889.813:2333): avc:  denied  { getattr } for  pid=7915 comm="X" path="/dev/nvidiactl" dev="devtmpfs" ino=20826 scontext=staff_u:staff_r:xserver_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=0
    type=AVC msg=audit(1570959889.813:2334): avc:  denied  { getattr } for  pid=7915 comm="X" path="/dev/nvidiactl" dev="devtmpfs" ino=20826 scontext=staff_u:staff_r:xserver_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=0
    type=AVC msg=audit(1570959889.813:2335): avc:  denied  { getattr } for  pid=7915 comm="X" path="/dev/nvidiactl" dev="devtmpfs" ino=20826 scontext=staff_u:staff_r:xserver_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=0
    type=AVC msg=audit(1570959889.813:2336): avc:  denied  { getattr } for  pid=7915 comm="X" path="/dev/nvidiactl" dev="devtmpfs" ino=20826 scontext=staff_u:staff_r:xserver_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=0
    type=AVC msg=audit(1570959889.813:2337): avc:  denied  { getattr } for  pid=7915 comm="X" path="/dev/nvidiactl" dev="devtmpfs" ino=20826 scontext=staff_u:staff_r:xserver_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=0
    type=AVC msg=audit(1570959904.753:2338): avc:  denied  { read } for  pid=7919 comm="xauth" name="unix" dev="proc" ino=4026532051 scontext=staff_u:staff_r:xauth_t tcontext=system_u:object_r:proc_net_t tclass=file permissive=0
    type=SYSCALL msg=audit(1570959904.753:2338): arch=c000003e syscall=21 success=no exit=-13 a0=7fff56b3b2f0 a1=4 a2=7fff56b3b2f6 a3=1 items=1 ppid=7898 pid=7919 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=tty3 ses=6 comm="xauth" exe="/usr/bin/xauth" subj=staff_u:staff_r:xauth_t key=(null)
    type=CWD msg=audit(1570959904.753:2338): cwd="/home/kuba"
    type=PATH msg=audit(1570959904.753:2338): item=0 name="/proc/net/unix" inode=4026532051 dev=00:04 mode=0100444 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:proc_net_t nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
    type=PROCTITLE msg=audit(1570959904.753:2338): proctitle=78617574680072656D6F76650070633A30003A30
    # audit2why -al | grep xserver
    allow staff_t xserver_tmp_t:file map;
    #============= xserver_t ==============
    allow xserver_t chromium_t:file { open read };
    allow xserver_t device_t:chr_file { getattr ioctl map open read write };
    allow xserver_t staff_t:file { open read };
    allow xserver_t urandom_device_t:chr_file { getattr ioctl open read };
    allow xserver_t xdm_t:file { open read };
    allow xserver_t xscreensaver_t:file { open read };
    allow xserver_t xserver_tmp_t:file map;

     


  3. Hm, looks like it's described here: https://www.funtoo.org/Package:NVIDIA_Linux_Display_Drivers

    Quote

    Once the new drivers are installed, you will notice that eselect opengl will display xorg-x11. This is OK! With the new drivers, the libglvnd package now provides libGL and brokers the GL calls to the appropriate underlying hardware-specific library, making eselect opengl redundant. We may fix this in the production release so that eselect opengl shows glvnd instead, to avoid confusion.


    @temptorsent, could you please comment on whether this is still the expected behavior?


  4. I don't see nvidia in `eselect opengl list` and `eselect opencl list`:

    # eselect opengl list
    Available OpenGL implementations:
      [1]   xorg-x11 *
    # eselect opencl list
    Available OpenCL implementations:
      [1]   ocl-icd *
    # epro show
    
    === Enabled Profiles: ===
    
            arch: x86-64bit
           build: current
         subarch: core2_64
          flavor: desktop
         mix-ins: lxde
         mix-ins: gfxcard-nvidia
    
    (...)
    # emerge -pv nvidia-kernel-modules nvidia-drivers
    
    These are the packages that would be merged, in order:
    
    Calculating dependencies... done!
    [ebuild   R    ] x11-drivers/nvidia-drivers-430.26-r2:0/430::core-gl-kit  USE="X compat32 cuda egl encodeapi glvnd gpgpu nvcuvid nvfbc nvifr nvml nvpd opencl opengl opticalflow optix raytracing static-libs tools uvm vdpau wayland xdriver xutils -abi_riscv_lp64 -abi_riscv_lp64d -acpi -driver" 0 KiB
    [ebuild   R    ] x11-drivers/nvidia-kernel-modules-430.26:0/430::core-gl-kit  USE="kms uvm -abi_riscv_lp64 -abi_riscv_lp64d" 0 KiB
    
    Total: 2 packages (2 reinstalls), Size of downloads: 0 KiB
    # lsmod | grep nvidia
    nvidia_drm             45056  2
    nvidia_modeset       1081344  3 nvidia_drm
    nvidia              18395136  83 nvidia_modeset
    drm_kms_helper        204800  1 nvidia_drm
    drm                   491520  5 drm_kms_helper,nvidia_drm
    ipmi_msghandler        65536  2 ipmi_devintf,nvidia

    But looking at the performance when I watch a 1080p movie or run glxgears, I think that nvidia is used, but I'm not 100% sure:

    # glxgears 
    Running synchronized to the vertical refresh.  The framerate should be
    approximately the same as the monitor refresh rate.
    302 frames in 5.0 seconds = 60.241 FPS
    300 frames in 5.0 seconds = 59.883 FPS
    300 frames in 5.0 seconds = 59.883 FPS

     


  5. I'm sandboxing some applications and I want to have sound. I did what's written here: https://wiki.gentoo.org/wiki/Simple_sandbox#Configure_Firefox_to_output_sound_to_larry.27s_PulseAudio_daemon

    echo -e ".include /etc/pulse/default.pa\nload-module module-native-protocol-unix auth-anonymous=1 socket=/tmp/pulse-socket" > ~larry/.config/pulse/default.pa

    but I don't like that /tmp/pulse-socket has 777 (rwxrwxrwx) permissions.

    I found this link: https://gist.github.com/Earnestly/4acc782087c0a9d9db58, created a pulseaudio user, added other users to that group and changed `auth-anonymous=1` to `auth-group=pulseaudio`, but I still have 777 (rwxrwxrwx) permissions on /tmp/pulse-socket.

     

    How can I change the permissions to e.g. 770? Is it even a good idea to "sandbox" a web browser or media player like that? (https://bugs.funtoo.org/browse/FL-6453)
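    The post above observes that PulseAudio keeps /tmp/pulse-socket at mode 0777 regardless of the auth-group setting. This added example (the editor's code, not from the post or from PulseAudio) shows the usual way to gate access anyway: connect() on a Unix socket needs search permission on every directory in the path plus write permission on the socket inode, so a socket directory with mode 0750 owned by the pulseaudio group restricts access even when the socket itself stays 0777. The directory layout and the `start` parameter are assumptions of the example.

```python
"""Check who can reach a Unix socket, taking its parent directories into account.

Added example, not from the post. Standard Unix semantics: connect() requires
search (x) on each directory of the path and write (w) on the socket inode.
The uid-0 shortcut stands in for CAP_DAC_OVERRIDE.
"""
import os
import socket
import stat
import tempfile

OTHER_UID = 65534  # a uid that owns nothing we create; used as "some other user"


def _bits_for(st, uid, gids):
    """The rwx triplet (0-7) of st that applies to a process running as uid/gids."""
    mode = st.st_mode
    if uid == 0:
        return 7
    if st.st_uid == uid:
        return (mode >> 6) & 7
    if st.st_gid in gids:
        return (mode >> 3) & 7
    return mode & 7


def can_connect(sock_path, uid, gids, start="/"):
    """True if a process running as (uid, gids) can connect() to the socket.

    Directories above `start` are taken as reachable, so a freshly created
    socket directory can be checked without depending on how the enclosing
    tmp directory happens to be set up.
    """
    path = os.path.abspath(sock_path)
    start = os.path.abspath(start)
    directory = os.path.dirname(path)
    while True:
        if not _bits_for(os.stat(directory), uid, gids) & 1:   # search bit
            return False
        if directory in (start, os.path.dirname(directory)):   # reached start or "/"
            break
        directory = os.path.dirname(directory)
    st = os.stat(path)
    return stat.S_ISSOCK(st.st_mode) and bool(_bits_for(st, uid, gids) & 2)  # write bit


def make_private_socket(dir_mode=0o750, sock_mode=0o777):
    """Create a socket directory with dir_mode and a listening socket inside it.

    sock_mode defaults to 0777 to mimic what the post observed for
    /tmp/pulse-socket. Returns (directory, socket_path, listening_socket).
    """
    directory = tempfile.mkdtemp(prefix="pulse-")
    os.chmod(directory, dir_mode)
    path = os.path.join(directory, "pulse-socket")
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    os.chmod(path, sock_mode)
    srv.listen(1)
    return directory, path, srv


def socket_group(sock_path):
    """gid of the socket's directory: the group that should be 'pulseaudio'."""
    return os.stat(os.path.dirname(sock_path)).st_gid


def current_identity():
    return os.getuid(), {os.getgid()}


def cleanup(directory, sock_path, srv):
    srv.close()
    os.unlink(sock_path)
    os.rmdir(directory)


if __name__ == "__main__":
    d, p, s = make_private_socket(0o750)
    uid, gids = current_identity()
    print("owner:", can_connect(p, uid, gids, start=d))
    print("member of socket group:", can_connect(p, OTHER_UID, {socket_group(p)}, start=d))
    print("everyone else:", can_connect(p, OTHER_UID, {OTHER_UID}, start=d))
    cleanup(d, p, s)
```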


  6. One more note: if someone plans to play with yubikey-personalization-gui, adding /etc/udev/rules.d/69-yubikey.rules is also needed: https://github.com/Yubico/yubikey-personalization/blob/master/69-yubikey.rules

    ACTION!="add|change", GOTO="yubico_end"
    
    # Udev rules for letting the console user access the Yubikey USB
    # device node, needed for challenge/response to work correctly.
    
    # Yubico Yubikey II
    ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010|0110|0111|0114|0116|0401|0403|0405|0407|0410", \
        ENV{ID_SECURITY_TOKEN}="1"
    
    LABEL="yubico_end"

     


  7. Thank you very much! The only thing I had to do to get the YubiKey working with google-chrome was to add this file https://github.com/Yubico/libu2f-host/blob/master/70-u2f.rules to /etc/udev/rules.d. Installing pam_u2f, yubikey-personalization-gui and yubikey-manager-qt was not needed at all.

    # cat /etc/udev/rules.d/70-u2f.rules 
    # Copyright (C) 2013-2015 Yubico AB
    #
    # This program is free software; you can redistribute it and/or modify it
    # under the terms of the GNU Lesser General Public License as published by
    # the Free Software Foundation; either version 2.1, or (at your option)
    # any later version.
    #
    # This program is distributed in the hope that it will be useful, but
    # WITHOUT ANY WARRANTY; without even the implied warranty of
    # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser
    # General Public License for more details.
    #
    # You should have received a copy of the GNU Lesser General Public License
    # along with this program; if not, see <http://www.gnu.org/licenses/>.
    
    # this udev file should be used with udev 188 and newer
    ACTION!="add|change", GOTO="u2f_end"
    
    # Yubico YubiKey
    KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0113|0114|0115|0116|0120|0200|0402|0403|0406|0407|0410", TAG+="uaccess", GROUP="plugdev", MODE="0660"
    
    # Happlink (formerly Plug-Up) Security KEY
    KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="2581", ATTRS{idProduct}=="f1d0", TAG+="uaccess", GROUP="plugdev", MODE="0660"
    
    # Neowave Keydo and Keydo AES
    KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1e0d", ATTRS{idProduct}=="f1d0|f1ae", TAG+="uaccess", GROUP="plugdev", MODE="0660"
    
    # HyperSecu HyperFIDO, KeyID U2F
    KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="096e|2ccf", ATTRS{idProduct}=="0880", TAG+="uaccess", GROUP="plugdev", MODE="0660"
    
    # Feitian ePass FIDO, BioPass FIDO2, KeyID U2F
    KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="096e", ATTRS{idProduct}=="0850|0852|0853|0854|0856|0858|085a|085b|085d", TAG+="uaccess", GROUP="plugdev", MODE="0660"
    
    # JaCarta U2F
    KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="24dc", ATTRS{idProduct}=="0101|0501", TAG+="uaccess", GROUP="plugdev", MODE="0660"
    
    # U2F Zero
    KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="10c4", ATTRS{idProduct}=="8acf", TAG+="uaccess", GROUP="plugdev", MODE="0660"
    
    # VASCO SeccureClick
    KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1a44", ATTRS{idProduct}=="00bb", TAG+="uaccess", GROUP="plugdev", MODE="0660"
    
    # Bluink Key
    KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="2abe", ATTRS{idProduct}=="1002", TAG+="uaccess", GROUP="plugdev", MODE="0660"
    
    # Thetis Key
    KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1ea8", ATTRS{idProduct}=="f025", TAG+="uaccess", GROUP="plugdev", MODE="0660"
    
    # Nitrokey FIDO U2F
    KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="20a0", ATTRS{idProduct}=="4287", TAG+="uaccess", GROUP="plugdev", MODE="0660"
    
    # Google Titan U2F
    KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="18d1", ATTRS{idProduct}=="5026", TAG+="uaccess", GROUP="plugdev", MODE="0660"
    
    # Tomu board + chopstx U2F + SoloKeys
    KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="cdab|a2ca", TAG+="uaccess", GROUP="plugdev", MODE="0660"
    
    # SoloKeys
    KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1209", ATTRS{idProduct}=="5070|50b0", TAG+="uaccess", GROUP="plugdev", MODE="0660"
    
    # Trezor
    KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="534c", ATTRS{idProduct}=="0001", TAG+="uaccess", GROUP="plugdev", MODE="0660"
    KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="1209", ATTRS{idProduct}=="53c1", TAG+="uaccess", GROUP="plugdev", MODE="0660"
    
    # Ledger Nano S and Nano X
    KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="2c97", ATTRS{idProduct}=="0001|0004", TAG+="uaccess", GROUP="plugdev", MODE="0660"
    
    # Kensington VeriMark
    KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="06cb", ATTRS{idProduct}=="0088", TAG+="uaccess", GROUP="plugdev", MODE="0660"
    
    # Longmai mFIDO
    KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="4c4d", ATTRS{idProduct}=="f703", TAG+="uaccess", GROUP="plugdev", MODE="0660"
    
    LABEL="u2f_end"

     


  8. I cannot use my YubiKey 5 NFC on Funtoo. The device works on Windows. I was testing it on this webpage: https://demo.yubico.com/webauthn-technical/registration with google-chrome. The green LED is present when I plug in the device and after I tap it.

    So far I've installed pam_u2f and added my user to the plugdev group:

    $ dmesg | tail
    [ 3058.732019] usb 7-1: new full-speed USB device number 7 using uhci_hcd
    [ 3058.917036] usb 7-1: New USB device found, idVendor=1050, idProduct=0407
    [ 3058.917039] usb 7-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
    [ 3058.917041] usb 7-1: Product: YubiKey OTP+FIDO+CCID
    [ 3058.917043] usb 7-1: Manufacturer: Yubico
    [ 3058.923627] input: Yubico YubiKey OTP+FIDO+CCID as /devices/pci0000:00/0000:00:1d.1/usb7/7-1/7-1:1.0/0003:1050:0407.000F/input/input18
    [ 3058.980342] hid-generic 0003:1050:0407.000F: input,hidraw4: USB HID v1.10 Keyboard [Yubico YubiKey OTP+FIDO+CCID] on usb-0000:00:1d.1-1/input0
    [ 3058.984166] hid-generic 0003:1050:0407.0010: hiddev0,hidraw5: USB HID v1.10 Device [Yubico YubiKey OTP+FIDO+CCID] on usb-0000:00:1d.1-1/input1
    $ emerge -pv google-chrome pam_u2f
    
    These are the packages that would be merged, in order:
    
    Calculating dependencies... done!
    [ebuild   R    ] www-client/google-chrome-74.0.3729.108-r1::net-kit  L10N="pl -am -ar -bg -bn -ca -cs -da -de -el -en-GB -es -es-419 -et -fa -fi -fil -fr -gu -he -hi -hr -hu -id -it -ja -kn -ko -lt -lv -ml -mr -ms -nb -nl -pt-BR -pt-PT -ro -ru -sk -sl -sr -sv -sw -ta -te -th -tr -uk -vi -zh-CN -zh-TW" 0 KiB
    [ebuild   R    ] sys-auth/pam_u2f-1.0.7::nokit  USE="-debug" 0 KiB
    $ groups
    wheel audio cdrom video plugdev users kuba
    $ emerge --info
    Portage 2.3.47 (python 2.7.15-final-0, funtoo/1.0/linux-gnu/arch/x86-64bit, gcc-7.4.1, glibc-2.27-r6, 4.9.168_p1-debian-sources-lts x86_64)
    =================================================================
    System uname: Linux-4.9.168_p1-debian-sources-lts-x86_64-Intel-R-_Core-TM-2_Quad_CPU_Q9650_@_3.00GHz-with-gentoo-2.2.2
    KiB Mem:     8110396 total,   4543532 free
    KiB Swap:    2097148 total,   2097148 free
    sh bash 4.4_p18
    ld GNU ld (Gentoo 2.31.1 p3) 2.31.1
    app-shells/bash:          4.4_p18::core-kit
    dev-java/java-config:     2.2.0-r4::java-kit
    dev-lang/perl:            5.26.2-r1::perl-kit
    dev-lang/python:          2.7.15::python-kit, 3.6.6::python-kit
    dev-util/cmake:           3.12.3::core-kit
    sys-apps/baselayout:      2.2.2::core-kit
    sys-apps/openrc:          0.40.2-r2::core-kit
    sys-apps/sandbox:         2.13::core-kit
    sys-devel/autoconf:       2.13::core-kit, 2.69-r4::core-kit
    sys-devel/automake:       1.11.6-r3::core-kit, 1.13.4-r2::core-kit, 1.15.1-r2::core-kit, 1.16.1-r1::core-kit
    sys-devel/binutils:       2.31.1-r1::core-kit
    sys-devel/gcc:            7.4.1-r6::core-kit
    sys-devel/gcc-config:     2.0::core-kit
    sys-devel/libtool:        2.4.6-r5::core-kit
    sys-devel/make:           4.2.1-r4::core-kit
    sys-kernel/linux-headers: 4.14::core-kit (virtual/os-headers)
    sys-libs/glibc:           2.27-r6::core-kit
    Repositories:
    
    nokit
        location: /mnt/rwstorage/var/git/meta-repo/kits/nokit
        masters: core-kit
        priority: -500
    
    core-gl-kit
        location: /mnt/rwstorage/var/git/meta-repo/kits/core-gl-kit
        masters: core-kit
        priority: 1
    
    core-hw-kit
        location: /mnt/rwstorage/var/git/meta-repo/kits/core-hw-kit
        masters: core-kit
        priority: 1
    
    core-kit
        location: /mnt/rwstorage/var/git/meta-repo/kits/core-kit
        masters: core-kit
        priority: 1
        aliases: gentoo
    
    core-server-kit
        location: /mnt/rwstorage/var/git/meta-repo/kits/core-server-kit
        masters: core-kit
        priority: 1
    
    core-ui-kit
        location: /mnt/rwstorage/var/git/meta-repo/kits/core-ui-kit
        masters: core-kit
        priority: 1
    
    desktop-kit
        location: /mnt/rwstorage/var/git/meta-repo/kits/desktop-kit
        masters: core-kit
        priority: 1
    
    dev-kit
        location: /mnt/rwstorage/var/git/meta-repo/kits/dev-kit
        masters: core-kit
        priority: 1
    
    editors-kit
        location: /mnt/rwstorage/var/git/meta-repo/kits/editors-kit
        masters: core-kit
        priority: 1
    
    games-kit
        location: /mnt/rwstorage/var/git/meta-repo/kits/games-kit
        masters: core-kit
        priority: 1
    
    gnome-kit
        location: /mnt/rwstorage/var/git/meta-repo/kits/gnome-kit
        masters: core-kit
        priority: 1
    
    haskell-kit
        location: /mnt/rwstorage/var/git/meta-repo/kits/haskell-kit
        masters: core-kit
        priority: 1
    
    java-kit
        location: /mnt/rwstorage/var/git/meta-repo/kits/java-kit
        masters: core-kit
        priority: 1
    
    kde-kit
        location: /mnt/rwstorage/var/git/meta-repo/kits/kde-kit
        masters: core-kit
        priority: 1
    
    lang-kit
        location: /mnt/rwstorage/var/git/meta-repo/kits/lang-kit
        masters: core-kit
        priority: 1
    
    lisp-scheme-kit
        location: /mnt/rwstorage/var/git/meta-repo/kits/lisp-scheme-kit
        masters: core-kit
        priority: 1
    
    llvm-kit
        location: /mnt/rwstorage/var/git/meta-repo/kits/llvm-kit
        masters: core-kit
        priority: 1
    
    media-kit
        location: /mnt/rwstorage/var/git/meta-repo/kits/media-kit
        masters: core-kit
        priority: 1
    
    ml-lang-kit
        location: /mnt/rwstorage/var/git/meta-repo/kits/ml-lang-kit
        masters: core-kit
        priority: 1
    
    net-kit
        location: /mnt/rwstorage/var/git/meta-repo/kits/net-kit
        masters: core-kit
        priority: 1
    
    perl-kit
        location: /mnt/rwstorage/var/git/meta-repo/kits/perl-kit
        masters: core-kit
        priority: 1
    
    python-kit
        location: /mnt/rwstorage/var/git/meta-repo/kits/python-kit
        masters: core-kit
        priority: 1
    
    python-modules-kit
        location: /mnt/rwstorage/var/git/meta-repo/kits/python-modules-kit
        masters: core-kit
        priority: 1
    
    ruby-kit
        location: /mnt/rwstorage/var/git/meta-repo/kits/ruby-kit
        masters: core-kit
        priority: 1
    
    rust-kit
        location: /mnt/rwstorage/var/git/meta-repo/kits/rust-kit
        masters: core-kit
        priority: 1
    
    science-kit
        location: /mnt/rwstorage/var/git/meta-repo/kits/science-kit
        masters: core-kit
        priority: 1
    
    security-kit
        location: /mnt/rwstorage/var/git/meta-repo/kits/security-kit
        masters: core-kit
        priority: 1
    
    text-kit
        location: /mnt/rwstorage/var/git/meta-repo/kits/text-kit
        masters: core-kit
        priority: 1
    
    xfce-kit
        location: /mnt/rwstorage/var/git/meta-repo/kits/xfce-kit
        masters: core-kit
        priority: 1
    
    xorg-kit
        location: /mnt/rwstorage/var/git/meta-repo/kits/xorg-kit
        masters: core-kit
        priority: 1
    
    ACCEPT_KEYWORDS="amd64 ~amd64"
    ACCEPT_LICENSE="* -@EULA Oracle-BCLA-JavaSE"
    CBUILD="x86_64-pc-linux-gnu"
    CFLAGS="-march=native -O2 -pipe"
    CHOST="x86_64-pc-linux-gnu"
    CONFIG_PROTECT="/etc /usr/lib64/libreoffice/program/sofficerc /usr/share/gnupg/qualified.txt"
    CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
    CXXFLAGS="-march=native -O2 -pipe"
    DISTDIR="/var/cache/portage/distfiles"
    FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync multilib-strict news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
    FFLAGS="-march=core2 -O2 -pipe"
    GENTOO_MIRRORS="https://fastpull-us.funtoo.org"
    LANG="en_US.utf8"
    LDFLAGS="-Wl,-O1 -Wl,--sort-common -Wl,--as-needed"
    LINGUAS="en_US pl_PL"
    MAKEOPTS="-j5"
    PKGDIR="/var/cache/portage/packages"
    PORTAGE_CONFIGROOT="/"
    PORTAGE_TMPDIR="/var/tmp"
    USE="X a52 aac acl alsa amd64 apng berkdb bluray bzip2 cdda cddb cdio cdr cracklib crypt cuda cups curl cxx dbus dnssd dri dts dvd dvdr dvdread elogind encode exif faac faad ffmpeg flac gdbm gif gpm gstreamer gtk ico iconv icu ieee1394 ios ipod ipv6 jpeg jpeg2k lame libass libguess libmpeg2 mad matroska mjpeg mmx modules mp3 mpeg mtp mudflap ncurses nls nptl nsplugin nvenc nvidia ogg opencl opengl openmp pam pcre pdf png postproc pppd python quicktime readline resolvconf sdl sdl1 session sndfile sse sse2 ssl startup-notification svg taglib tcpd theora tiff truetype twolame udev udisks unicode upower v4l vdpau vorbis vpx wav wavpack webp win32codecs wmf x264 x265 xattr xdg xml xvid zeroconf zlib" ABI_X86="64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel ice1724 intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias authn_core authz_core socache_shmcb unixd" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="mmx mmxext sse sse2 sse3 ssse3" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" GRUB_PLATFORMS="efi-64 pc" INPUT_DEVICES="evdev" KERNEL="linux" L10N="en-US pl" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php7-2" POSTGRES_TARGETS="postgres9_5" PYTHON_SINGLE_TARGET="python3_6" PYTHON_TARGETS="python3_6 python2_7" QEMU_SOFTMMU_TARGETS="i386 x86_64" QEMU_USER_TARGETS="i386 x86_64" RUBY_TARGETS="ruby23 ruby24" USERLAND="GNU" VIDEO_CARDS="nvidia" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
    Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, ENV_UNSET, INSTALL_MASK, LC_ALL, PORTAGE_BINHOST, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS



  9. On 4/24/2019 at 8:12 PM, zogg said:

    I'm not even sure if all critical CVEs are fixed by anyone on Funtoo (telling me I can do it - means exactly "fighting with your computer" btw).

    That's interesting and I'm concerned. Can anyone confirm and/or provide examples?


  10. Thank you for so many answers.

    3 hours ago, savasten said:

    Sorry for the questions?  

    sshd running by default - did you file a bug report?

    Have you all checked out the youtube videos on contributing?

    Let's fix these things. We are Funtoo; @drobbins, @Oleg Vinichenko and other regulars are the directors. If it is broken, fix it.

    @savasten good point, thanks! FL-6294, FL-6295 and FL-6297.

    11 hours ago, nrc said:

    (...) but the "rolling release" model means that you can never truly have a stable system.  On a regular basis something gets rolled in that breaks things badly and you are forced to drop everything and fix it right now to get a working system again.

    If this new stepping release model provides a more stable system that is still more flexible and current than your typical binary release, I think it will be a win.  The key will be keeping updates coming on a regular basis.

    (...)

    And I'm okay with it - I would be even more okay if Funtoo adopted something like this: https://nodejs.org/en/about/releases/ or made it more visible, because I searched for it and after 5-10 minutes I stopped searching.


  11. So I had to update my desktop system from version 1.2 to 1.3 and I chose to do a fresh install from the stage3 (stage3-core2_64-1.3-release-std-2019-02-05). But during the process I noticed some (at least for me) ugly things that I would like to inform the developers about:

    TL;DR:

    1. metalog is NOT added to any runlevel by default. I think it should be added to the default/boot runlevel by default
    2. sshd IS added to the default runlevel by default. I think that's bad - this should be disabled by default

    ... if you want to read further, please be advised that I'll be grumpy from now on:

    1. I noticed that version 1.3 was out because there had been no updates for a while
      • yep, it was announced, but I check neither funtoo.org nor forums.funtoo.org on a regular basis - what happened to good old eselect news?
      • I cannot find any information on when support for version 1.2 ends - an LTS schedule would help with planning the upgrade ... (please consider something like this: https://nodejs.org/en/about/releases/ )
      • and yeah, performing a fresh install is time-consuming, at least for a desktop machine - so it would be cool to know early that the end of support for 1.2 is coming and that a fresh install is recommended
    2. I think that funtoo.org web page should be rearranged. Here is what I mean:
      • there are a lot of useful articles there, but they are often hidden and I can only find them via Google
      • there should be a section where you can see all of the articles
      • examples: https://www.funtoo.org/Security https://www.funtoo.org/Installing_a_Logger
    3. forums.funtoo.org
      • I was not able to write this post using vanilla firefox-bin-65.0 (w/o any add-ons)
      • I had to do it using google-chrome

    ... wow, you've come that far; now I'll be sentimental:

    1. Gentoo was my first distro back in the early 2000s
    2. When Daniel started Funtoo, for me it was something cool, something fresh
    3. I have a feeling that the Funtoo Project is now going in some weird direction (from an end-user perspective) that is different from what I was used to back in the day.
    4. People on the #funtoo IRC channel used to be more responsive

    I wrote this post in good faith. I like Funtoo, but I'm close to the point where I will switch to another distro ... TBH it strongly depends on how long and how smooth the process of building the rest of the desktop environment will be. Ofc everyone has his own point of view, but I really wanted to give you some feedback. If I somehow missed something and somebody disagrees, I look forward to knowing your point of view.
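A defender-side check for the two TL;DR items in the post above (no system logger enabled; sshd enabled in the default runlevel), as an added example that is not code from the post or from Funtoo. It parses `rc-update show -v` style lines ("service | runlevels"); the `SAMPLE` text is constructed to resemble a fresh stage3 install, and the list of loggers and of network daemons to flag is an assumption you would tune to your own policy.

```shell
#!/bin/sh
# Added example (not from the forum post or Funtoo): audit OpenRC runlevel
# assignments for the two issues reported in the post. Input format is that of
# `rc-update show -v`, i.e. "service | runlevel [runlevel ...]". On a live box:
#   audit_runlevels "$(rc-update show -v)"

# Constructed sample standing in for `rc-update show -v` on a fresh install.
SAMPLE='          dbus |      default
        dhcpcd |      default
       metalog |
      netmount |      default
          sshd |      default
      sysklogd |
       urandom | boot'

# Echo the runlevels assigned to service $1, reading rc-update style lines on
# stdin. Leading/trailing whitespace around the service name is stripped.
service_runlevels() {
    awk -F'|' -v svc="$1" '
        { name = $1; gsub(/^[ \t]+|[ \t]+$/, "", name) }
        name == svc { print $2 }'
}

# Succeed (exit 0) if service $1 is assigned to runlevel $2.
in_runlevel() {
    service_runlevels "$1" | tr -s ' \t' '\n\n' | grep -qx "$2"
}

# Audit the rc-update output held in $1. Prints one line per finding and
# returns the number of findings, so 0 means the configuration is clean.
audit_runlevels() {
    rc="$1"
    count=0

    # Expect at least one syslog implementation in boot or default
    # (the candidate list is an assumption; extend it for your setup).
    logger_ok=1
    for svc in metalog sysklogd rsyslog syslog-ng; do
        for lvl in boot default; do
            if printf '%s\n' "$rc" | in_runlevel "$svc" "$lvl"; then
                logger_ok=0
            fi
        done
    done
    if [ "$logger_ok" -ne 0 ]; then
        echo "no system logger (metalog/sysklogd/rsyslog/syslog-ng) in boot or default"
        count=$((count + 1))
    fi

    # Network-facing daemons should be opted into, not enabled by default.
    for svc in sshd; do
        if printf '%s\n' "$rc" | in_runlevel "$svc" default; then
            echo "$svc is enabled in the default runlevel"
            count=$((count + 1))
        fi
    done

    return "$count"
}
```

Run it once against the constructed `SAMPLE` to see both findings, then against real `rc-update show -v` output; a non-zero return lets it serve as a post-install gate in a provisioning script.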
