paxrat
Default config file is not re-applied when service is either reloaded or restarted
systemd documents how a program should handle these systemctl commands and what UNIX signals are sent to the process. paxrat should be capable of handling them as expected. The signal Go package is the obvious go-to on implementing this one.
I don't see a problem with implementing this. It would be useful to have the paxrat watcher service respond correctly to signals sent by systemctl.
However, just to clear up something about how paxrat is configured:
The paxrat watcher service (as it is currently deployed) doesn't load the default configuration at all. It is only meant to set PaX flags for torbrowser-launcher whenever a new Tor Browser executable is downloaded and installed. For the rest of the flags, paxrat is invoked as a DPkg::Post-Invoke hook to set flags on executables after they have been updated by the package manager.
I can try to make a PR for this. Might not get time until the weekend to work on it. Anything else specific about how you might want this implemented or should I just use best judgment in implementing this?
I'm using paxrat on Debian Sid with the latest grsec testing kernel compiled with https://github.com/freedomofpress/ansible-role-grsecurity, so it's probably best I test with Subgraph in a VM. How do y'all do testing?
Thanks @fowlslegs, I probably won't have time in the short-term to do it myself.
We test using qemu + kvm, this should get you up and running to install Subgraph OS in a VM:
$ qemu-img create -f qcow2 sgos.qcow2 8G
$ kvm -m 4G -hda sgos.qcow2 -cdrom subgraph-os-alpha_2016-12-30_1.iso -boot d
After completing the installation, start it up like this:
$ kvm -m 4G -hda sgos.qcow2
Just a heads up that I'm spending all my free time on some work relevant to the upcoming Tor meeting, so I won't have time to work on this until April, and it's cool if anyone wants to jump on it. I'll check back in April and maybe try then if it's still open.