Bug#854403: paxctld flags for GNOME

[Michele Orru`]

Package: paxctld
Version: 1.2.1-1
Severity: normal
Tags: patch

Dear Maintainer,

one of the current problems preventing widespread adoption of grsec patches is 
that
the current paxctld.conf doesn't work with a default debian installation: gdm3
totally breaks down, gnome-shell itself segfaults, plus when systemd tries to
reanimate gdm3 the whole thing ends up in a messy, frustrating loop.

On my debian testing, with the following configuration, I can use gnome-shell
with X and wayland. I'm aware the patch is incomplete (for example, I didn't
check all gnome apps), but I'd say this is a start and at least gives the
opportunity of changing things within the comfort of a running desktop.

I am also aware that there exists a similar bug report (#822734) that is hanging
still, but the dude over there seemed more interested in porting the paxctl.conf
from archlinux, and anyways doesn't cover the same binaries I am.

[I hope I'll be able to motivate a bit in more detail why the flags are what
 they are and maybe provide a patch myself soon… in the meantime running on ther
 machines]

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (800, 'testing'), (700, 'unstable'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/bash
Init: systemd (via /run/systemd/system)

Versions of packages paxctld depends on:
ii  libc6     2.24-9
ii  lsb-base  9.20161125

paxctld recommends no packages.

paxctld suggests no packages.

-- Configuration Files:
/etc/paxctld.conf changed:
/usr/bin/grub-script-check      E
/usr/bin/grub-bios-setup        E
/usr/sbin/grub-mkdevicemap      E
/usr/sbin/grub-probe            E
/usr/bin/qemu-alpha             m
/usr/bin/qemu-arm               m
/usr/bin/qemu-armeb             m
/usr/bin/qemu-cris              m
/usr/bin/qemu-i386              m
/usr/bin/qemu-m68k              m
/usr/bin/qemu-microblaze        m
/usr/bin/qemu-microblazeel      m
/usr/bin/qemu-mips              m
/usr/bin/qemu-mips64            m
/usr/bin/qemu-mips64el          m
/usr/bin/qemu-mipsel            m
/usr/bin/qemu-mipsn32           m
/usr/bin/qemu-mipsn32el         m
/usr/bin/qemu-or32              m
/usr/bin/qemu-ppc               m
/usr/bin/qemu-ppc64             m
/usr/bin/qemu-ppc64abi32        m
/usr/bin/qemu-s390x             m
/usr/bin/qemu-sh4               m
/usr/bin/qemu-sh4eb             m
/usr/bin/qemu-sparc             m
/usr/bin/qemu-sparc32plus       m
/usr/bin/qemu-sparc64           m
/usr/bin/qemu-unicore32         m
/usr/bin/qemu-x86_64            m
/usr/bin/qemu-system-aarch64            m
/usr/bin/qemu-system-alpha              m
/usr/bin/qemu-system-arm                m
/usr/bin/qemu-system-cris               m
/usr/bin/qemu-system-i386               m
/usr/bin/qemu-system-lm32               m
/usr/bin/qemu-system-m68k               m
/usr/bin/qemu-system-microblaze         m
/usr/bin/qemu-system-microblazeel       m
/usr/bin/qemu-system-mips               m
/usr/bin/qemu-system-mips64             m
/usr/bin/qemu-system-mips64el           m
/usr/bin/qemu-system-mipsel             m
/usr/bin/qemu-system-moxie              m
/usr/bin/qemu-system-or32               m
/usr/bin/qemu-system-ppc                m
/usr/bin/qemu-system-ppc64              m
/usr/bin/qemu-system-ppcemb             m
/usr/bin/qemu-system-s390x              m
/usr/bin/qemu-system-sh4                m
/usr/bin/qemu-system-sh4eb              m
/usr/bin/qemu-system-sparc              m
/usr/bin/qemu-system-sparc64            m
/usr/bin/qemu-system-unicore32          m
/usr/bin/qemu-system-x86_64             m
/usr/bin/qemu-system-xtensa             m
/usr/bin/qemu-system-xtensaeb           m
/usr/lib/skype/skype            m
/usr/lib32/skype/skype          m
/usr/lib32/ld-linux.so.2        m
/usr/bin/node                   m
/opt/google/chrome/chrome-sandbox       m
/opt/google/chrome/nacl_helper          m
/opt/google/chrome/chrome               m
/usr/lib/chromium-browser/chromium-browser m
/usr/lib/firefox/firefox                m
/usr/lib/firefox/plugin-container       m
/usr/bin/webapp-container       m
/usr/lib/x86_64-linux-gnu/oxide-qt/oxide-renderer m
/usr/bin/valgrind               m
/usr/bin/python2.7              E
/usr/bin/python3.5              E
/usr/lib/jvm/java-6-sun-1.6.0.10/jre/bin/java           m
/usr/lib/jvm/java-6-sun-1.6.0.10/jre/bin/javaws         m
/usr/lib/jvm/java-6-openjdk/jre/bin/java                m
/usr/lib/jvm/java-6-openjdk/jre/bin/java                m
/usr/lib/jvm/java-8-openjdk/jre/bin/java                m
/lib/rc/bin/lsb2rcconf          E
/usr/bin/gdm3                                                   m
/usr/bin/gnome-session                                          m
/usr/bin/gnome-shell                                            mr
/usr/lib/gnome-session/gnome-session-check-accelerated          mr
/usr/lib/gnome-session/gnome-session-check-accelerated-helper   mr
/usr/lib/gnome-session/gnome-session-failed                     mr
/usr/lib/gdm3/gdm-x-session                                     m
/usr/lib/gdm3/gdm-wayland-session                               m
/usr/bin/pulseaudio                                             m

-- no debconf information