Hi hardened users,

Currently, when configuring the hardened kernel, the user is presented
with some predefined Security Levels. (Security options -> Grsecuirty
-> Security Level). Four of these are set by Gentoo

Hardened Gentoo [server]
Hardened Gentoo [server no rbac]
Hardened Gentoo [workstation]
Hardened Gentoo [workstation no rbac]

These are defined so as to maximize security while minimizing breakage
with Gentoo software. I'm proposing to change this to

Hardened Gentoo [server]
Hardened Gentoo [workstation or virtualization host]

One change will be to remove the "no rbac" option which is easily turned
on/off at Security options -> Grsecuirty -> Role Based Access Control
Options -> Disable RBAC system. The default will be on (ie do not
disable rbac). Even if the users doesn't want to use RBAC and still
enables it, there is no harm done since RBAC simply be available but not
used unless turned on by gradm.

The other change will be to add a "virtualization host" option.
Currently these settings are identical to the workstation and so are
coalesced, but may change. I am trying to make the hardened kernel
compatible with VirtualBox and kvm, but there are some security settings
which will most likely *always* break virtualization and will need to be
turned off.

This is work in progress and testing is appreciated. The ebuilds are on
my overlay.


--
Anthony G. Basile, Ph.D.
Gentoo Developer

Am 25.01.2011 13:26, schrieb Anthony G. Basile:
> Hi hardened users,
>
> Currently, when configuring the hardened kernel, the user is presented
> with some predefined Security Levels. (Security options -> Grsecuirty
> -> Security Level). Four of these are set by Gentoo
>
> Hardened Gentoo [server]
> Hardened Gentoo [server no rbac]
> Hardened Gentoo [workstation]
> Hardened Gentoo [workstation no rbac]
>
> These are defined so as to maximize security while minimizing breakage
> with Gentoo software. I'm proposing to change this to
>
> Hardened Gentoo [server]
> Hardened Gentoo [workstation or virtualization host]
>
> One change will be to remove the "no rbac" option which is easily turned
> on/off at Security options -> Grsecuirty -> Role Based Access Control
> Options -> Disable RBAC system. The default will be on (ie do not
> disable rbac). Even if the users doesn't want to use RBAC and still
> enables it, there is no harm done since RBAC simply be available but not
> used unless turned on by gradm.
>
> The other change will be to add a "virtualization host" option.
> Currently these settings are identical to the workstation and so are
> coalesced, but may change. I am trying to make the hardened kernel
> compatible with VirtualBox and kvm, but there are some security settings
> which will most likely *always* break virtualization and will need to be
> turned off.
>
> This is work in progress and testing is appreciated. The ebuilds are on
> my overlay.
>
>

My suggestion, as talked about in IRC:

server profile with UDEREF and KERNEXEC forced on
workstation profile with UDEREF and KERNEXEC default enabled
virtualization profile with UDEREF and KERNEXEC default disabled

While virtualbox and kvm currently have issues with both options, this may change in the future. To
be able to easily test it, those options should not be forced off, but default disabled.

Since most other apps for workstations should work with both options, they should be default
enabled. Since there might be some special issue with some specific desktop app, it should be able
to disable those options, so not forced on for them.

--
Thomas Sachau

Gentoo Linux Developer

25.01.2011 21:19, Thomas Sachau пишет:

> virtualization profile with UDEREF and KERNEXEC default disabled

KVM works fine on x86 with both UDEREF and KERNEXEC enabled, and I've been
explicitly told by some people that they run KVM host with KERNEXEC enabled
on x86_64 without any slowdown. Seems like issues are CPU arch/vendor
dependant here.

25.01.2011 22:14, Pavel Labushev пишет:

> KVM works fine on x86 with both UDEREF and KERNEXEC enabled, and I've been

Forgot to add: on AMD CPUs. I didn't test Intel's.

Hi!

On Tuesday 25 January 2011 15:19:55 Thomas Sachau wrote:
> Am 25.01.2011 13:26, schrieb Anthony G. Basile:
> server profile with UDEREF and KERNEXEC forced on
> workstation profile with UDEREF and KERNEXEC default enabled
> virtualization profile with UDEREF and KERNEXEC default disabled
>
> While virtualbox and kvm currently have issues with both options, this may
> change in the future. To be able to easily test it, those options should
> not be forced off, but default disabled.

Is this also true for XEN-based PV hosts?


Thanks,
Marcel

On Tue, Jan 25, 2011 at 9:20 PM, Marcel Meyer <meyerm@fs.tum.de> wrote:
> Is this also true for XEN-based PV hosts?

Here is the link to related bug:
http://bugs.gentoo.org/show_bug.cgi?id=279795

I have a XEN VPS with hardened gentoo. Kernel doesn`t boot with
KERNEXEC enabled.

On 01/25/2011 09:19 AM, Thomas Sachau wrote:
> Am 25.01.2011 13:26, schrieb Anthony G. Basile:
>> Hi hardened users,
>>
>> Currently, when configuring the hardened kernel, the user is presented
>> with some predefined Security Levels. (Security options -> Grsecuirty
>> -> Security Level). Four of these are set by Gentoo
>>
>> Hardened Gentoo [server]
>> Hardened Gentoo [server no rbac]
>> Hardened Gentoo [workstation]
>> Hardened Gentoo [workstation no rbac]
>>
>> These are defined so as to maximize security while minimizing breakage
>> with Gentoo software. I'm proposing to change this to
>>
>> Hardened Gentoo [server]
>> Hardened Gentoo [workstation or virtualization host]
>>
>> One change will be to remove the "no rbac" option which is easily turned
>> on/off at Security options -> Grsecuirty -> Role Based Access Control
>> Options -> Disable RBAC system. The default will be on (ie do not
>> disable rbac). Even if the users doesn't want to use RBAC and still
>> enables it, there is no harm done since RBAC simply be available but not
>> used unless turned on by gradm.
>>
>> The other change will be to add a "virtualization host" option.
>> Currently these settings are identical to the workstation and so are
>> coalesced, but may change. I am trying to make the hardened kernel
>> compatible with VirtualBox and kvm, but there are some security settings
>> which will most likely *always* break virtualization and will need to be
>> turned off.
>>
>> This is work in progress and testing is appreciated. The ebuilds are on
>> my overlay.
>>
>>
>
> My suggestion, as talked about in IRC:
>
> server profile with UDEREF and KERNEXEC forced on
> workstation profile with UDEREF and KERNEXEC default enabled
> virtualization profile with UDEREF and KERNEXEC default disabled
>
> While virtualbox and kvm currently have issues with both options, this may change in the future. To
> be able to easily test it, those options should not be forced off, but default disabled.
>
> Since most other apps for workstations should work with both options, they should be default
> enabled. Since there might be some special issue with some specific desktop app, it should be able
> to disable those options, so not forced on for them.
>

Hi everyone, its been a while since I visited this issue, but I've
finally made the change. Its still experimental, but preliminary
testing shows that nothing is broken. Hopefully it will also be useful.

Currently, the following ebuilds have the same codebase

hardened-sources-2.6.37-r2 <-> hardened-sources-2.6.37-r3

hardened-sources-2.6.32-r37 <-> hardened-sources-2.6.32-r38

The only difference is the higher rev number has the new predefined
GRSEC/PaX settings.

Please test and let me know.

--
Anthony G. Basile, Ph.D.
Gentoo Developer