Old 12-26-2011, 05:57 PM
"Anthony G. Basile"
 
Changes to the predefined grsec profiles: GRKERNSEC_HARDENED_{SERVER,WORKSTATION,VIRTUALIZATION}

Hi everyone,

For a while now, we've been supporting three predefined grsec profiles
in the hardened-sources kernel. Upstream provides four. These are

GRKERNSEC_LOW
GRKERNSEC_MEDIUM
GRKERNSEC_HIGH
GRKERNSEC_CUSTOM

We've added three which we think are useful to the Gentoo community.
These are pretty self explanatory:

GRKERNSEC_HARDENED_SERVER
GRKERNSEC_HARDENED_WORKSTATION
GRKERNSEC_HARDENED_VIRTUALIZATION

To be clear, the virtualization profile is for the *host*, but in some
cases applies even for the guest.

The basic difference between these is that only the server has
GRKERNSEC_IO which messes up Xorg in some cases, and virtualization does
not have KERNEXEC and UDEREF which often breaks virt hosts.

Upstream has recently added new options which we could not make use of
until gcc 4.5.* was stabilized. We have now added these options to all
three predefined Gentoo grsec profiles, as well as having made a few
other tweaks. Here are the additions:

GRKERNSEC_SYSFS_RESTRICT - hardening of /sys by restricting read

GRKERNSEC_AUDIT_PTRACE - add ptrace logging

GRKERNSEC_SETXID - propagate uid/gid/caps to child threads

PAX_RANDKSTACK - randomize every task's kernel stack

PAX_MEMORY_STACKLEAK - zero kernel stack before return

default to OR (rather than BTS) for KERNEXEC

The latter may be problematic for people because the OR method only works on
non-binary modules that you compile from source. The BTS method will work
on binary modules, but it does have an overhead.

These changes will begin with hardened-sources-2.6.32-r81 and 3.1.6,
which I'll put on the tree later today. Let me know if any of these
changes cause problems. The only profile I expect issues with is
VIRTUALIZATION, which is so hardware dependent that it probably has other
issues too.

--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197
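An added example, not code from the thread or from hardened-sources: a POSIX shell check that reads a kernel .config, reports which of the options announced above are enabled, and says which KERNEXEC return-address method the build selects, since with the OR method only modules compiled from source will work. The symbol names CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR/_BTS are assumed from PaX's Kconfig, and the sample .config is constructed.

```shell
# Added example, not code from the thread: check a kernel .config for the
# options the announcement adds and report the KERNEXEC method. The symbol
# names PAX_KERNEXEC_PLUGIN_METHOD_OR/_BTS are assumed from PaX's Kconfig.

# Options the announcement adds (without the CONFIG_ prefix).
ADDED_OPTIONS="GRKERNSEC_SYSFS_RESTRICT GRKERNSEC_AUDIT_PTRACE GRKERNSEC_SETXID
PAX_RANDKSTACK PAX_MEMORY_STACKLEAK PAX_KERNEXEC"

# Write a constructed WORKSTATION-style .config to the path in $1.
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_GRKERNSEC_HARDENED_WORKSTATION=y
# CONFIG_GRKERNSEC_IO is not set
CONFIG_GRKERNSEC_SYSFS_RESTRICT=y
CONFIG_GRKERNSEC_AUDIT_PTRACE=y
CONFIG_GRKERNSEC_SETXID=y
# CONFIG_PAX_RANDKSTACK is not set
CONFIG_PAX_MEMORY_STACKLEAK=y
CONFIG_PAX_KERNEXEC=y
CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR=y
EOF
}

# Print y, n or unset for symbol $2 in the .config $1.
config_state() {
    if grep -q "^CONFIG_$2=y\$" "$1"; then echo y
    elif grep -q "^# CONFIG_$2 is not set\$" "$1"; then echo n
    else echo unset
    fi
}

# Print OR, BTS or none for the KERNEXEC return-address method in $1.
kernexec_method() {
    if [ "$(config_state "$1" PAX_KERNEXEC_PLUGIN_METHOD_OR)" = y ]; then echo OR
    elif [ "$(config_state "$1" PAX_KERNEXEC_PLUGIN_METHOD_BTS)" = y ]; then echo BTS
    else echo none
    fi
}

# List each added option's state on stderr; print how many are not enabled.
audit_config() {
    missing=0
    for opt in $ADDED_OPTIONS; do
        state=$(config_state "$1" "$opt")
        [ "$state" = y ] || missing=$((missing + 1))
        printf '%-26s %s\n' "$opt" "$state" >&2
    done
    if [ "$(kernexec_method "$1")" = OR ]; then
        echo "KERNEXEC method OR: only modules compiled from source will work" >&2
    fi
    echo "$missing"
}
```

Run it against a real build with `audit_config /usr/src/linux/.config` (or a copy of `/proc/config.gz` after `zcat`); a non-zero count means some announced option is off.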
 
Old 01-02-2012, 08:56 AM
Hinnerk van Bruinehsen
 
Changes to the predefined grsec profiles: GRKERNSEC_HARDENED_{SERVER,WORKSTATION,VIRTUALIZATION}


On 26.12.2011 19:57, Anthony G. Basile wrote:
> Hi everyone,
>
> For a while now, we've been supporting three predefined grsec
> profiles in the hardened-sources kernel. Upstream provides four.
> These are
>
> GRKERNSEC_LOW GRKERNSEC_MEDIUM GRKERNSEC_HIGH GRKERNSEC_CUSTOM
>
> We've added three which we think are useful to the Gentoo
> community. These are pretty self explanatory:
>
> GRKERNSEC_HARDENED_SERVER GRKERNSEC_HARDENED_WORKSTATION
> GRKERNSEC_HARDENED_VIRTUALIZATION
>
> To be clear, the virtualization profile is for the *host*, but in
> some cases applies even for the guest.
>
> The basic difference between these is that only the server has
> GRKERNSEC_IO which messes up Xorg in some cases, and virtualization
> does not have KERNEXEC and UDEREF which often breaks virt hosts.
>
> Upstream has recently added new options which we could not make use
> of until gcc 4.5.* was stabilized. We have now added these options
> to all three predefined Gentoo grsec profiles, as well as having
> made a few other tweaks. Here are the additions:
>
> GRKERNSEC_SYSFS_RESTRICT - hardening of /sys by restricting read
>
> GRKERNSEC_AUDIT_PTRACE - add ptrace logging
>
> GRKERNSEC_SETXID - propagate uid/gid/caps to children threads
>
> PAX_RANDKSTACK - randomize all task's kernel stack
>
> PAX_MEMORY_STACKLEAK - zero kernel stack before return
>
> default to OR (rather than BTS) for KERNEXEC
>
> The latter may be problematic for people because the OR method only
> works on non-binary modules that you compile from source. The BTS
> method will work on binary modules, but it does have an overhead.
>
> These changes will begin with hardened-sources-2.6.32-r81 and
> 3.1.6 which I'll put on the tree later today. Let me know if any of
> these changes cause problems. The only profile I expect issues with
> is VIRTUALIZATION, which is so hardware dependent that it probably
> has other issues too.
>

Hello,

I have two (small) problems:

- GRKERNSEC_SYSFS_RESTRICT seems to kill audio on my laptop (Thinkpad
T510). If I disable it, sound works again. (Though I normally use
pulseaudio under gnome, aplay doesn't work under bash (no X started)
either.)

- With PAX_RANDKSTACK enabled I'm not able to successfully compile
glibc-2.14.1-r2 and glibc-2.14.1-r1 (gcc-4.6.2). I get an oops
(because of the kernel stack, I think).

For now I just have disabled both options.

If you would tell me how to give any information which may help you to
debug it (if needed) you can contact me here or in irc (hvb).

With kind regards,

Hinnerk


 
Old 01-02-2012, 10:14 AM
pageexec@freemail.hu

Changes to the predefined grsec profiles: GRKERNSEC_HARDENED_{SERVER,WORKSTATION,VIRTUALIZATION}

On 2 Jan 2012 at 10:56, Hinnerk van Bruinehsen wrote:

> - With PAX_RANDKSTACK enabled I'm not able to successfully compile
> glibc-2.14.1-r2 and glibc-2.14.1-r1 (gcc-4.6.2). I get an oops
> (because of the kernel stack, I think).

That's interesting, I'd need the oops message (enable kernel symbols in
your config) and your vmlinux (not bzImage) file. You could also try to
apply PaX alone just to be sure it's not a grsec porting issue.
 
Old 01-02-2012, 05:39 PM
"Anthony G. Basile"
 
Changes to the predefined grsec profiles: GRKERNSEC_HARDENED_{SERVER,WORKSTATION,VIRTUALIZATION}

On 01/02/2012 06:14 AM, pageexec@freemail.hu wrote:
> On 2 Jan 2012 at 10:56, Hinnerk van Bruinehsen wrote:
>
>> - With PAX_RANDKSTACK enabled I'm not able to successfully compile
>> glibc-2.14.1-r2 and glibc-2.14.1-r1 (gcc-4.6.2). I get an oops
>> (because of the kernel stack, I think).
>
> That's interesting, I'd need the oops message (enable kernel symbols in
> your config) and your vmlinux (not bzImage) file. You could also try to
> apply PaX alone just to be sure it's not a grsec porting issue.
>

Hinnerk, thanks for the report and don't worry, I'm not stabilizing
these changes anytime soon.

The sysfs bug doesn't surprise me. Can you either open a bug or just
report here exactly what programs break and which work? The problem is
the way these programs were written and I'd rather patch them than relax
the sysfs restrictions, if possible. Otherwise I'll relax this on the
WORKSTATION profile.

The randkstack <-> glibc issue is of concern. If you can open a bug for it
(or at least pass on your kernel config) I'll try to reproduce and help
to get pageexec the details he needs.


--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : blueness@gentoo.org
GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535
GnuPG ID : D0455535
 
Old 01-02-2012, 06:45 PM
Matthew Thode (prometheanfire)
 
Changes to the predefined grsec profiles: GRKERNSEC_HARDENED_{SERVER,WORKSTATION,VIRTUALIZATION}

On Mon, 02 Jan 2012 13:39:45 -0500
"Anthony G. Basile" <blueness@gentoo.org> wrote:

> On 01/02/2012 06:14 AM, pageexec@freemail.hu wrote:
> > On 2 Jan 2012 at 10:56, Hinnerk van Bruinehsen wrote:
> >
> >> - With PAX_RANDKSTACK enabled I'm not able to successfully compile
> >> glibc-2.14.1-r2 and glibc-2.14.1-r1 (gcc-4.6.2). I get an oops
> >> (because of the kernel stack, I think).
> >
> > That's interesting, I'd need the oops message (enable kernel
> > symbols in your config) and your vmlinux (not bzImage) file. You
> > could also try to apply PaX alone just to be sure it's not a grsec
> > porting issue.
> >
>
> Hinnerk, thanks for the report and don't worry, I'm not stabilizing
> these changes anytime soon.
>
> The sysfs bug doesn't surprise me. Can you either open a bug or just
> report here exactly what programs break and which work? The problem
> is the way these programs were written and I'd rather patch them than
> relax the sysfs restrictions, if possible. Otherwise I'll relax this
> on the WORKSTATION profile.
>
> The randkstack <-> glibc issue is of concern. If you can open a bug for it
> (or at least pass on your kernel config) I'll try to reproduce and
> help to get pageexec the details he needs.
>
>

I just GRKERNSEC_SYSFS_RESTRICT on the virtualization profile. Alsa is
working fine for me. Can't test pulse though :|

--
Matthew Thode (prometheanfire)
 
Old 01-03-2012, 07:11 AM
Hinnerk van Bruinehsen
 
Changes to the predefined grsec profiles: GRKERNSEC_HARDENED_{SERVER,WORKSTATION,VIRTUALIZATION}


On 02.01.2012 20:45, Matthew Thode (prometheanfire) wrote:
> On Mon, 02 Jan 2012 13:39:45 -0500 "Anthony G. Basile"
> <blueness@gentoo.org> wrote:
>
>> On 01/02/2012 06:14 AM, pageexec@freemail.hu wrote:
>>> On 2 Jan 2012 at 10:56, Hinnerk van Bruinehsen wrote:
>>>
>>>> - With PAX_RANDKSTACK enabled I'm not able to successfully
>>>> compile glibc-2.14.1-r2 and glibc-2.14.1-r1 (gcc-4.6.2). I
>>>> get an oops (because of the kernel stack, I think).
>>>
>>> That's interesting, I'd need the oops message (enable kernel
>>> symbols in your config) and your vmlinux (not bzImage) file.
>>> You could also try to apply PaX alone just to be sure it's not
>>> a grsec porting issue.
>>>
>>
>> Hinnerk, thanks for the report and don't worry, I'm not
>> stabilizing these changes anytime soon.
>>
>> The sysfs bug doesn't surprise me. Can you either open a bug or
>> just report here exactly what programs break and which work? The
>> problem is the way these programs were written and I'd rather
>> patch them than relax the sysfs restrictions, if possible.
>> Otherwise I'll relax this on the WORKSTATION profile.
>>
>> The randkstack <-> glibc issue is of concern. If you can open a bug
>> for it (or at least pass on your kernel config) I'll try to
>> reproduce and help to get pageexec the details he needs.
>>
>>
>
> I just GRKERNSEC_SYSFS_RESTRICT on the virtualization profile.
> Alsa is working fine for me. Can't test pulse though :|
>

pageexec wrote a patch that fixed the randkstack issue.

I'll investigate the issue concerning GRKERNSEC_SYSFS_RESTRICT and
sound output when I have a little bit more spare time.