-----BEGIN PGP SIGNED MESSAGE-----
On 26.12.2011 19:57, Anthony G. Basile wrote:
> Hi everyone,
> For a while now, we've been supporting three predefined grsec
> profiles in the hardened-sources kernel. Upstream provides four.
> These are
> GRKERNSEC_LOW GRKERNSEC_MEDIUM GRKERNSEC_HIGH GRKERNSEC_CUSTOM
> We've added three which we think are useful to the Gentoo
> community. These are pretty self explanatory:
> GRKERNSEC_HARDENED_SERVER GRKERNSEC_HARDENED_WORKSTATION
> To be clear, the virtualization profile is for the *host*, but in
> some cases applies even for the guest.
> The basic difference between these is that only the server has
> GRKERNSEC_IO which messes up Xorg in some cases, and virtualization
> does not have KERNEXEC and UDEREF which often breaks virt hosts.
> Upstream has recently added new options which we could not make use
> of until gcc 4.5.* was stabilized. We have now added these options
> to all three predefine Gentoo grsec profiles, as well as having
> made a few other tweaks. Here are the additions:
> GRKERNSEC_SYSFS_RESTRICT - hardening of /sys by restricting read
> GRKERNSEC_AUDIT_PTRACE - add ptrace logging
> GRKERNSEC_SETXID - propagate uid/gid/caps to children threads
> PAX_RANDKSTACK - randomize all task's kernel stack
> PAX_MEMORY_STACKLEAK - zero kernel stack before return
> default to OR (rather than BTS) for KERNEXEC
> The later may be problematic for people because OR method only
> works on non-binary modules that you compile from source. BTS
> method will work on binary modules, but it does have an overhead.
> These changes will begin with hardened-sources-2.6.32-r81 and
> 3.1.6 which I'll put on the tree later today. Let me know if any of
> these changes cause problem. The only profile I expect issues with
> is VIRTUALIZATION which is so hardware dependant that it probably
> has other issues too
I have two (small) problems:
- - GRKERNSEC_SYSFS_RESTRICT seems to kill audio on my laptop (Thinkpad
T510). If I disable it, sound works again (Though I normally use
pulseaudio under gnome, aplay doesn't work under bash (no X started),
- - with PAX_RANDKSTACK enabled I'm not able to sucessfully compile
glibc-2.14.1-r2 and glibc-2.14.1-r1 (gcc-4.6.2). I get an oops
(because auf the kernelstack - I think).
For now I just have disabled both options.
If you would tell me how to give any information which may help you to
debug it (if needed) you can contact me here or in irc (hvb).
With kind regards,
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
-----END PGP SIGNATURE-----