On 01/25/2011 09:19 AM, Thomas Sachau wrote:
> On 25.01.2011 13:26, Anthony G. Basile wrote:
>> Hi hardened users,
>>
>> Currently, when configuring the hardened kernel, the user is presented
>> with some predefined Security Levels. (Security options -> Grsecurity
>> -> Security Level). Four of these are set by Gentoo
>>
>> Hardened Gentoo [server]
>> Hardened Gentoo [server no rbac]
>> Hardened Gentoo [workstation]
>> Hardened Gentoo [workstation no rbac]
>>
>> These are defined so as to maximize security while minimizing breakage
>> with Gentoo software. I'm proposing to change this to
>>
>> Hardened Gentoo [server]
>> Hardened Gentoo [workstation or virtualization host]
>>
>> One change will be to remove the "no rbac" option which is easily turned
>> on/off at Security options -> Grsecurity -> Role Based Access Control
>> Options -> Disable RBAC system. The default will be on (i.e. do not
>> disable rbac). Even if the user doesn't want to use RBAC and still
>> enables it, there is no harm done since RBAC will simply be available but not
>> used unless turned on by gradm.
>>
>> The other change will be to add a "virtualization host" option.
>> Currently these settings are identical to the workstation and so are
>> coalesced, but may change. I am trying to make the hardened kernel
>> compatible with VirtualBox and kvm, but there are some security settings
>> which will most likely *always* break virtualization and will need to be
>> turned off.
>>
>> This is work in progress and testing is appreciated. The ebuilds are on
>> my overlay.
>>
>>
>
> My suggestion, as talked about in IRC:
>
> server profile with UDEREF and KERNEXEC forced on
> workstation profile with UDEREF and KERNEXEC default enabled
> virtualization profile with UDEREF and KERNEXEC default disabled
>
> While virtualbox and kvm currently have issues with both options, this may change in the future. To
> be able to easily test it, those options should not be forced off, but default disabled.
>
> Since most other apps for workstations should work with both options, they should be default
> enabled. Since there might be some special issue with some specific desktop app, it should be able
> to disable those options, so not forced on for them.
>

Hi everyone, it's been a while since I visited this issue, but I've
finally made the change. It's still experimental, but preliminary
testing shows that nothing is broken. Hopefully it will also be useful.

Currently, the following ebuilds have the same codebase

hardened-sources-2.6.37-r2 <-> hardened-sources-2.6.37-r3

hardened-sources-2.6.32-r37 <-> hardened-sources-2.6.32-r38

The only difference is the higher rev number has the new predefined
GRSEC/PaX settings.

Please test and let me know.

--
Anthony G. Basile, Ph.D.
Gentoo Developer