Gentoo Logo
Gentoo Spaceship

Note: Due to technical difficulties, the Archives are currently not up to date. GMANE provides an alternative service for most mailing lists.
c.f. bug 424647
List Archive: gentoo-hardened
Lists: gentoo-hardened: < Prev By Thread Next > < Prev By Date Next >
To: gentoo-hardened@g.o
From: "Anthony G. Basile" <blueness@g.o>
Subject: New Kconfig structure in hardened-sources-3.4.4-r1
Date: Sun, 01 Jul 2012 16:04:36 -0400
Hi everyone,

Upstream has change the structure of the configuration menu for 
grsec/pax.  The new Kconfig is in hardened-sources-3.4.4-r1 which I have 
just added to the tree.  I want to alert the list so people are not 
surprised upon upgrade.  Here's roughly what has changed:

0. The Grsecurity menu now has the follwoing top level items:

Configuration Method (Automatic/Custom)
     <- to what extent we choose the config for you

Usage Type (Server/Desktop)

Virtualization Type (None/Guest/Host)
    <- is this kernel to be used on a virt guest or virt host or none

    ... other virt options which are obvious ...

Required Priorities <- Security vs Performance.  There are a few
     security options like UDEREF that hit up perf

Customize Configuration <- The above gives you a baseline,
     but you are not locked into anything like previously,
     and you can tweak further here.

1. Gone are Gentoo's predefined HARDENED_SERVER, HARDENED_DESKTOP and 
HARDENED_VIRTUALIZATION.  There is no need for them anymore as they are 
pretty much subsumed under the above.  With some minor differences:

HARDENED_SERVER => Type=Server, Priority=Security, Virt=None
HARDENED_DESKTOP => Type=Desktop, Priority=Security, Virt=None
HARDENED_VIRTUALIZATION => Type=Server, Priority=Security Virt=<mixed>

We never did get our HARDENED_VIRTUALIZATION quite right with all the 
possible combinations, so I just went with a lowest common denominator 
which upstream felt should be better refined.  Quite rightly so.  When I 
started down that path I quickly realized what a quagmire it is.

2. I've tried to keep the Gentoo GIDs where possible.  There is one bug 
that I've noticed, which I'm passing to upstream.  Toggling "Invert GID 
option" under TPE does not toggle between our trusted (GID=10) and our 
untrusted (GID=100) values.  You can change them manually, but since in 
Gentoo we want to keep our GIDs in line [1], we need to change 
upstream's default values to ours.

3. I really like what upstream has done.  Two things in particular: a) 
the granularity of the virt options and 2) the ability to start with 
some baseline Automatic config and then tweak.  However, give me 
feedback because we need to make them work for our users.


Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail    : blueness@g.o
GnuPG FP  : 8040 5A4D 8709 21B1 1A88  33CE 979C AF40 D045 5535
GnuPG ID  : D0455535

Help needed
-- Joshua Brindle
Re: Help needed
-- Michael Ihde
Re: Help needed
-- Anthony de Almeida Lopes
Major Compiling Problems
-- Anthony de Almeida Lopes
Lists: gentoo-hardened: < Prev By Thread Next > < Prev By Date Next >
Previous by thread:
Major Compiling Problems
Next by thread:
sshd not working in enforcing mode
Previous by date:
Re: Help needed
Next by date:
sshd not working in enforcing mode

Updated Jul 02, 2012

Summary: Archive of the gentoo-hardened mailing list.

Donate to support our development efforts.

Copyright 2001-2013 Gentoo Foundation, Inc. Questions, Comments? Contact us.