| 1 |
Am 25.01.2011 13:26, schrieb Anthony G. Basile: |
| 2 |
> Hi hardened users, |
| 3 |
> |
| 4 |
> Currently, when configuring the hardened kernel, the user is presented |
| 5 |
> with some predefined Security Levels. (Security options -> Grsecuirty |
| 6 |
> -> Security Level). Four of these are set by Gentoo |
| 7 |
> |
| 8 |
> Hardened Gentoo [server] |
| 9 |
> Hardened Gentoo [server no rbac] |
| 10 |
> Hardened Gentoo [workstation] |
| 11 |
> Hardened Gentoo [workstation no rbac] |
| 12 |
> |
| 13 |
> These are defined so as to maximize security while minimizing breakage |
| 14 |
> with Gentoo software. I'm proposing to change this to |
| 15 |
> |
| 16 |
> Hardened Gentoo [server] |
| 17 |
> Hardened Gentoo [workstation or virtualization host] |
| 18 |
> |
| 19 |
> One change will be to remove the "no rbac" option which is easily turned |
| 20 |
> on/off at Security options -> Grsecuirty -> Role Based Access Control |
| 21 |
> Options -> Disable RBAC system. The default will be on (ie do not |
| 22 |
> disable rbac). Even if the users doesn't want to use RBAC and still |
| 23 |
> enables it, there is no harm done since RBAC simply be available but not |
| 24 |
> used unless turned on by gradm. |
| 25 |
> |
| 26 |
> The other change will be to add a "virtualization host" option. |
| 27 |
> Currently these settings are identical to the workstation and so are |
| 28 |
> coalesced, but may change. I am trying to make the hardened kernel |
| 29 |
> compatible with VirtualBox and kvm, but there are some security settings |
| 30 |
> which will most likely *always* break virtualization and will need to be |
| 31 |
> turned off. |
| 32 |
> |
| 33 |
> This is work in progress and testing is appreciated. The ebuilds are on |
| 34 |
> my overlay. |
| 35 |
> |
| 36 |
> |
| 37 |
|
| 38 |
My suggestion, as talked about in IRC: |
| 39 |
|
| 40 |
server profile with UDEREF and KERNEXEC forced on |
| 41 |
workstation profile with UDEREF and KERNEXEC default enabled |
| 42 |
virtualization profile with UDEREF and KERNEXEC default disabled |
| 43 |
|
| 44 |
While virtualbox and kvm currently have issues with both options, this may change in the future. To |
| 45 |
be able to easily test it, those options should not be forced off, but default disabled. |
| 46 |
|
| 47 |
Since most other apps for workstations should work with both options, they should be default |
| 48 |
enabled. Since there might be some special issue with some specific desktop app, it should be able |
| 49 |
to disable those options, so not forced on for them. |
| 50 |
|
| 51 |
-- |
| 52 |
Thomas Sachau |
| 53 |
|
| 54 |
Gentoo Linux Developer |
Archives