Hi everyone,

For a while now, we've been supporting three predefined grsec profiles
in the hardened-sources kernel. Upstream provides four. These are

GRKERNSEC_LOW
GRKERNSEC_MEDIUM
GRKERNSEC_HIGH
GRKERNSEC_CUSTOM

We've added three which we think are useful to the Gentoo community.
These are pretty self-explanatory:

GRKERNSEC_HARDENED_SERVER
GRKERNSEC_HARDENED_WORKSTATION
GRKERNSEC_HARDENED_VIRTUALIZATION

To be clear, the virtualization profile is for the *host*, but in some
cases applies even for the guest.

The basic difference between these is that only the server has
GRKERNSEC_IO, which messes up Xorg in some cases, and virtualization does
not have KERNEXEC and UDEREF, which often break virt hosts.

Upstream has recently added new options which we could not make use of
until gcc 4.5.* was stabilized. We have now added these options to all
three predefined Gentoo grsec profiles, as well as having made a few
other tweaks. Here are the additions:

GRKERNSEC_SYSFS_RESTRICT - hardening of /sys by restricting read

GRKERNSEC_AUDIT_PTRACE - add ptrace logging

GRKERNSEC_SETXID - propagate uid/gid/caps to child threads

PAX_RANDKSTACK - randomize every task's kernel stack

PAX_MEMORY_STACKLEAK - zero kernel stack before return

default to OR (rather than BTS) for KERNEXEC

The latter may be problematic for people because the OR method only works on
non-binary modules that you compile from source. The BTS method will work
on binary modules, but it does have an overhead.

These changes will begin with hardened-sources-2.6.32-r81 and 3.1.6
which I'll put on the tree later today. Let me know if any of these
changes cause problems. The only profile I expect issues with is
VIRTUALIZATION, which is so hardware dependent that it probably has other
issues too :(

--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197
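A small config audit for the options announced above, added here as an example and not part of the original mail or of hardened-sources. It assumes the Kconfig symbols carry the usual CONFIG_ prefix and that the KERNEXEC method is selected by CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR / _BTS (assumed names); the sample .config is constructed, not a real profile.

```shell
#!/bin/sh
# Added example, not from the announcement: check a kernel .config for the
# options the post says were added to all three Gentoo grsec profiles, and
# report which KERNEXEC plugin method (OR or BTS) is selected.

# Options the post lists as newly added to every Gentoo profile.
ADDED_OPTS="GRKERNSEC_SYSFS_RESTRICT GRKERNSEC_AUDIT_PTRACE GRKERNSEC_SETXID PAX_RANDKSTACK PAX_MEMORY_STACKLEAK"

# config_enabled FILE SYMBOL: succeed if CONFIG_SYMBOL=y is present in FILE.
config_enabled() {
    grep -q "^CONFIG_$2=y$" "$1"
}

# kernexec_method FILE: print OR, BTS or NONE (symbol names are assumed).
kernexec_method() {
    if config_enabled "$1" PAX_KERNEXEC_PLUGIN_METHOD_OR; then echo OR
    elif config_enabled "$1" PAX_KERNEXEC_PLUGIN_METHOD_BTS; then echo BTS
    else echo NONE; fi
}

# audit_config FILE: one "SYMBOL enabled|missing" line per option, then the
# KERNEXEC method and, for OR, the binary-module caveat from the post.
# Returns 1 if any listed option is missing.
audit_config() {
    missing=0
    for opt in $ADDED_OPTS; do
        if config_enabled "$1" "$opt"; then echo "$opt enabled"
        else echo "$opt missing"; missing=1; fi
    done
    method=$(kernexec_method "$1")
    echo "KERNEXEC method: $method"
    [ "$method" = OR ] && echo "note: OR only works with modules built from source; binary modules need BTS"
    return $missing
}

# Constructed sample .config: OR method selected, one listed option left off.
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
CONFIG_GRKERNSEC=y
CONFIG_GRKERNSEC_SYSFS_RESTRICT=y
# CONFIG_GRKERNSEC_AUDIT_PTRACE is not set
CONFIG_GRKERNSEC_SETXID=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_MEMORY_STACKLEAK=y
CONFIG_PAX_KERNEXEC=y
CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR=y
EOF

audit_config "$SAMPLE_CONFIG" || echo "result: at least one listed option is missing"
```

On a running hardened kernel, point audit_config at /proc/config.gz contents (zcat it to a file first) or at /usr/src/linux/.config.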