| 1 |
Hi everyone, |
| 2 |
|
| 3 |
For a while now, we've been supporting three predefined grsec profiles |
| 4 |
in the hardened-sources kernel. Upstream provides four. These are |
| 5 |
|
| 6 |
GRKERNSEC_LOW |
| 7 |
GRKERNSEC_MEDIUM |
| 8 |
GRKERNSEC_HIGH |
| 9 |
GRKERNSEC_CUSTOM |
| 10 |
|
| 11 |
We've added three which we think are useful to the Gentoo community. |
| 12 |
These are pretty self explanatory: |
| 13 |
|
| 14 |
GRKERNSEC_HARDENED_SERVER |
| 15 |
GRKERNSEC_HARDENED_WORKSTATION |
| 16 |
GRKERNSEC_HARDENED_VIRTUALIZATION |
| 17 |
|
| 18 |
To be clear, the virtualization profile is for the *host*, but in some |
| 19 |
cases applies even for the guest. |
| 20 |
|
| 21 |
The basic difference between these is that only the server has |
| 22 |
GRKERNSEC_IO which messes up Xorg in some cases, and virtualization does |
| 23 |
not have KERNEXEC and UDEREF which often breaks virt hosts. |
| 24 |
|
| 25 |
Upstream has recently added new options which we could not make use of |
| 26 |
until gcc 4.5.* was stabilized. We have now added these options to all |
| 27 |
three predefine Gentoo grsec profiles, as well as having made a few |
| 28 |
other tweaks. Here are the additions: |
| 29 |
|
| 30 |
GRKERNSEC_SYSFS_RESTRICT - hardening of /sys by restricting read |
| 31 |
|
| 32 |
GRKERNSEC_AUDIT_PTRACE - add ptrace logging |
| 33 |
|
| 34 |
GRKERNSEC_SETXID - propagate uid/gid/caps to children threads |
| 35 |
|
| 36 |
PAX_RANDKSTACK - randomize all task's kernel stack |
| 37 |
|
| 38 |
PAX_MEMORY_STACKLEAK - zero kernel stack before return |
| 39 |
|
| 40 |
default to OR (rather than BTS) for KERNEXEC |
| 41 |
|
| 42 |
The later may be problematic for people because OR method only works on |
| 43 |
non-binary modules that you compile from source. BTS method will work |
| 44 |
on binary modules, but it does have an overhead. |
| 45 |
|
| 46 |
These changes will begin with hardened-sources-2.6.32-r81 and 3.1.6 |
| 47 |
which I'll put on the tree later today. Let me know if any of these |
| 48 |
changes cause problem. The only profile I expect issues with is |
| 49 |
VIRTUALIZATION which is so hardware dependant that it probably has other |
| 50 |
issues too :( |
| 51 |
|
| 52 |
-- |
| 53 |
Anthony G. Basile, Ph. D. |
| 54 |
Chair of Information Technology |
| 55 |
D'Youville College |
| 56 |
Buffalo, NY 14201 |
| 57 |
(716) 829-8197 |
Archives