| 1 |
Hi everyone, |
| 2 |
|
| 3 |
Upstream has change the structure of the configuration menu for |
| 4 |
grsec/pax. The new Kconfig is in hardened-sources-3.4.4-r1 which I have |
| 5 |
just added to the tree. I want to alert the list so people are not |
| 6 |
surprised upon upgrade. Here's roughly what has changed: |
| 7 |
|
| 8 |
0. The Grsecurity menu now has the follwoing top level items: |
| 9 |
|
| 10 |
Configuration Method (Automatic/Custom) |
| 11 |
<- to what extent we choose the config for you |
| 12 |
|
| 13 |
Usage Type (Server/Desktop) |
| 14 |
|
| 15 |
Virtualization Type (None/Guest/Host) |
| 16 |
<- is this kernel to be used on a virt guest or virt host or none |
| 17 |
|
| 18 |
... other virt options which are obvious ... |
| 19 |
|
| 20 |
Required Priorities <- Security vs Performance. There are a few |
| 21 |
security options like UDEREF that hit up perf |
| 22 |
|
| 23 |
Customize Configuration <- The above gives you a baseline, |
| 24 |
but you are not locked into anything like previously, |
| 25 |
and you can tweak further here. |
| 26 |
|
| 27 |
1. Gone are Gentoo's predefined HARDENED_SERVER, HARDENED_DESKTOP and |
| 28 |
HARDENED_VIRTUALIZATION. There is no need for them anymore as they are |
| 29 |
pretty much subsumed under the above. With some minor differences: |
| 30 |
|
| 31 |
HARDENED_SERVER => Type=Server, Priority=Security, Virt=None |
| 32 |
HARDENED_DESKTOP => Type=Desktop, Priority=Security, Virt=None |
| 33 |
HARDENED_VIRTUALIZATION => Type=Server, Priority=Security Virt=<mixed> |
| 34 |
|
| 35 |
We never did get our HARDENED_VIRTUALIZATION quite right with all the |
| 36 |
possible combinations, so I just went with a lowest common denominator |
| 37 |
which upstream felt should be better refined. Quite rightly so. When I |
| 38 |
started down that path I quickly realized what a quagmire it is. |
| 39 |
|
| 40 |
|
| 41 |
2. I've tried to keep the Gentoo GIDs where possible. There is one bug |
| 42 |
that I've noticed, which I'm passing to upstream. Toggling "Invert GID |
| 43 |
option" under TPE does not toggle between our trusted (GID=10) and our |
| 44 |
untrusted (GID=100) values. You can change them manually, but since in |
| 45 |
Gentoo we want to keep our GIDs in line [1], we need to change |
| 46 |
upstream's default values to ours. |
| 47 |
|
| 48 |
|
| 49 |
3. I really like what upstream has done. Two things in particular: a) |
| 50 |
the granularity of the virt options and 2) the ability to start with |
| 51 |
some baseline Automatic config and then tweak. However, give me |
| 52 |
feedback because we need to make them work for our users. |
| 53 |
|
| 54 |
|
| 55 |
Enjoy! |
| 56 |
|
| 57 |
|
| 58 |
-- |
| 59 |
Anthony G. Basile, Ph.D. |
| 60 |
Gentoo Linux Developer [Hardened] |
| 61 |
E-Mail : blueness@g.o |
| 62 |
GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535 |
| 63 |
GnuPG ID : D0455535 |
Archives