| 1 |
On 01/25/2011 09:19 AM, Thomas Sachau wrote: |
| 2 |
> Am 25.01.2011 13:26, schrieb Anthony G. Basile: |
| 3 |
>> Hi hardened users, |
| 4 |
>> |
| 5 |
>> Currently, when configuring the hardened kernel, the user is presented |
| 6 |
>> with some predefined Security Levels. (Security options -> Grsecuirty |
| 7 |
>> -> Security Level). Four of these are set by Gentoo |
| 8 |
>> |
| 9 |
>> Hardened Gentoo [server] |
| 10 |
>> Hardened Gentoo [server no rbac] |
| 11 |
>> Hardened Gentoo [workstation] |
| 12 |
>> Hardened Gentoo [workstation no rbac] |
| 13 |
>> |
| 14 |
>> These are defined so as to maximize security while minimizing breakage |
| 15 |
>> with Gentoo software. I'm proposing to change this to |
| 16 |
>> |
| 17 |
>> Hardened Gentoo [server] |
| 18 |
>> Hardened Gentoo [workstation or virtualization host] |
| 19 |
>> |
| 20 |
>> One change will be to remove the "no rbac" option which is easily turned |
| 21 |
>> on/off at Security options -> Grsecuirty -> Role Based Access Control |
| 22 |
>> Options -> Disable RBAC system. The default will be on (ie do not |
| 23 |
>> disable rbac). Even if the users doesn't want to use RBAC and still |
| 24 |
>> enables it, there is no harm done since RBAC simply be available but not |
| 25 |
>> used unless turned on by gradm. |
| 26 |
>> |
| 27 |
>> The other change will be to add a "virtualization host" option. |
| 28 |
>> Currently these settings are identical to the workstation and so are |
| 29 |
>> coalesced, but may change. I am trying to make the hardened kernel |
| 30 |
>> compatible with VirtualBox and kvm, but there are some security settings |
| 31 |
>> which will most likely *always* break virtualization and will need to be |
| 32 |
>> turned off. |
| 33 |
>> |
| 34 |
>> This is work in progress and testing is appreciated. The ebuilds are on |
| 35 |
>> my overlay. |
| 36 |
>> |
| 37 |
>> |
| 38 |
> |
| 39 |
> My suggestion, as talked about in IRC: |
| 40 |
> |
| 41 |
> server profile with UDEREF and KERNEXEC forced on |
| 42 |
> workstation profile with UDEREF and KERNEXEC default enabled |
| 43 |
> virtualization profile with UDEREF and KERNEXEC default disabled |
| 44 |
> |
| 45 |
> While virtualbox and kvm currently have issues with both options, this may change in the future. To |
| 46 |
> be able to easily test it, those options should not be forced off, but default disabled. |
| 47 |
> |
| 48 |
> Since most other apps for workstations should work with both options, they should be default |
| 49 |
> enabled. Since there might be some special issue with some specific desktop app, it should be able |
| 50 |
> to disable those options, so not forced on for them. |
| 51 |
> |
| 52 |
|
| 53 |
Hi everyone, its been a while since I visited this issue, but I've |
| 54 |
finally made the change. Its still experimental, but preliminary |
| 55 |
testing shows that nothing is broken. Hopefully it will also be useful. |
| 56 |
|
| 57 |
Currently, the following ebuilds have the same codebase |
| 58 |
|
| 59 |
hardened-sources-2.6.37-r2 <-> hardened-sources-2.6.37-r3 |
| 60 |
|
| 61 |
hardened-sources-2.6.32-r37 <-> hardened-sources-2.6.32-r38 |
| 62 |
|
| 63 |
The only difference is the higher rev number has the new predefined |
| 64 |
GRSEC/PaX settings. |
| 65 |
|
| 66 |
Please test and let me know. |
| 67 |
|
| 68 |
-- |
| 69 |
Anthony G. Basile, Ph.D. |
| 70 |
Gentoo Developer |
Archives