On 26.12.2011 19:57, Anthony G. Basile wrote:
> Hi everyone,
>
> For a while now, we've been supporting three predefined grsec
> profiles in the hardened-sources kernel. Upstream provides four.
> These are
>
> GRKERNSEC_LOW GRKERNSEC_MEDIUM GRKERNSEC_HIGH GRKERNSEC_CUSTOM
>
> We've added three which we think are useful to the Gentoo
> community. These are pretty self-explanatory:
>
> GRKERNSEC_HARDENED_SERVER GRKERNSEC_HARDENED_WORKSTATION
> GRKERNSEC_HARDENED_VIRTUALIZATION
>
> To be clear, the virtualization profile is for the *host*, but in
> some cases applies even for the guest.
>
> The basic difference between these is that only the server has
> GRKERNSEC_IO, which messes up Xorg in some cases, and virtualization
> does not have KERNEXEC and UDEREF, which often break virt hosts.
>
> Upstream has recently added new options which we could not make use
> of until gcc 4.5.* was stabilized. We have now added these options
> to all three predefined Gentoo grsec profiles, as well as having
> made a few other tweaks. Here are the additions:
>
> GRKERNSEC_SYSFS_RESTRICT - hardening of /sys by restricting read
>
> GRKERNSEC_AUDIT_PTRACE - add ptrace logging
>
> GRKERNSEC_SETXID - propagate uid/gid/caps to child threads
>
> PAX_RANDKSTACK - randomize all tasks' kernel stacks
>
> PAX_MEMORY_STACKLEAK - zero kernel stack before return
>
> default to OR (rather than BTS) for KERNEXEC
>
> The latter may be problematic for people because the OR method only
> works on non-binary modules that you compile from source. The BTS
> method will work on binary modules, but it does have an overhead.
>
> These changes will begin with hardened-sources-2.6.32-r81 and
> 3.1.6 which I'll put on the tree later today. Let me know if any of
> these changes cause problems. The only profile I expect issues with
> is VIRTUALIZATION which is so hardware dependent that it probably
> has other issues too :(
>

Hello,

I have two (small) problems:

- GRKERNSEC_SYSFS_RESTRICT seems to kill audio on my laptop (Thinkpad
T510). If I disable it, sound works again (though I normally use
pulseaudio under gnome, aplay doesn't work under bash (no X started)
either).

- With PAX_RANDKSTACK enabled I'm not able to successfully compile
glibc-2.14.1-r2 and glibc-2.14.1-r1 (gcc-4.6.2). I get an oops
(because of the kernel stack, I think).

For now I have just disabled both options.

If you tell me how to give any information which may help you
debug it (if needed), you can contact me here or on irc (hvb).

With kind regards,

Hinnerk
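A small config audit for the options discussed in this thread, added here as an example (it is not code from the thread or from hardened-sources): it reads a kernel .config, reports which predefined grsec profile is enabled and the state of each option Anthony lists, and flags the two caveats raised above (OR method vs. binary modules, GRKERNSEC_IO vs. Xorg). The sample config is constructed, and the CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR/_BTS symbol names are an assumption about how the OR/BTS choice appears in .config.

```shell
# Audit a hardened-sources .config for the grsec/PaX options named in the thread.
# Constructed sample config (not from a real machine); the PLUGIN_METHOD_* symbol names are an assumption.
SAMPLE_CONFIG="${TMPDIR:-/tmp}/grsec-sample.config"
cat > "$SAMPLE_CONFIG" <<'EOF'
CONFIG_GRKERNSEC_HARDENED_WORKSTATION=y
# CONFIG_GRKERNSEC_IO is not set
CONFIG_GRKERNSEC_SYSFS_RESTRICT=y
CONFIG_GRKERNSEC_AUDIT_PTRACE=y
CONFIG_GRKERNSEC_SETXID=y
CONFIG_PAX_KERNEXEC=y
CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR=y
CONFIG_PAX_UDEREF=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_MEMORY_STACKLEAK=y
EOF
# config_state FILE SYMBOL: prints y, n ("is not set") or absent.
config_state() {
    if grep -q "^$2=y\$" "$1"; then echo y
    elif grep -q "^# $2 is not set\$" "$1"; then echo n
    else echo absent
    fi
}
# grsec_profile FILE: prints the enabled predefined profile (upstream or Gentoo), or none.
grsec_profile() {
    for p in LOW MEDIUM HIGH CUSTOM HARDENED_SERVER HARDENED_WORKSTATION HARDENED_VIRTUALIZATION; do
        [ "$(config_state "$1" "CONFIG_GRKERNSEC_$p")" = y ] && { echo "$p"; return 0; }
    done
    echo none
}
# kernexec_method FILE: prints or, bts, or none when KERNEXEC is off.
kernexec_method() {
    [ "$(config_state "$1" CONFIG_PAX_KERNEXEC)" = y ] || { echo none; return 0; }
    if [ "$(config_state "$1" CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_BTS)" = y ]; then echo bts
    else echo or   # OR is the new default the thread describes
    fi
}
# audit FILE: one line per option from the thread, then the caveats it raises.
audit() {
    echo "profile: $(grsec_profile "$1")"
    for s in GRKERNSEC_IO GRKERNSEC_SYSFS_RESTRICT GRKERNSEC_AUDIT_PTRACE GRKERNSEC_SETXID PAX_KERNEXEC PAX_UDEREF PAX_RANDKSTACK PAX_MEMORY_STACKLEAK; do
        echo "$s: $(config_state "$1" "CONFIG_$s")"
    done
    m=$(kernexec_method "$1")
    echo "kernexec method: $m"
    [ "$m" = or ] && echo "caveat: OR method only covers modules built from source; binary modules need BTS"
    [ "$(config_state "$1" CONFIG_GRKERNSEC_IO)" = y ] && echo "caveat: GRKERNSEC_IO can break Xorg"
    return 0
}
audit "$SAMPLE_CONFIG"
```

On a real system, point `audit` at /usr/src/linux/.config or at the output of `zcat /proc/config.gz` saved to a file.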