| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA1 |
| 3 |
|
| 4 |
On 26.12.2011 19:57, Anthony G. Basile wrote: |
| 5 |
> Hi everyone, |
| 6 |
> |
| 7 |
> For a while now, we've been supporting three predefined grsec |
| 8 |
> profiles in the hardened-sources kernel. Upstream provides four. |
| 9 |
> These are |
| 10 |
> |
| 11 |
> GRKERNSEC_LOW GRKERNSEC_MEDIUM GRKERNSEC_HIGH GRKERNSEC_CUSTOM |
| 12 |
> |
| 13 |
> We've added three which we think are useful to the Gentoo |
| 14 |
> community. These are pretty self explanatory: |
| 15 |
> |
| 16 |
> GRKERNSEC_HARDENED_SERVER GRKERNSEC_HARDENED_WORKSTATION |
| 17 |
> GRKERNSEC_HARDENED_VIRTUALIZATION |
| 18 |
> |
| 19 |
> To be clear, the virtualization profile is for the *host*, but in |
| 20 |
> some cases applies even for the guest. |
| 21 |
> |
| 22 |
> The basic difference between these is that only the server has |
| 23 |
> GRKERNSEC_IO which messes up Xorg in some cases, and virtualization |
| 24 |
> does not have KERNEXEC and UDEREF which often breaks virt hosts. |
| 25 |
> |
| 26 |
> Upstream has recently added new options which we could not make use |
| 27 |
> of until gcc 4.5.* was stabilized. We have now added these options |
| 28 |
> to all three predefine Gentoo grsec profiles, as well as having |
| 29 |
> made a few other tweaks. Here are the additions: |
| 30 |
> |
| 31 |
> GRKERNSEC_SYSFS_RESTRICT - hardening of /sys by restricting read |
| 32 |
> |
| 33 |
> GRKERNSEC_AUDIT_PTRACE - add ptrace logging |
| 34 |
> |
| 35 |
> GRKERNSEC_SETXID - propagate uid/gid/caps to children threads |
| 36 |
> |
| 37 |
> PAX_RANDKSTACK - randomize all task's kernel stack |
| 38 |
> |
| 39 |
> PAX_MEMORY_STACKLEAK - zero kernel stack before return |
| 40 |
> |
| 41 |
> default to OR (rather than BTS) for KERNEXEC |
| 42 |
> |
| 43 |
> The later may be problematic for people because OR method only |
| 44 |
> works on non-binary modules that you compile from source. BTS |
| 45 |
> method will work on binary modules, but it does have an overhead. |
| 46 |
> |
| 47 |
> These changes will begin with hardened-sources-2.6.32-r81 and |
| 48 |
> 3.1.6 which I'll put on the tree later today. Let me know if any of |
| 49 |
> these changes cause problem. The only profile I expect issues with |
| 50 |
> is VIRTUALIZATION which is so hardware dependant that it probably |
| 51 |
> has other issues too :( |
| 52 |
> |
| 53 |
|
| 54 |
Hello, |
| 55 |
|
| 56 |
I have two (small) problems: |
| 57 |
|
| 58 |
- - GRKERNSEC_SYSFS_RESTRICT seems to kill audio on my laptop (Thinkpad |
| 59 |
T510). If I disable it, sound works again (Though I normally use |
| 60 |
pulseaudio under gnome, aplay doesn't work under bash (no X started), |
| 61 |
eighter). |
| 62 |
|
| 63 |
- - with PAX_RANDKSTACK enabled I'm not able to sucessfully compile |
| 64 |
glibc-2.14.1-r2 and glibc-2.14.1-r1 (gcc-4.6.2). I get an oops |
| 65 |
(because auf the kernelstack - I think). |
| 66 |
|
| 67 |
For now I just have disabled both options. |
| 68 |
|
| 69 |
If you would tell me how to give any information which may help you to |
| 70 |
debug it (if needed) you can contact me here or in irc (hvb). |
| 71 |
|
| 72 |
With kind regards, |
| 73 |
|
| 74 |
Hinnerk |
| 75 |
|
| 76 |
|
| 77 |
-----BEGIN PGP SIGNATURE----- |
| 78 |
Version: GnuPG v2.0.18 (GNU/Linux) |
| 79 |
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ |
| 80 |
|
| 81 |
iQEcBAEBAgAGBQJPAX9IAAoJEJwwOFaNFkYcPbAH/0sacjiGwPr6duoh7Nbb28ps |
| 82 |
nm9iU1ukOuDMk6IQ8QeDZ3XJnIedv4dGW4aUtLUn1ul9QlUJTNryTuWGuiEm6+sm |
| 83 |
k8Js9qlvMEzVQb3wbryx20gwjytjwKRbIvz8tk4kVWzKxPCVBjTqC/tDNilIeFU0 |
| 84 |
7+fXtRAe6XDepgZlpOurX/Q/KSQSo7FAahy2F8rrxQ1HLaUa5NncozJGpb+tyVwU |
| 85 |
JQr8c32iQZB3dly/hz3E50PVq6vUssUvuL6TR49vyOzwLV7cPZde5cFRfzl80Z6r |
| 86 |
1+XRPtLqfCVt92lUdcFS1EWTl1pbUSxTARePViC4zzLGqJZDatklbHbfmI1/sRQ= |
| 87 |
=GUnC |
| 88 |
-----END PGP SIGNATURE----- |
Archives