Mailing List Archive

New Kconfig structure in hardened-sources-3.4.4-r1
Hi everyone,

Upstream has changed the structure of the configuration menu for
grsec/pax. The new Kconfig is in hardened-sources-3.4.4-r1 which I have
just added to the tree. I want to alert the list so people are not
surprised upon upgrade. Here's roughly what has changed:

0. The Grsecurity menu now has the following top level items:

Configuration Method (Automatic/Custom)
<- to what extent we choose the config for you

Usage Type (Server/Desktop)

Virtualization Type (None/Guest/Host)
<- is this kernel to be used on a virt guest or virt host or none

... other virt options which are obvious ...

Required Priorities <- Security vs Performance. There are a few
security options like UDEREF that hit up perf

Customize Configuration <- The above gives you a baseline,
but you are not locked into anything like previously,
and you can tweak further here.

1. Gone are Gentoo's predefined HARDENED_SERVER, HARDENED_DESKTOP and
HARDENED_VIRTUALIZATION. There is no need for them anymore as they are
pretty much subsumed under the above. With some minor differences:

HARDENED_SERVER => Type=Server, Priority=Security, Virt=None
HARDENED_DESKTOP => Type=Desktop, Priority=Security, Virt=None
HARDENED_VIRTUALIZATION => Type=Server, Priority=Security, Virt=<mixed>

We never did get our HARDENED_VIRTUALIZATION quite right with all the
possible combinations, so I just went with a lowest common denominator
which upstream felt should be better refined. Quite rightly so. When I
started down that path I quickly realized what a quagmire it is.


2. I've tried to keep the Gentoo GIDs where possible. There is one bug
that I've noticed, which I'm passing to upstream. Toggling "Invert GID
option" under TPE does not toggle between our trusted (GID=10) and our
untrusted (GID=100) values. You can change them manually, but since in
Gentoo we want to keep our GIDs in line [1], we need to change
upstream's default values to ours.


3. I really like what upstream has done. Two things in particular: a)
the granularity of the virt options and b) the ability to start with
some baseline Automatic config and then tweak. However, give me
feedback because we need to make them work for our users.


Enjoy!


--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : blueness@gentoo.org
GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535
GnuPG ID : D0455535
Re: New Kconfig structure in hardened-sources-3.4.4-r1
On 07/01/2012 04:04 PM, Anthony G. Basile wrote:
> Hi everyone,
>

> 2. I've tried to keep the Gentoo GIDs where possible. There is one bug
> that I've noticed, which I'm passing to upstream. Toggling "Invert GID
> option" under TPE does not toggle between our trusted (GID=10) and our
> untrusted (GID=100) values. You can change them manually, but since in
> Gentoo we want to keep our GIDs in line [1], we need to change
> upstream's default values to ours.
>

Nice, I put a ref to a footnote, but no footnote:

Ref.

[1] See GLEP 27 - http://www.gentoo.org/proj/en/glep/glep-0027.html

--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197
Re: New Kconfig structure in hardened-sources-3.4.4-r1
On Sun, Jul 1, 2012 at 11:04 PM, Anthony G. Basile <blueness@gentoo.org> wrote:
> 1. Gone are Gentoo's predefined HARDENED_SERVER, HARDENED_DESKTOP and
> HARDENED_VIRTUALIZATION. There is no need for them anymore as they are
> pretty much subsumed under the above. With some minor differences:
>
> HARDENED_SERVER => Type=Server, Priority=Security, Virt=None
> HARDENED_DESKTOP => Type=Desktop, Priority=Security, Virt=None
> HARDENED_VIRTUALIZATION => Type=Server, Priority=Security, Virt=<mixed>

I played a bit with the new settings in the latest unstable hardened
x86 kernel today (in an attempt to squash a NULL deref bug, will send
another email about that), and the new approach seemed very confusing
to me. It has many overlapping options (VMware or VirtualBox?), the
ultimate effect of which is not clear (what if I want to use both
VMs?). In addition, all these options only have effect for new kernel
configuration (probably not even an oldconfig), since they only affect
defaults. Afterwards, they just sit there (interfering with other
settings, see below). In the old approach, I found
HARDENED_VIRTUALIZATION to be a very robust choice that actually
enforced most settings that I have carefully chosen previously. In the
new approach, I just switched to GRKERNSEC_CONFIG_CUSTOM after a
while.

> 2. I've tried to keep the Gentoo GIDs where possible. There is one bug that
> I've noticed, which I'm passing to upstream. Toggling "Invert GID option"
> under TPE does not toggle between our trusted (GID=10) and our untrusted
> (GID=100) values. You can change them manually, but since in Gentoo we want
> to keep our GIDs in line [1], we need to change upstream's default values to
> ours.

GRKERNSEC_CONFIG_AUTO interferes with that — a trusted group is shown
as "untrusted". In addition, groups for disabled settings (like
GRKERNSEC_SYMLINKOWN) are also shown.

--
Maxim Kammerer
Liberté Linux: http://dee.su/liberte
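
An added example, not part of any message in this thread or of the hardened-sources tree: since the menu choices only seed defaults and the "Invert GID option" toggle does not swap the group value, the resulting `.config` can be audited against the Gentoo GIDs quoted above (trusted 10, untrusted 100). The symbol names `GRKERNSEC_TPE`, `GRKERNSEC_TPE_INVERT` and `GRKERNSEC_TPE_GID` are assumed from grsecurity's Kconfig rather than taken from the thread, and the sample config is constructed.

```python
import re

# Gentoo's values as stated in the thread: trusted GID=10, untrusted GID=100.
GENTOO_TRUSTED_GID = 10
GENTOO_UNTRUSTED_GID = 100

_SET = re.compile(r"^CONFIG_(\w+)=(.*)$")
_UNSET = re.compile(r"^# CONFIG_(\w+) is not set$")

# Constructed sample .config fragment (not from a real system).
SAMPLE_CONFIG = """\
CONFIG_GRKERNSEC_CONFIG_AUTO=y
CONFIG_GRKERNSEC_TPE=y
CONFIG_GRKERNSEC_TPE_INVERT=y
CONFIG_GRKERNSEC_TPE_GID=100
"""

def parse_config(text):
    """Parse .config text into {symbol: value}; '... is not set' maps to None."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        m = _SET.match(line)
        if m:
            opts[m.group(1)] = m.group(2).strip('"')
            continue
        m = _UNSET.match(line)
        if m:
            opts[m.group(1)] = None
    return opts

def audit_tpe(opts):
    """Return findings where the TPE group disagrees with the Gentoo values."""
    # Symbol names below are assumed from grsecurity's Kconfig, not the thread.
    if opts.get("GRKERNSEC_TPE") != "y":
        return ["TPE is disabled; any GRKERNSEC_TPE_GID value is inert"]
    # With the invert option set, the configured group is the trusted one.
    inverted = opts.get("GRKERNSEC_TPE_INVERT") == "y"
    role = "trusted" if inverted else "untrusted"
    expected = GENTOO_TRUSTED_GID if inverted else GENTOO_UNTRUSTED_GID
    raw = opts.get("GRKERNSEC_TPE_GID")
    if raw is None or not raw.isdigit():
        return [f"GRKERNSEC_TPE_GID is missing; expected {expected} ({role})"]
    if int(raw) != expected:
        return [f"GRKERNSEC_TPE_GID={raw} acts as the {role} group; expected {expected}"]
    return []

if __name__ == "__main__":
    for finding in audit_tpe(parse_config(SAMPLE_CONFIG)):
        print(finding)
```
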
Re: New Kconfig structure in hardened-sources-3.4.4-r1
On Mon, Jul 30, 2012 at 1:41 AM, Maxim Kammerer <mk@dee.su> wrote:
> I played a bit with the new settings in the latest unstable hardened
> x86 kernel today (in an attempt to squash a NULL deref bug, will send
> another email about that)

Opened a bug instead: https://bugs.gentoo.org/428576.

--
Maxim Kammerer
Liberté Linux: http://dee.su/liberte