From: "Magnus Granberg (zorry)" To: gentoo-commits@lists.gentoo.org Reply-To: gentoo-dev@lists.gentoo.org, zorry@gentoo.org Subject: [gentoo-commits] gentoo commit in xml/htdocs/proj/en/hardened: hardenedfaq.xml X-VCS-Repository: gentoo X-VCS-Files: hardenedfaq.xml X-VCS-Directories: xml/htdocs/proj/en/hardened X-VCS-Committer: zorry X-VCS-Committer-Name: Magnus Granberg Content-Type: text/plain; charset=utf8 Message-Id: <20110125230738.2E0CE20054@flycatcher.gentoo.org> Date: Tue, 25 Jan 2011 23:07:38 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: quoted-printable X-Archives-Salt: X-Archives-Hash: 002b6419466191a25e0353d158c61f7f zorry 11/01/25 23:07:38 Modified: hardenedfaq.xml Log: added the new hardenedfaq.xml for hardened proj Revision Changes Path 1.25 xml/htdocs/proj/en/hardened/hardenedfaq.xml file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/har= dened/hardenedfaq.xml?rev=3D1.25&view=3Dmarkup plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/har= dened/hardenedfaq.xml?rev=3D1.25&content-type=3Dtext/plain diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/har= dened/hardenedfaq.xml?r1=3D1.24&r2=3D1.25 Index: hardenedfaq.xml =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/hardenedfaq.xml= ,v retrieving revision 1.24 retrieving revision 1.25 diff -u -r1.24 -r1.25 --- hardenedfaq.xml 17 Aug 2010 22:35:05 -0000 1.24 +++ hardenedfaq.xml 25 Jan 2011 23:07:38 -0000 1.25 @@ -1,5 +1,6 @@ + =20 Gentoo Hardened Frequently Asked Questions 
@@ -15,148 +16,42 @@ The PaX Team + + klondike + + + Magnus Granberg + + + Anthony G. Basile + =20 Frequently Asked Questions that arise on the #gentoo-hardened IRC channe= l and the gentoo-hardened mailing list. =20 -1.9 -2006-02-18 +3.2 +2011-1-19 =20 - + Questions
-General - - -
    -
  • - What exactly is the "toolchain"? -
  • -
  • - What should I use: grsecurity, RSBAC or - SELinux? -
  • -
  • - Is it possible to use grsecurity, RSBAC, SELin= ux and=20 - PaX all at the same time? -
  • -
  • - Do I need to pass any flags to LDFLAGS= /CFLAGS in - order to turn on PIE/SSP building? -
  • -
  • - How do I turn off PIE/SSP building?= -
  • -
  • - My kernel compilation fails with the error "er= ror: - structure has no member named `curr_ip'", how do I fix that? -
  • -
  • - I just found out about the hardened p= roject; do - I have to install everything on the project page in order to install - Hardened Gentoo? -
  • -
  • - Why don't my programs work when I use CFLAG= S=3D"-O3" - and hardened gcc? -
  • -
  • - What happened to bootstrap-cascade.s= h? -
  • -
  • - How do I switch to the hardened profi= le? -
  • -
  • - How do I debug with gdb? -
  • -
- - -
- -
-PaX - - -
    -
  • - What is the homepage for PaX? -
  • -
  • - What Gentoo documentation exists about P= aX? -
  • -
  • - I keep getting the message: "error while loa= ding - shared libraries: cannot make segment writable for relocation: Permi= ssion - denied." What does this mean? -
  • -
  • - Ever since I started using PaX I can't get Ja= va - working, why? -
  • -
- - -
- -
-grsecurity +Introduction =20 -
    -
  • - What is the homepage for grsecurity?= -
  • -
  • - What Gentoo documentation exists about - grsecurity? -
  • -
  • - Can I use grsecurity with a 2.6.8, 2.6.8.1,= or 2.6.9 - kernel? -
  • -
- - -
- -
-RSBAC - - -
    -
  • - What is the homepage for RSBAC? -
  • -
  • - What Gentoo documentation exists about - RSBAC? -
  • -
  • - How do I use an initial ramdisk with a RS= BAC - enabled kernel? -
  • -
- - -
- -
-SELinux - - -
    -
  • - Where can I find SELinux related frequentl= y asked - questions? -
  • -
+

+The following is a collection of questions collected from #gentoo-harden= ed IRC +channel and the gentoo-hardened mailing list. As such, is geared towards +answering fast and concisely rather than providing a whole insight on th= e +technologies behind Gentoo Hardened. It is advisable reading the rest of= the +documentation on the Gentoo Hardened Project page and that on the proje= cts' +home pages in order to get a better insight. +

=20
-
+ =20 General Questions @@ -175,96 +70,125 @@ =20
-What should I use: grsecurity, RSBAC or SELinux? +What should I use: Grsecurity's RBAC or SELinux? =20

-The answer to this question is highly subjective, so the hardened Gentoo= project -simply tries to lay out each technology and leave the choice up to the u= ser. -This decision requires a lot of research that we have hopefully provided= clearly -in the hardened documentation. However, if you have any specific questi= ons -about the security model that each provides, feel free to question the r= elevant -developer in our IRC channel or on the mailing list. +The answer to this question is highly subjective, and very dependent on = your +requisites so the hardened Gentoo project simply tries to lay out each +technology and leave the choice up to the user. This decision requires a= lot of +research that we have hopefully provided clearly in the hardened documen= tation. +However, if you have any specific questions about the security model tha= t each +provides, feel free to question the relevant developer in our IRC channe= l or on +the mailing list.

=20
=20
-Is it possible to use grsecurity, RSBAC, SELinux and PaX all at t= he same +<title>Is it possible to use Grsecurity, SELinux and PaX all at the same time? =20

-Yes, this combination is quite possible as PaX works with grsecurity, RS= BAC -and SELinux. The only conflict that arises is you can only use one acce= ss -control system. +Yes, this combination is quite possible as PaX and some of Grsecurity's = features +work with Grsecurity's RBAC and SELinux. The only conflict that arises i= s you +can only use one access control system (be it RBAC or SELinux).

=20
=20
-Do I need to pass any flags to LDFLAGS/CFLAGS in order to turn on= PIE/SSP -building? +Do I need to pass any flags to LDFLAGS/CFLAGS in order to turn on +hardened building? =20

No, the current toolchain implements the equivalent of CFLAGS=3D"-fPI= E --fstack-protector-all" LDFLAGS=3D"-Wl,-z,now -Wl,-z,relro" automatic= ally -through GCC's specfile which is a more proper solution. For older harde= ned-gcc -users, add USE=3D"hardened pic" to your /etc/make.conf and=20 -then upgrade with the following commands: +-fstack-protector-all -D_FORTIFY_SOURCE=3D2" LDFLAGS=3D"-Wl,-z,now -Wl,-= z,relro" +automatically through GCC's built-in spec and using the specfiles to dis= able +them which is a more proper solution. For older hardened-gcc users the b= est +approach is switch to the hardened profile and then upgrade following th= e steps +on the How to switch to Gentoo Hardened q= uestion +

=20 -
-# emerge --oneshot binutils gcc virtual/libc
-# emerge -e world
-
+ +Manually enabling the hardening flags it is not recommended at all. + + + +Sending a -fno... flag will disable the flag, also -fstack-protector-all= and +-fstack-protector may interfere when passed directly. + =20 -Gentoo patches its GCCs to allow specfiles to be passed -through an environment variable. Currently several sets of specfiles ar= e -installed on Gentoo systems that allow users on supported architectures -to easily switch the functionality off and on of the toolchain. -To access the specs as the end user you can use the gcc-config utility. +Gentoo patches its GCCs to allow specfiles to be passed through an envir= onment +variable. Currently several sets of specfiles are installed on Gentoo s= ystems +that allow users on supported architectures to easily switch the functio= nality +off and on of the toolchain. To access the specs as the end user you can= use the +gcc-config utility. =20
=20
-How do I turn off PIE/SSP building? +How do I turn off hardened building? =20

You can use gcc-config to accomplish this:

-
-# gcc-config -l
- [1] i686-pc-linux-gnu-3.4.4 *
- [2] i686-pc-linux-gnu-3.4.4-hardenednopie
- [3] i686-pc-linux-gnu-3.4.4-hardenednopiessp
- [4] i686-pc-linux-gnu-3.4.4-hardenednossp
- [5] i686-pc-linux-gnu-3.4.4-vanilla
+# gcc-config -l=20
+ [1] x86_64-pc-linux-gnu-4.4.4 *
+ [2] x86_64-pc-linux-gnu-4.4.4-hardenednopie
+ [3] x86_64-pc-linux-gnu-4.4.4-hardenednopiessp
+ [4] x86_64-pc-linux-gnu-4.4.4-hardenednossp
+ [5] x86_64-pc-linux-gnu-4.4.4-vanilla
 =20
+To turn off PIE building switch to the hardenednopie profile:
+# gcc-config x86_64-pc-linux-gnu-4.4.4-hardenednopie
 To turn off SSP building switch to the hardenednossp profile:
-# gcc-config i686-pc-linux-gnu-3.4.4-hardenednossp
+# gcc-config x86_64-pc-linux-gnu-4.4.4-hardenednossp
+To turn off SSP and PIE building switch to the hardenednopiessp=
 profile:
+# gcc-config x86_64-pc-linux-gnu-4.4.4-hardenednopiessp
+To turn off all hardened building switch to the vanilla profile=
:
+# gcc-config x86_64-pc-linux-gnu-4.4.4-vanilla
 
=20 + +The previous output will vary according to the gcc version and architect= ure you +use, also the commands required to disable things will vary depending on= the +output of the first command. + +

Alternatively you can achieve the same by changing your CFLAGS:

=20 + +Disabling flags manually is not recommended by the team and thus an unsu= pported +option, do this at your own risk. + + +

To turn off default SSP building when using the hardened toolchain, appe= nd --fno-stack-protector-all -fno-stack-protector to your CFLAGS. +-fno-stack-protector to your CFLAGS.

+ +On gcc 3.4 releases you need to use -fno-stack-protector-all +-fno-stack-protector + =20

If you want to turn off default PIE building then append -nopie t= o your -CFLAGS. +CFLAGS and your LDFLAGS (as LDFLAGS is used with no CFLAGS= when +using gcc to link thre object files).

=20 @@ -273,25 +197,28 @@ behavior which should be the intended result. =20 - -If you are interested in using per-package CFLAGS with Portage currently= then -you may be interested in reading about the script solar has developed to= deal -with this: http://article.gmane.org/gmane.linux.gentoo.hardened/120= 4 - - - -
- -
-My kernel compilation fails with the error "error: structure has = no -member named `curr_ip'", how do I fix that? - +

+If you want to turn off default now binding append -z,lazy to you= r +LDFLAGS. +

=20

-In order to use PaX on hardened-sources, you must enable grsecurity as w= ell in -your kernel config. This should be fixed in a future kernels. +If you want to turn off default relro binding append -z,norelro t= o your +LDFLAGS.

=20 + +Relro is default on binutils so be sure that you want to disable it befo= re doing +so. + + + +If you are interested in using per-package CFLAGS with Portage currently= then +you may be interested in reading about the s= cript +solar has developed to deal with this + +
=20 @@ -317,30 +244,27 @@ =20

Using the gcc optimization flag -O3 has been known to be problema= tic with -stack-smashing protector (SSP) in some situations. This optimization fla= g is not -officially supported and therefore discouraged by the hardened team. Com= pile -issues where a user uses CFLAGS=3D"-O3" will be closed as INVALID= /CANTFIX -and or ignored. +stack-smashing protector (SSP) and on vanilla builds in some situations.= This +optimization flag is not officially supported and is, therefore, discour= aged by +the hardened team. Compile issues where a user uses CFLAGS=3D"-O3" may be +closed as INVALID/CANTFIX and/or ignored.

=20 =20 -
-What happened to bootstrap-cascade.sh? +
+How do I switch to the hardened profile? -

-Recently, the old bootstrap.sh and bootstrap-2.6.sh were deprecated. In= their -place, bootstrap-cascade.sh has been renamed to bootstrap.sh. +To change your profile use eselect to choose it.

=20 - -
- -
-How do I switch to the hardened profile? - + +Reading part 1 chapter 6 "Installing the Gentoo BaseSystem" on the +Gentoo Handbook is recommended for= better +instructions on how to change your profile. + =20
 # eselect profile list
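Review bot: in the `@@ -317,30 +244,27 @@` hunk, 'Installing the Gentoo BaseSystem' is missing a space ('Installing the Gentoo Base System'), and the new note would read more naturally as 'Reading part 1, chapter 6 ... of the Gentoo Handbook is recommended for more detailed instructions on changing your profile.' The answer 'To change your profile use eselect to choose it' could also drop the trailing 'to choose it', since the listing that follows already shows the command.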
@@ -351,8 +275,8 @@
 [5]   default/linux/amd64/10.0/developer
 [6]   default/linux/amd64/10.0/no-multilib
 [7]   default/linux/amd64/10.0/server
-[8]   hardened/linux/amd64/10.0
-[9]   hardened/linux/amd64/10.0/no-multilib
+[8]   hardened/linux/amd64
+[9]   hardened/linux/amd64/no-multilib
 [10]  selinux/2007.0/amd64
 [11]  selinux/2007.0/amd64/hardened
 [12]  selinux/v2refpolicy/amd64
@@ -363,66 +287,124 @@
 # eselect profile set 8 (replace 8 with the desired hard=
ened profile)
 
=20 + +The previous output will vary according to the architecture you use, als= o the +commands required to choose the profile will vary depending on the outpu= t of the +first command. + +

-After setting up your profile, you should recompile your system using a -hardened toolchain so that you have a consistent base: +After setting up your profile, you should recompile your system using a = hardened +toolchain so that you have a consistent base:

=20
 # emerge --oneshot binutils gcc virtual/libc
-# emerge -e world
+# emerge -e --keep-going system
+# emerge -e --keep-going world
 
=20 +

+The --keep-going option is added to ensure emerge won't stop in c= ase any +package fails to build.=20 +

+
=20
How do I debug with gdb? +

-First gotcha is that GDB can't resolve symbols in PIEs; it doesn't reali= se that -the addresses are relative in PIEs not absolute. This shows up when you = try to -get a backtrace for example, and see a stream of lines with '??' where t= he -symbol should be. +We have written a document +on how to debug with Gentoo Hardened, so following the recommendat= ions +there should fix your problem.

+ + +
+ +
+Why is the jit flag disabled in the hardened profile? + +

-To get around this, do the final link stage with -nopie - all the -preceding object compilations can still be with -fPIE as normal (= i.e. the -default with the hardened compiler) so that your executable is as close = as -possible to the real thing, but the final link must create a regular exe= cutable. -Try adding -nopie to LDFLAGS if you're building with emerge. +JIT means Just In Time Compilation and consist on taking some code meant= to be +interpreted (like Java bytecode or JavaScript code) compile it into nati= ve +binary code in memory and then executing the compiled code. This means t= hat the +program need a section of memory which has write and execution permissio= ns to +write and then execute the code which is denied by PaX, unless the mprot= ect flag +is unset for the executable. As a result, we disabled the JIT use flag b= y +default to avoid complaints and security problems.

+

-Another way of accomplishing this, it to emerge >=3Dsys-devel/gdb-7.1, w= hich contains -a special patch that makes it able to debug executeables linked with -pi= e. +You should bear in mind that having a section which is written and then = executed +can be a serious security problem as the attacker needs to be able to e= xploit a +bug between the write and execute stages to write in that section in ord= er to +execute any code it wants to.

+ +
+ +
+How do I enable the jit flag? + +

-The second gotcha is that PaX may prevent GDB from setting breakpoints, -depending on how the kernel is configured. This includes the breakpoint = at main -which you need to get started. To stop PaX doing this, the executable be= ing -debugged needs the m and x flags. The x flag is set= by -default, so it is enough to do: +If you need it, we recommend enabling the flag in a per package basis us= ing +/etc/portage/package.use

-
-# /sbin/paxctl -m foo
+
+
+x11-libs/qt-core jit
+x11-libs/qt-script jit
+x11-libs/qt-webkit jit
 
+

-At this point, you should be good to go! Fire up gdb in the usual way. = Good -luck! +Anyway, you can enable the use flag globally using /etc/make.conf

+ +
+CFLAGS=3D"-O2 -pipe -fomit-frame-pointer -march=3Dnative"
+CXXFLAGS=3D"${CFLAGS}"
+# WARNING: Changing your CHOST is not something that should be done ligh=
tly.
+# Please consult http://www.gentoo.org/doc/en/change-chost.xml before ch=
anging.
+CHOST=3D"x86_64-pc-linux-gnu"
+# These are the USE flags that were used in addition to what is provided=
 by the
+# profile used for building.
+#If you have more uses adding jit to the end should suffice
+USE=3D"jit"
+
+MAKEOPTS=3D"-j2"
+
+GENTOO_MIRRORS=3D"ftp://ftp.udc.es/gentoo/"
+
+SYNC=3D"rsync://rsync.europe.gentoo.org/gentoo-portage"
+
+ + +Remember that if you enable JIT code on PaX you may need to disable mpro= tect on +the binaries using such code, either by them selves or through libraries= . Check +the PaX question on Java and JIT to see how to= do this + + +
- =09 + =20 PaX Questions
-What is the homepage for PaX? +Where is the homepage for PaX? =20

-The homepage for PaX is located at http://pax.grsecurity.net. +That is the homepage for PaX.

=20 @@ -433,14 +415,45 @@ =20

-Currently the only Gentoo documentation that exists about PaX is a PaX -quickstart guide located at the -http://www.gentoo.org/proj/en/hardened/pax-quickstart.xml web= site. +Currently the only Gentoo documentation that exists about PaX is a PaX = quickstart +guide.

=20
=20 +
+How do PaX markings work? + + +

+PaX markings are a way to tell PaX which features should enable (or disa= ble) for +a certain binary. +

+ +

+Features can either be enabled, disabled or not set. Enabling or disabli= ng them +will supersede the kernel action, so a binary with a feature enabled wil= l +always use the feature and one with a feature disabled won't ever used i= t. +

+ +

+When the feature status is not set the kernel will choose whether to ena= ble or +disable it. By default, the hardened kernel will enable those features w= ith only +two exceptions, the feature is not supported by the architecture/kernel = or PaX +is running in Soft Mode. In those two cases, it will be disabled. +

+ + +In order to have Soft Mode, your kernel should have that feature enabled= and +you should enable it either passing pax_softmode=3D1 in the kerne= l cmdline +or setting to 1 the option in /proc/sys/kernel/pax/softmode. + + + +
+
I keep getting the message: "error while loading shared libraries= : cannot make segment writable for relocation: Permission denied." What does thi= s @@ -448,13 +461,29 @@ <body> =20 <p> -This error occurs when you enable CONFIG_PAX_NOELFRELOCS as such: +Text relocations are a way in which references in the executable code to +addresses not known at link time are solved. Basically they just write t= he +appropriate address at runtime marking the code segment writable in orde= r to +change the address then unmarking it. This can be a problem as an attack= er could +try to exploit a bug when the text relocation happens in order to be abl= e to +write arbitrary code in the text segment which would be executed. As thi= s also +means that code will be loaded on fixed addresses (not be position indep= endent) +this can also be exploited to pass over the randomization features provi= ded by +PaX.</p> + +<p> +As this can be triggered for example by adding a library with text +relocations to the ones loaded by the executable, PaX offers the option +CONFIG_PAX_NOELFRELOCS in order to avoid them. This option is enabled li= ke this: </p> =20 <pre caption=3D"Menuconfig Options"> -Non-executable page -> - - [*] Disallow ELF text relocations +-> Security options + -> PaX + -> Enable various PaX features + -> Non-executable pages + [*] Restrict mprotect() + [*] Allow ELF text relocations </pre> =20 <p> @@ -490,87 +519,87 @@ </body> </section> =20 -<section id=3D"paxjava"> -<title>Ever since I started using PaX I can't get Java working, why?</ti= tle> +<section id=3D"paxjavajit"> +<title>Ever since I started using PaX I can't get Java/JIT code working, +why? =20

As part of its design, the Java virtual machine creates a considerable a= mount of -code at runtime which does not make PaX happy. There are two ways to co= rrect -this problem: +code at runtime which does not make PaX happy. Although, with current ve= rsions +of portage and java, portage will mark the binaries automatically, you s= till +need to enable PaX marking so PaX can do an exception with them and have= paxctl +installed so the markings can be applied to the binaries (an reemerge th= em so +they are applied).

=20 -
-# emerge chpax
-# /etc/init.d/chpax start
+

+This of course can't be applied to all packages linking with libraries w= ith JIT +code, so if it doesn't, there are two ways to correct this problem: +

+ +
+-> Security options
+  -> PaX
+    -> Enable various PaX features
+      -> PaX Control
+        [*] Use ELF program header marking
+
+ +
+# emerge paxctl
 
=20

-Or if you already have chpax emerged then you can do: +When you already have paxctl emerged you can do:

=20 -
-# chpax -pemrxs /opt/*-jdk-*/{jre,}/bin/*
+
+# paxctl -pemrxs /path/to/binary
 
=20

-Both of these options will slightly modify the ELF eheader in order to c= orrectly +This option will slightly modify the ELF header in order to correctly set the PAX flags on the binaries.

=20 If you are running PaX in conjunction with an additional security implem= entation -such as RSBAC, grsecurity, or SELinux you should manage PaX using the ke= rnel +such as Grsecurity's RBAC, or SELinux you should manage PaX using the ke= rnel hooks provided for each implementation. =20

-On RSBAC, you can label all Java files with the following command. +The other way is using your security implementation to do this using the= kernel +hooks.

=20 -
-# for i in $(ls /opt/*(jdk|sdk)*/{jre,}/bin/*);do attr_set_file_dir F=
ILE $i pax_flags pmerxs;done
-
-
-
=20 - -grsecurity Questions -
-What is the homepage for grsecurity? +
+Can I disable PaX features at boot? =20

-The homepage for grsecurity is located at http://www.grsecurity.net= . +Although this is not advised except when used to rescue the system or fo= r +debugging purposes, it is possible to change a few of PaX behaviours on = boot via +the kernel command line.

=20 - -
- -
-What Gentoo documentation exists about grsecurity? - -

-The most current documentation for grsecurity is a Grsecurity2 quickstar= t guide -located at http://www.gentoo.org/proj/en/hardened/grsecurity.xml. +Passing pax_nouderef in the kernel cmdline will disable uderef wh= ich can +cause problems on certain virtualization environments and cause some bug= s (at +times) at the expense leaving the kernel unprotected against unwanted u= serspace +dereferences.

=20 - -
- -
-Can I use grsecurity with a 2.6.8, 2.6.8.1, or 2.6.9 kernel?</tit= le> -<body> - <p> -Due to significant changes in the 2.6.8 kernel that broke PaX, neither a= PaX nor -a grsecurity patch are available for kernels 2.6.8, 2.6.8.1, or 2.6.9. = Although -an experimental patch is available for 2.6.10, the official stance of th= e PaX -Team regarding 2.6 kernels should be noted and taken into consideration = before -use: <uri> http://forums.grsecurity.net./viewtopic.php?t=3D968</uri>. +Passing <c>pax_softmode=3D1</c> in the kernel cmdline will enable the so= ftmode +which can be useful when booting a not prepared system with a PaX kernel= . In +soft mode PaX will disable most features by default unless told otherwis= e via +the markings. In a similar way, <c>pax_softmode=3D0</c> will disable the= softmode +if it was enabled in the config. </p> =20 </body> @@ -578,49 +607,43 @@ </chapter> =20 <chapter> -<title>RSBAC Questions -
-What is the homepage for RSBAC? +Grsecurity Questions +
+Where is the homepage for Grsecurity? =20

-The homepage for RSBAC is located at http://www.rsbac.org. +That is the homepage for Grsecur= ity.

=20
=20 -
-What Gentoo documentation exists about RSBAC? +
+What Gentoo documentation exists about Grsecurity? =20

-All Gentoo RSBAC documentation is located at the RSBAC subproject page f= ound at: -http://www.gentoo.org/proj/en/hardened/rsbac/index.xml -

- -

-Moreover, non-Gentoo RSBAC documentation can be found in the RSBAC handb= ook, -found at: http://www.rsbac.org/documentation/rsbac_handbook +The most current documentation for Grsecurity is a Grsecurit= y2 +quickstart guide.

=20
=20 -
-How do I use an initial ramdisk with a RSBAC enabled kernel?</tit= le> +<section id=3D"grsecnew"> +<title>Can I use Grsecurity with a recent kernel not on the portage tree + =20

-To use an initial ramdisk with a RSBAC enabled kernel, a special kernel = option -must be enabled or else RSBAC will treat the initrd as the root device: +Usually we release a new version of hardened sources not long after a ne= w +PaX/Grsecurity patch is released, so the best option is just waiting a b= it for +the kernel team to adapt the patches and then test them. Remind that we = won't +support kernel sources not coming from the portage tree.

=20 -
-General RSBAC options  --->
-    [*] Delayed init for initial ramdisk
-
-
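Review bot: the new title in the `@@ -578,49 +607,43 @@` hunk, 'Can I use Grsecurity with a recent kernel not on the portage tree', is missing its question mark, and 'Remind that we won't support kernel sources' should be 'Remember that we won't support kernel sources'. The replacement answer 'That is the homepage for Grsecurity' no longer shows the address the removed line spelled out (http://www.grsecurity.net); keep the URL visible in the text so the answer still makes sense when the link target is not rendered.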
@@ -632,8 +655,9 @@ =20

-A SELinux specific FAQ can be found at -http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part= =3D3&chap=3D3. +There is a +SELinux specific FAQ.

=20
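Review bot: the new version date `2011-1-19` in the `@@ -15,148 +16,42 @@` hunk breaks the zero-padded format the removed line used (`2006-02-18`); write `2011-01-19`. The added introduction also reads awkwardly: 'As such, is geared towards answering' is missing its subject ('As such, it is geared towards answering'), and 'It is advisable reading the rest of the documentation' should be 'It is advisable to read the rest of the documentation'.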
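Review bot: in the `@@ -175,96 +70,125 @@` hunk, 'using gcc to link thre object files' has a typo ('the object files'), 'Manually enabling the hardening flags it is not recommended at all' has a stray 'it', and the sentence ending 'on the How to switch to Gentoo Hardened question' has no terminating period. The warning 'Sending a -fno... flag will disable the flag, also -fstack-protector-all and -fstack-protector may interfere when passed directly' is hard to parse; say which flag does what, e.g. 'Passing a -fno... flag disables the corresponding feature; passing -fstack-protector-all or -fstack-protector directly may also interfere with the defaults set by the specs.'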
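Review bot: the `@@ -273,25 +197,28 @@` hunk tells the reader to append `-z,lazy` and `-z,norelro` to LDFLAGS, but the defaults quoted earlier in the same file pass these options through the compiler driver with the `-Wl,` prefix (`LDFLAGS="-Wl,-z,now -Wl,-z,relro"`); for consistency with that, and so the option actually reaches the linker when gcc does the link, write `-Wl,-z,lazy` and `-Wl,-z,norelro`. 'Relro is default on binutils so be sure that you want to disable it before doing so' would also be clearer as 'relro is enabled by default in binutils, so make sure you really want to disable it.'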
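Review bot: in the `@@ -363,66 +287,124 @@` hunk the make.conf listing for enabling jit carries unrelated, site-specific settings (CFLAGS, CHOST, MAKEOPTS, a GENTOO_MIRRORS entry and a SYNC entry); trim it to the `USE="jit"` line and its comment so readers do not copy the rest into their own configuration. Wording in the same hunk: 'consist on taking some code' (consists of taking), 'the program need a section' (needs), 'by them selves' (by themselves), and the closing sentence 'to see how to do this' lacks a period. The security paragraph would also be more useful if it named the mitigation it is describing: it is the mprotect restriction that denies the writable-and-executable mapping, so clearing that flag for a binary is what reopens the window.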
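Review bot: in the `@@ -433,14 +415,45 @@` hunk, 'tell PaX which features should enable (or disable)' is missing its subject ('which features it should enable'), and 'one with a feature disabled won't ever used it' should be 'won't ever use it'. The soft mode note could state the option name, since it only says 'your kernel should have that feature enabled'; readers following this FAQ will need the config symbol to find it in menuconfig.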
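Review bot: the new menuconfig listing in the `@@ -448,13 +461,29 @@` hunk contradicts its own prose: the paragraph says `CONFIG_PAX_NOELFRELOCS` is enabled 'like this', but the listing shows `[*] Allow ELF text relocations` checked, which is the opposite of disallowing them (the removed listing read `[*] Disallow ELF text relocations`). Either the option name in the prose or the listed item and its checkbox must change so the two agree, otherwise a reader who copies the listing ends up permitting the very relocations the answer warns about. Minor wording: 'are solved' should be 'are resolved', and 'pass over the randomization features' should be 'bypass the randomization features'.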
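Review bot: in the `@@ -490,87 +519,87 @@` hunk the new paragraph 'The other way is using your security implementation to do this using the kernel hooks' repeats the unchanged paragraph immediately above it about managing PaX through the kernel hooks of RBAC or SELinux; merge the two. Typos: 'an reemerge them' (and re-emerge them), 'at the expense leaving the kernel unprotected' (at the expense of leaving), 'a not prepared system' (an unprepared system). The `paxctl -pemrxs /path/to/binary` example would be easier to apply if it kept a concrete target, as the removed `chpax` line did with the JDK paths.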