public inbox for gentoo-hardened@lists.gentoo.org
* [gentoo-hardened] Grsecurity 2 in hardened-sources
@ 2003-06-09 18:14 Ned Ludd
  0 siblings, 0 replies; 7+ messages in thread
From: Ned Ludd @ 2003-06-09 18:14 UTC
  To: gentoo-hardened

I would like to thank frogger for taking the time to put together
hardened-sources-r3 for us (good work frogger)

-r3 introduces the grsecurity-2.0-pre4-2.4.20.patch which has
some very cool/needed new features for us grsecurity users such as role
based access control, variable support within acls including unions,
intersections, differences of sets, and a learning device,daemon as
well as nested subjects. All these features plus what it already had
should make grsecurity2 the most well rounded complete host based
security solution available for linux to date.

These new features should be transparent to our users not using the
access control list features of grsecurity, however for those that
will be using them we have a few things to consider.

First grsecurity 2 has not been officially released yet, and no
documentation exists for these features of grsecurity2 outside of the
grsec mailing list itself.

Second item is gradm itself,
<=gradm-2 installs to /sbin/gradm and reads /etc/grsec/acl
>gradm-2 also installs to /sbin/gradm and also reads /etc/grsec/acl
But they don't play together well at all, and if we were to park gradm2
which is really gradm in sys-apps/gradm it would always get preferred
over gradm-1.9.x when ~arch is set. This would affect users using
gentoo-sources. I don't want to introduce another apache{1,2} SLOT type
of mess.

My simple solution would be to park gradm 2 in sys-apps/gradm2, install
gradm 2 as /sbin/gradm2 with /etc/grsec2/acl and leave it this way
until grsecurity1 becomes deprecated. This would allow people to have
both systems installed without any conflict. (Any comments before it
gets set in stone?)

-- 
Ned Ludd <solar@gentoo.org>
Gentoo Linux (Hardened)


--
gentoo-hardened@gentoo.org mailing list



* Re: [gentoo-hardened] Grsecurity 2 in hardened-sources
@ 2003-06-09 20:12 Joshua Brindle
  2003-06-09 21:07 ` Ned Ludd
  0 siblings, 1 reply; 7+ messages in thread
From: Joshua Brindle @ 2003-06-09 20:12 UTC
  To: gentoo-hardened, Ludd, Ned

I'd rather you use SLOTs, this is what they are for..
otherwise in a few months you are going to have a
sys-apps/gradm2 and you won't be able to move it
(you can but it's overly complicated).

you can just have gradm-1 in slot one that installs to
/usr/sbin/gradm and gradm-2 in slot two that installs to
/usr/sbin/gradm2 and they won't conflict, you could even
give them different policy directories so that they don't
collide. 

You could then have both slots merged in next to each other
and it wouldn't be an issue..

the apache apache2 slot mess is really not SLOT'S fault, it's
something different altogether, we have plenty of apps that
have been happily slotted for a very long time (db, gtk, et al)



Joshua Brindle


* Re: [gentoo-hardened] Grsecurity 2 in hardened-sources
  2003-06-09 20:12 Joshua Brindle
@ 2003-06-09 21:07 ` Ned Ludd
  2003-06-11 12:12   ` Jesse Jacobs
  0 siblings, 1 reply; 7+ messages in thread
From: Ned Ludd @ 2003-06-09 21:07 UTC
  To: gentoo-hardened

On Mon, 2003-06-09 at 16:12, Joshua Brindle wrote: 
> I'd rather you use SLOTs, this is what they are for..
> otherwise in a few months you are going to have a
> sys-apps/gradm2 and you won't be able to move it
> (you can but it's overly complicated).
> 
> you can just have gradm-1 in slot one that installs to
> /usr/sbin/gradm and gradm-2 in slot two that installs to
> /usr/sbin/gradm2 and they won't conflict, you could even
> give them different policy directories so that they don't
> collide. 

> You could then have both slots merged in next to each other
> and it wouldn't be an issue..

I don't see how this could/would prevent users that have ~arch keywords
from installing gradm-2 when using -sources other than hardened-sources.

Ok say we have ~arch in our keywords and we are using
gentoo-sources-2.4.20-r5(grsecurity 1.9.x) and we do emerge world
the next time we come back to this box it would end up having >=gradm-2
installed and we would not be able to enable/disable the acl system.

> the apache apache2 slot mess is really not SLOT'S fault, it's 
> something different altogether, we have plenty of apps that
> have been happily slotted for a very long time (db, gtk, et al)

SLOTS do not seem to properly address who is using what sources. Example
ever had a box running apache1 and had ~x86 in your keywords and did
'emerge world' portage will override your previous install of apache1
and force you to use apache2 [doh!]. This is my concern with gradm-1 &
gradm-2.

If you or anybody on this list knows of a way to make this behave
correctly with these settings then please by all means submit your
ebuild for gradm-2.0_pre4 (or fix portage so it honors what's installed
already when using ~arch flags)

-- 
Ned Ludd <solar@gentoo.org>
Gentoo Linux (Hardened)



* Re: [gentoo-hardened] Grsecurity 2 in hardened-sources
  2003-06-09 21:07 ` Ned Ludd
@ 2003-06-11 12:12   ` Jesse Jacobs
  2003-06-11 15:30     ` Ned Ludd
  0 siblings, 1 reply; 7+ messages in thread
From: Jesse Jacobs @ 2003-06-11 12:12 UTC
  To: gentoo-hardened

Good morning,

Please forgive my boldness (I'm Dutch). :)
Last night I was functioning on 2 hours of sleep.
The alias (a CnP from a previous e-mail in a "From Memory" context) is
totally open for suggestions, criticism, improvement.
In fact I was hoping to roll this around a little.

I was wondering when gradm-2* would be put in portage?
Would there be any sort of docs for this too? (Humble Plea) :)

Thanks Again Gentoo-Hardened!
j


DOH!
pressed reply!
j

-------- Original Message --------
Subject: Re: [gentoo-hardened] Grsecurity 2 in hardened-sources
From: "Jesse Jacobs" <jesse@eazy.homeip.net>
Date: Tue, June 10, 2003 11:21 pm
To: <solar@gentoo.org>

Hello,

First, THANKS!!!

Huge Appreciation here!

Why use SLOTS?

Would u be willing to try using a hard mask?

When the grsec2 transition takes place across all kernels...

we can use grsec2 by removing the hardmask.

Anyone that wants to use grsec2 must maintain package.mask
ie.
# diff exits 1 when the files differ, so accept 0 or 1 before copying
alias realsync='emerge sync &&
  { diff -u /root/package.mask /usr/portage/profiles/package.mask > /root/package.mask.diff; [ $? -le 1 ]; } &&
  cp /root/package.mask /usr/portage/profiles/package.mask &&
  source /etc/profile &&
  echo "Maintaining Your Package Limits."'

Then update the box with:
realsync; emerge -uUvp world;

j


* Re: [gentoo-hardened] Grsecurity 2 in hardened-sources
  2003-06-11 12:12   ` Jesse Jacobs
@ 2003-06-11 15:30     ` Ned Ludd
  0 siblings, 0 replies; 7+ messages in thread
From: Ned Ludd @ 2003-06-11 15:30 UTC
  To: gentoo-hardened

On Wed, 2003-06-11 at 08:12, Jesse Jacobs wrote:

> I was wondering when gradm-2* would be put in portage?
In the next few hours..

> Would there be any sort of docs for this too? (Humble Plea) :)

When spender (author of grsecurity) writes the 2.x documentation we will
be happy to include it, other than that the best we could try and do is
extract a few things from the grsecurity mailing list.
(Any gentoo-devs and or gentoo-users up for this?)

> Thanks Again Gentoo-Hardened!
Hey we love doing it..

> 
> Would u be willing to try using a hard mask?
> 
> When the grsec2 transition takes place across all kernels...
> 
> we can use grsec2 by removing the hardmask.

After a few long talks with the people on freenode we have decided that
gradm will be merged into portage as gradm2 and will remain this way for
its life. By doing it this way we completely avoid the apache{1,2} type
of mess when ~arch flags are set in your keywords [which will be
required to use gradm2]

-- 
Ned Ludd <solar@gentoo.org>
Gentoo Linux (Hardened)



* Re: [gentoo-hardened] Grsecurity 2 in hardened-sources
@ 2003-06-11 16:20 Jesse Jacobs
  2003-06-11 21:47 ` Ned Ludd
  0 siblings, 1 reply; 7+ messages in thread
From: Jesse Jacobs @ 2003-06-11 16:20 UTC
  To: gentoo-hardened

Hello Ned,

Thanks for all your (and the whole team's) great effort!

Ned Ludd said:
> On Wed, 2003-06-11 at 08:12, Jesse Jacobs wrote:
>
>> I was wondering when gradm-2* would be put in portage?
> In the next few hours..
>

Sweet!

>> Would there be any sort of docs for this too? (Humble Plea) :)
>
> When spender (author of grsecurity) writes the 2.x documentation we
> will be happy to include it, other than that the best we could try and
> do is extract a few things from the grsecurity mailing list.
> (Any gentoo-devs and or gentoo-users up for this?)
>

I will assist, if you're willing to let me.  I'm already on the mailing
list, and have been following the little snippets as they are added to
2.0 and scouring the archives.

Are the security docs already in the tarball?
I haven't checked yet as I'm at work :(  I will in approx 5 hours.

>> Thanks Again Gentoo-Hardened!
> Hey we love doing it..

:)

>
>>
>> Would u be willing to try using a hard mask?
>>
>> When the grsec2 transition takes place across all kernels...
>>
>> we can use grsec2 by removing the hardmask.
>
> After a few long talks with the people on freenode we have decided
> that gradm will be merged into portage as gradm2 and will remain this
> way for its life. By doing it this way we completely avoid the
> apache{1,2} type of mess when ~arch flags are set in your keywords
> [which will be required to use gradm2]
>

I respect your decision.

In fairness, the apache issue was seeded from the decision to maintain
2 stable branches within the same package name.  Both gradm 1 and 2
cannot co-exist correct?  A user could then install both right?
Will 2.0 eventually trickle down to all the grsec aware kernels?

Sorry for being a PITA,
j


* Re: [gentoo-hardened] Grsecurity 2 in hardened-sources
  2003-06-11 16:20 Jesse Jacobs
@ 2003-06-11 21:47 ` Ned Ludd
  0 siblings, 0 replies; 7+ messages in thread
From: Ned Ludd @ 2003-06-11 21:47 UTC
  To: gentoo-hardened


> >> I was wondering when gradm-2* would be put in portage?
> > In the next few hours..

gradm2 has been committed to portage
emerge rsync
emerge gradm2
gradm2 -P admin
cd /etc/grsec2/
# make a policy or
zcat /usr/share/doc/gradm2-0.0_pre4/acl.gz > /etc/grsec2/acl
gradm2 -E ; # (wow that was easy)

gradm2 only works with >=hardened-sources-2.4.20-r3 as of now.
I've not included any default roles with this version outside of the
default one that comes with gradm2 (gotta wait for -r1)

I do however have a few roles that need to be further developed for
production use. Anybody wanting/willing to test/(help dev) these should
contact myself or method@gentoo.org and or join #gentoo-hardened on
irc.freenode.net

> >
> 
> Sweet!
> 
> >> Would there be any sort of docs for this too? (Humble Plea) :)
> >
> > When spender (author of grsecurity) writes the 2.x documentation we
> > will be happy to include it, other than that the best we could try and
> > do is extract a few things from the grsecurity mailing list.
> > (Any gentoo-devs and or gentoo-users up for this?)
> >
> 
> I will assist, If you're willing to let me.  I'm already on the mailing
> list, and have been following the little snippets as they are added to
> 2.0 and scouring the archives.

Hell yeah you're more than welcome to assist. (gentoo is a distro by
powerusers for powerusers)

> Are the security docs already in the tarball?

No really they don't exist!

> 
> In fairness, the apache issue was seeded from the decision to maintain
> 2 stable branches within the same package name.  Both gradm 1 and 2
> cannot co-exist correct?  A user could then install both right?

Yes the way I put together the gradm2 ebuild will allow you to have both
gradm and gradm2 installed on the same box at the same time. Note
however if you're using both you may want to make sure that both policies
hide /etc/grsec/ and /etc/grsec2/

> Will 2.0 eventually trickle down to all the grsec aware kernels?
> 

It's way too soon in the game to tell what the future of grsecurity2 on
gentoo will be. I don't foresee it getting mainlined till it goes stable
on the grsecurity site. At that point we can look into getting it merged
into other non hardened-kernels. (We are the testbed)

-- 
Ned Ludd <solar@gentoo.org>
Gentoo Linux (Hardened)
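
The caveat in the message above, that with both tools installed each policy should hide /etc/grsec/ and /etc/grsec2/, can be checked mechanically. The script below is an added example, not part of the thread or of gradm; it assumes a policy syntax in which object rules are "<path> <modes>" lines inside "{ ... }" subject blocks and mode letter "h" hides the object, and the check_hidden and demo names and the sample policies are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed policy syntax: object rules are
# "<path> <modes>" lines inside "{ ... }" subject blocks; mode "h" hides.

# check_hidden POLICY DIR...
# Prints findings and returns 1 if any are found:
#   MISSING <dir>                   no rule in the policy hides <dir>
#   EXPOSED <dir> <subject> <mode>  a subject lists <dir> without "h"
check_hidden() {
    policy=$1; shift
    awk -v dirs="$*" '
        BEGIN { n = split(dirs, want, " "); bad = 0 }
        { sub(/#.*/, "") }                        # drop comments
        /[{][ \t]*$/ {                            # "subject / {" or "/ {"
            subj = ($1 == "subject") ? $2 : $1
            next
        }
        /^[ \t]*[}]/ { subj = ""; next }          # end of subject block
        subj != "" && NF >= 1 {
            path = $1; sub(/\/$/, "", path)       # tolerate trailing slash
            mode = (NF >= 2) ? $2 : "-"
            for (i = 1; i <= n; i++) {
                if (path != want[i]) continue
                if (index(mode, "h")) hidden[path] = 1
                else { print "EXPOSED", path, subj, mode; bad = 1 }
            }
        }
        END {
            for (i = 1; i <= n; i++)
                if (!(want[i] in hidden)) { print "MISSING", want[i]; bad = 1 }
            exit bad
        }
    ' "$policy"
}

# Constructed sample policies (not real gradm defaults) for a dry run.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' '/ {' '    / r' '    /etc/grsec h' '}' > "$tmp/acl1"
    printf '%s\n' 'role default' 'subject / {' '    / r' \
        '    /etc/grsec h' '    /etc/grsec2 h' '}' \
        'subject /usr/bin/backup {' '    /etc/grsec2/ r' '}' > "$tmp/acl2"
    for f in "$tmp/acl1" "$tmp/acl2"; do
        echo "== $f"
        check_hidden "$f" /etc/grsec /etc/grsec2 || true
    done
    rm -rf "$tmp"
}

# On a real box, point it at the two policy paths named in the thread:
#   check_hidden /etc/grsec/acl  /etc/grsec /etc/grsec2
#   check_hidden /etc/grsec2/acl /etc/grsec /etc/grsec2
demo
```

A MISSING line means the policy never hides that directory; an EXPOSED line names a subject whose own rule for the directory drops the hide flag.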

