public inbox for gentoo-hardened@lists.gentoo.org
* [gentoo-hardened] virtualization with gentoo hardened
@ 2009-08-08 18:35 Yiannis
  2009-08-08 18:39 ` basile
                   ` (2 more replies)
  0 siblings, 3 replies; 16+ messages in thread
From: Yiannis @ 2009-08-08 18:35 UTC (permalink / raw
  To: gentoo-hardened

Hello,

I am running hardened gentoo with the toolchain provided by the
xake-toolchain overlay. I am looking for a way to use virtualization
with my current config. I am aware of the linux-vserver project which has
grsecurity integration, but as far as I remember does not play well
with rbac. Anyone that has a similar working config?

Regards

Yiannis



^ permalink raw reply	[flat|nested] 16+ messages in thread

* Re: [gentoo-hardened] virtualization with gentoo hardened
  2009-08-08 18:35 [gentoo-hardened] virtualization with gentoo hardened Yiannis
@ 2009-08-08 18:39 ` basile
  2009-08-08 18:55   ` Yiannis
  2009-08-08 19:28 ` Michael Orlitzky
  2009-08-11 15:55 ` Ed W
  2 siblings, 1 reply; 16+ messages in thread
From: basile @ 2009-08-08 18:39 UTC (permalink / raw
  To: gentoo-hardened


Yiannis wrote:
> Hello,
>
> I am running hardened gentoo with the toolchain provided by the
> xake-toolchain overlay. I am looking for a way to use virtualization
> with my current config. I am aware of linux-vserver project which has
> grsecurity integration, but as far as I remember does not play well
> with rbac. Anyone that has a similar working config?
>
> Regards
>
> Yiannis
>   
I run both i686 and amd64 as xen guests with the xake-toolchain overlay
and kernel hardened with grsec.  Is this what you want?

-- 

Anthony G. Basile, Ph.D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
USA

(716) 829-8197






* Re: [gentoo-hardened] virtualization with gentoo hardened
  2009-08-08 18:39 ` basile
@ 2009-08-08 18:55   ` Yiannis
  2009-08-09 19:25     ` basile
  0 siblings, 1 reply; 16+ messages in thread
From: Yiannis @ 2009-08-08 18:55 UTC (permalink / raw
  To: gentoo-hardened

On Sat, 08 Aug 2009 14:39:54 -0400
basile <basile@opensource.dyc.edu> wrote:

> Yiannis wrote:
> > Hello,
> >
> > I am running hardened gentoo with the toolchain provided by the
> > xake-toolchain overlay. I am looking for a way to use virtualization
> > with my current config. I am aware of linux-vserver project which
> > has grsecurity integration, but as far as I remember does not play
> > well with rbac. Anyone that has a similar working config?
> >
> > Regards
> >
> > Yiannis
> >   
> I run both i686 and amd64 as xen guests with the xake-toolchain
> overlay and kernel hardened with grsec.  Is this what you want?
> 

If the host's kernel is hardened then yes, this is the case. Are you running
pax+grsec in both host and guest OS?




* Re: [gentoo-hardened] virtualization with gentoo hardened
  2009-08-08 18:35 [gentoo-hardened] virtualization with gentoo hardened Yiannis
  2009-08-08 18:39 ` basile
@ 2009-08-08 19:28 ` Michael Orlitzky
  2009-08-08 22:01   ` Yiannis
  2009-08-09 22:58   ` Yiannis
  2009-08-11 15:55 ` Ed W
  2 siblings, 2 replies; 16+ messages in thread
From: Michael Orlitzky @ 2009-08-08 19:28 UTC (permalink / raw
  To: gentoo-hardened

Yiannis wrote:
> Hello,
> 
> I am running hardened gentoo with the toolchain provided by the
> xake-toolchain overlay. I am looking for a way to use virtualization
> with my current config. I am aware of linux-vserver project which has
> grsecurity integration, but as far as I remember does not play well
> with rbac. Anyone that has a similar working config?

I'm using KVM here under a similar setup with few issues. Occasionally 
the modules that ship with KVM will get out of sync with the ones 
provided by the hardened kernel, but that hasn't caused me any trouble 
in a while. And you can always use the modules that ship with KVM.




* Re: [gentoo-hardened] virtualization with gentoo hardened
  2009-08-08 19:28 ` Michael Orlitzky
@ 2009-08-08 22:01   ` Yiannis
  2009-08-09 21:21     ` Pavel Labushev
  2009-08-09 22:58   ` Yiannis
  1 sibling, 1 reply; 16+ messages in thread
From: Yiannis @ 2009-08-08 22:01 UTC (permalink / raw
  To: gentoo-hardened

On Sat, 08 Aug 2009 15:28:10 -0400
Michael Orlitzky <michael@orlitzky.com> wrote:

> Yiannis wrote:
> > Hello,
> > 
> > I am running hardened gentoo with the toolchain provided by the
> > xake-toolchain overlay. I am looking for a way to use virtualization
> > with my current config. I am aware of linux-vserver project which
> > has grsecurity integration, but as far as I remember does not play
> > well with rbac. Anyone that has a similar working config?
> 
> I'm using KVM here under a similar setup with few issues.
> Occasionally the modules that ship with KVM will get out of sync with
> the ones provided by the hardened kernel, but that hasn't caused me
> any trouble in a while. And you can always use the modules that ship
> with KVM.

KVM is not for me since I am running Gentoo on a VIA VB7001 and on older
Intel hardware without VT support.




* Re: [gentoo-hardened] virtualization with gentoo hardened
  2009-08-08 18:55   ` Yiannis
@ 2009-08-09 19:25     ` basile
  2009-08-09 19:59       ` Yiannis
  0 siblings, 1 reply; 16+ messages in thread
From: basile @ 2009-08-09 19:25 UTC (permalink / raw
  To: gentoo-hardened

On Sat, 2009-08-08 at 21:55 +0300, Yiannis wrote:
> On Sat, 08 Aug 2009 14:39:54 -0400
> basile <basile@opensource.dyc.edu> wrote:
> 
> > Yiannis wrote:
> > > Hello,
> > >
> > > I am running hardened gentoo with the toolchain provided by the
> > > xake-toolchain overlay. I am looking for a way to use virtualization
> > > with my current config. I am aware of linux-vserver project which
> > > has grsecurity integration, but as far as I remember does not play
> > > well with rbac. Anyone that has a similar working config?
> > >
> > > Regards
> > >
> > > Yiannis
> > >   
> > I run both i686 and amd64 as xen guests with the xake-toolchain
> > overlay and kernel hardened with grsec.  Is this what you want?
> > 
> 
> If host's kernel is hardened then yes this is the case. Are you running
> pax+grsec in both host and guest os?

No sorry, neither the kernel nor toolchain of the host are hardened.
I've never tried to harden a xen host, and I'm not sure what the issues
would be.






* Re: [gentoo-hardened] virtualization with gentoo hardened
  2009-08-09 19:25     ` basile
@ 2009-08-09 19:59       ` Yiannis
  2009-08-09 21:36         ` Pavel Labushev
  0 siblings, 1 reply; 16+ messages in thread
From: Yiannis @ 2009-08-09 19:59 UTC (permalink / raw
  To: gentoo-hardened

On Sun, 09 Aug 2009 15:25:01 -0400
basile <basile@opensource.dyc.edu> wrote:

> On Sat, 2009-08-08 at 21:55 +0300, Yiannis wrote:
> > On Sat, 08 Aug 2009 14:39:54 -0400
> > basile <basile@opensource.dyc.edu> wrote:
> > 
> > > Yiannis wrote:
> > > > Hello,
> > > >
> > > > I am running hardened gentoo with the toolchain provided by the
> > > > xake-toolchain overlay. I am looking for a way to use
> > > > virtualization with my current config. I am aware of
> > > > linux-vserver project which has grsecurity integration, but as
> > > > far as I remember does not play well with rbac. Anyone that has
> > > > a similar working config?
> > > >
> > > > Regards
> > > >
> > > > Yiannis
> > > >   
> > > I run both i686 and amd64 as xen guests with the xake-toolchain
> > > overlay and kernel hardened with grsec.  Is this what you want?
> > > 
> > 
> > If host's kernel is hardened then yes this is the case. Are you
> > running pax+grsec in both host and guest os?
> 
> No sorry, neither the kernel nor toolchain of the host are hardened.
> I've never tried to harden a xen host, and I'm not sure what the
> issues would be.
> 
> 

So, if I get it right you are using xen-sources as a
host and hardened-sources (pax+grsec) on guest. If it is the case, do you
know if it is possible to run this setup on a machine without vmx?
I see that all the ebuilds from the main tree are masked. Are you using
xen-sources from the overlay?
How secure is this setup considered? I mean, having
the host OS (xen-sources) only for running some instances of
hardened-gentoo as guests, is it the same (almost?) as running them on
separate physical PCs?




* Re: [gentoo-hardened] virtualization with gentoo hardened
  2009-08-08 22:01   ` Yiannis
@ 2009-08-09 21:21     ` Pavel Labushev
  0 siblings, 0 replies; 16+ messages in thread
From: Pavel Labushev @ 2009-08-09 21:21 UTC (permalink / raw
  To: gentoo-hardened

> KVM is not for me since I am running Gentoo on a VIA VB7001 and on older
> Intel hardware without VT support.

VMware Server 1.x should work on x86 host without KERNEXEC. At least
worked for me before I switched to KVM after 2.6.28.





* Re: [gentoo-hardened] virtualization with gentoo hardened
  2009-08-09 19:59       ` Yiannis
@ 2009-08-09 21:36         ` Pavel Labushev
  0 siblings, 0 replies; 16+ messages in thread
From: Pavel Labushev @ 2009-08-09 21:36 UTC (permalink / raw
  To: gentoo-hardened

> How secure is this setup considered? I mean, having
> the host OS (xen-sources) only for running some instances of
> hardened-gentoo as guests, is it the same (almost?) as running them on
> separate physical PCs?

No, it's not the same and not almost the same. There were
vulnerabilities found in Xen already, and nobody can guarantee there are
no more of them.




* Re: [gentoo-hardened] virtualization with gentoo hardened
  2009-08-08 19:28 ` Michael Orlitzky
  2009-08-08 22:01   ` Yiannis
@ 2009-08-09 22:58   ` Yiannis
  2009-08-10  2:52     ` RB
  2009-08-10  5:34     ` Michael Orlitzky
  1 sibling, 2 replies; 16+ messages in thread
From: Yiannis @ 2009-08-09 22:58 UTC (permalink / raw
  To: gentoo-hardened

On Sat, 08 Aug 2009 15:28:10 -0400
Michael Orlitzky <michael@orlitzky.com> wrote:

> Yiannis wrote:
> > Hello,
> > 
> > I am running hardened gentoo with the toolchain provided by the
> > xake-toolchain overlay. I am looking for a way to use virtualization
> > with my current config. I am aware of linux-vserver project which
> > has grsecurity integration, but as far as I remember does not play
> > well with rbac. Anyone that has a similar working config?
> 
> I'm using KVM here under a similar setup with few issues.
> Occasionally the modules that ship with KVM will get out of sync with
> the ones provided by the hardened kernel, but that hasn't caused me
> any trouble in a while. And you can always use the modules that ship
> with KVM.

Can you plz elaborate on your setup? Are host & guest OS
both using grsec+pax? Are you using the xake-toolchain? Any
drawbacks? This seems (to me) to be the most secure solution, and
maybe I should consider upgrading my PC.




* Re: [gentoo-hardened] virtualization with gentoo hardened
  2009-08-09 22:58   ` Yiannis
@ 2009-08-10  2:52     ` RB
  2009-08-10  5:34     ` Michael Orlitzky
  1 sibling, 0 replies; 16+ messages in thread
From: RB @ 2009-08-10  2:52 UTC (permalink / raw
  To: gentoo-hardened

On Sun, Aug 9, 2009 at 16:58, Yiannis<yiannis@tolises.homeunix.org> wrote:
> Can you plz elaborate on your setup? Are host & guest OS
> both using grsec+pax? Are you using the xake-toolchain? Any
> drawbacks? This seems (to me) to be the most secure solution, and
> maybe I should consider upgrading my PC.

I use this setup too, and there isn't much to elaborate on -
xake-toolchain, host is running grsec+pax, and I'm running various
guests (hardened thru OS X).  Having recently gone from a P-III setup
to a Phenom myself, it's completely worth it.  I've had a few
inexplicable guest crashes, but that's more probably due to running on
the bleeding edge than anything.




* Re: [gentoo-hardened] virtualization with gentoo hardened
  2009-08-09 22:58   ` Yiannis
  2009-08-10  2:52     ` RB
@ 2009-08-10  5:34     ` Michael Orlitzky
  1 sibling, 0 replies; 16+ messages in thread
From: Michael Orlitzky @ 2009-08-10  5:34 UTC (permalink / raw
  To: gentoo-hardened

Yiannis wrote:
> On Sat, 08 Aug 2009 15:28:10 -0400
> Michael Orlitzky <michael@orlitzky.com> wrote:
> 
>> Yiannis wrote:
>>> Hello,
>>>
>>> I am running hardened gentoo with the toolchain provided by the
>>> xake-toolchain overlay. I am looking for a way to use virtualization
>>> with my current config. I am aware of linux-vserver project which
>>> has grsecurity integration, but as far as I remember does not play
>>> well with rbac. Anyone that has a similar working config?
>> I'm using KVM here under a similar setup with few issues.
>> Occasionally the modules that ship with KVM will get out of sync with
>> the ones provided by the hardened kernel, but that hasn't caused me
>> any trouble in a while. And you can always use the modules that ship
>> with KVM.
> 
> Can you plz elaborate on your setup? Are host & guest OS
> both using grsec+pax? Are you using the xake-toolchain? Any
> drawbacks? This seems (to me) to be the most secure solution, and
> maybe I should consider upgrading my PC.
> 

My hosts (mostly development machines, and a couple of servers) are all 
using grsec/PAX. The guests vary, but I do keep several hardened server 
images around for testing purposes which seem to work just as well as if 
they were running on bare metal.

The development machines all use the Xake toolchain, although I've never 
tried it in a guest. I don't imagine it would make much difference.

The management tools for KVM are fairly spartan -- I suppose that could
be either a pro or a con. Personally, I just need to be able to create
images, snapshot them, and run them. KVM does that well, and doesn't
require me to jump through hoops to do it (e.g. running a web server for
the user interface).




* Re: [gentoo-hardened] virtualization with gentoo hardened
  2009-08-08 18:35 [gentoo-hardened] virtualization with gentoo hardened Yiannis
  2009-08-08 18:39 ` basile
  2009-08-08 19:28 ` Michael Orlitzky
@ 2009-08-11 15:55 ` Ed W
  2009-08-11 16:50   ` Yiannis
  2 siblings, 1 reply; 16+ messages in thread
From: Ed W @ 2009-08-11 15:55 UTC (permalink / raw
  To: gentoo-hardened

Yiannis wrote:
> Hello,
>
> I am running hardened gentoo with the toolchain provided by the
> xake-toolchain overlay. I am looking for a way to use virtualization
> with my current config. I am aware of linux-vserver project which has
> grsecurity integration, but as far as I remember does not play well
> with rbac. Anyone that has a similar working config?
>   

I use a hardened host (2.6.29) with vserver.  Under this I run hardened
guests.  All of these are old style hardened (gcc 3.4.6, not the new
gcc4 stuff). (As an aside, even uclibc+patches now seems to work ok on
gcc4.4.1 + hardened, so I think it's about time we had a push to try and
get the hardened profile to shuffle along a bit...)

I am not currently using the RBAC features of grsec, but I don't
immediately see a reason why they wouldn't work.... I guess it's
possible they would need to be implemented in the host rather than the
guest (which would feel a bit weird), but it should still work I guess...

All other hardenings seem to work as advertised and generally speaking
vserver is a nice lightweight, pseudo virtualisation which is often good
enough for your needs... It's really just a slightly more fancy chroot
system with some scripts around it and some additional hardening (and
all the associated limitations).  Xen, etc. are the way you want to go if
you need full isolation.  However, vserver allows you to more neatly
overcommit machine resources and has a number of other advantages.

Good luck

Ed W




* Re: [gentoo-hardened] virtualization with gentoo hardened
  2009-08-11 15:55 ` Ed W
@ 2009-08-11 16:50   ` Yiannis
  2009-08-11 21:30     ` Pavel Labushev
  2009-08-13 10:58     ` Ed W
  0 siblings, 2 replies; 16+ messages in thread
From: Yiannis @ 2009-08-11 16:50 UTC (permalink / raw
  To: gentoo-hardened

On Tue, 11 Aug 2009 16:55:18 +0100
Ed W <lists@wildgooses.com> wrote:

> Yiannis wrote:
> > Hello,
> >
> > I am running hardened gentoo with the toolchain provided by the
> > xake-toolchain overlay. I am looking for a way to use virtualization
> > with my current config. I am aware of linux-vserver project which
> > has grsecurity integration, but as far as I remember does not play
> > well with rbac. Anyone that has a similar working config?
> >   
> 
> I use a hardened host (2.6.29) with vserver.  Under this I run hardened
> guests.  All of these are old style hardened (gcc 3.4.6, not the new
> gcc4 stuff). (As an aside, even uclibc+patches now seems to work ok on
> gcc4.4.1 + hardened, so I think it's about time we had a push to try
> and get the hardened profile to shuffle along a bit...)
> 
> I am not currently using the RBAC features of grsec, but I don't
> immediately see a reason why they wouldn't work.... I guess it's
> possible they would need to be implemented in the host rather than
> the guest (which would feel a bit weird), but it should still work I
> guess...
> 
> All other hardenings seem to work as advertised and generally
> speaking vserver is a nice lightweight, pseudo virtualisation which
> is often good enough for your needs... It's really just a slightly
> more fancy chroot system with some scripts around it and some
> additional hardening (and all the associated limitations).  Xen, etc.
> are the way you want to go if you need full isolation.  However,
> vserver allows you to more neatly overcommit machine resources and
> has a number of other advantages.
> 
> Good luck
> 
> Ed W

Hello Ed,

I used to have a box with the same setup as yours. As far as I remember
I had some difficulties applying policies on guests from the host. I
think I have seen an old patch on the linux-vserver.org site for gradm
providing this functionality, but it was posted some years ago.
It was abandoned and at a primitive state, so I didn't bother trying it.
The past two days I have been trying out lguest (with no luck yet) as an
alternative to KVM, since my PCs are not VT-x capable. The reason that
I prefer lguest (if it finally works) and KVM is that they are both in
the mainline kernel, let alone the full isolation that you mentioned. While
googling a bit I read an article on IBM's site about Linux containers
(LXC), which is supposed to finally land in the kernel. I think that this
might be worth trying as opposed to linux-vserver.




* Re: [gentoo-hardened] virtualization with gentoo hardened
  2009-08-11 16:50   ` Yiannis
@ 2009-08-11 21:30     ` Pavel Labushev
  2009-08-13 10:58     ` Ed W
  1 sibling, 0 replies; 16+ messages in thread
From: Pavel Labushev @ 2009-08-11 21:30 UTC (permalink / raw
  To: gentoo-hardened

Yiannis wrote:

> (LXC) which is supposed to finally land on the kernel. I think that this
> might be worth trying as opposed to linux-vserver.

Unfortunately, Grsecurity's RBAC does not support per-cgroup role
assignment, the roles are all system-wide. So don't expect much from
RBAC with LXC.




* Re: [gentoo-hardened] virtualization with gentoo hardened
  2009-08-11 16:50   ` Yiannis
  2009-08-11 21:30     ` Pavel Labushev
@ 2009-08-13 10:58     ` Ed W
  1 sibling, 0 replies; 16+ messages in thread
From: Ed W @ 2009-08-13 10:58 UTC (permalink / raw
  To: gentoo-hardened

Yiannis wrote:
> While
> googling a bit I read an article on ibm's site about linux containers
> (LXC) which is supposed to finally land on the kernel. I think that this
> might be worth trying as opposed to linux-vserver.
>
>   


I don't really know all the ins and outs of this argument, but I would
desire to have vserver push to integrate stuff upstream, but the main
developer seems happy with the status quo and has had many knock backs
previously.  As you point out, independently a bunch of people seem to
be implementing substantially the same functionality, but without the
prior history...  Shame we can't avoid the duplication of work here...

(One quite interesting patch included in the vserver kernel is a COW
implementation of hardlink breaking.  This is interesting for a class of
problems such as rsync style backups, or obviously for any kind of
duplicated shared pools of files.  I would have thought this was an
interesting feature to push upstream on its own, but just to bring it
to your attention in case it's useful for something else?)

Anyway, vserver is also a fairly developed wrapper around the
containers, so hopefully any new stuff will be absorbed into that project
and gradually its patch will become smaller, but it really is a
terrific solution to a whole class of problems.

Good luck

Ed W


