* [gentoo-hardened] Testing needed
From: Anthony G. Basile @ 2010-12-09 4:37 UTC
To: gentoo-hardened
Hi everyone,
I need to fast track stabilize hardened-sources-2.6.32-r30 and
hardened-sources-2.6.36-r5 because of a local root exploit on all
earlier kernels. The ebuilds just hit the tree.
Can I get feedback on how those kernels fare on x86 and amd64 arches? I
don't want to introduce new bugs that can be avoided. I hope to mark
them stable in about one week.
Thanks.
--
Anthony G. Basile, Ph.D.
Gentoo Developer
* Re: [gentoo-hardened] Testing needed
From: dev-random @ 2010-12-09 6:57 UTC
To: gentoo-hardened
o_O I don't see grsecurity there! Am I blind?
.config - Linux Kernel v2.6.36-hardened-r5 Configuration
──────────────────────────────────────────────────────────────────────────────
┌─────────────────────────── Security options ────────────────────────────┐
│ Arrow keys navigate the menu. <Enter> selects submenus --->. │
│ Highlighted letters are hotkeys. Pressing <Y> includes, <N> excludes, │
│ <M> modularizes features. Press <Esc><Esc> to exit, <?> for Help, </> │
│ for Search. Legend: [*] built-in [ ] excluded <M> module < > │
│ ┌─────────────────────────────────────────────────────────────────────┐ │
│ │ -*- Enable access key retention support │ │
│ │ [*] Enable the /proc/keys file by which keys may be viewed │ │
│ │ [*] Enable different security models │ │
│ │ [ ] Enable the securityfs filesystem │ │
│ │ [*] Socket and Networking Security Hooks │ │
│ │ [ ] XFRM (IPSec) Networking Security Hooks │ │
│ │ [ ] Security hooks for pathname based access control │ │
│ │ [ ] Enable Intel(R) Trusted Execution Technology (Intel(R) TXT) │ │
│ │ [ ] NSA SELinux Support │ │
│ │ [ ] Simplified Mandatory Access Control Kernel Support │ │
│ │ [ ] TOMOYO Linux Support │ │
│ │ [ ] AppArmor support (NEW) │ │
│ │ [ ] Integrity Measurement Architecture(IMA) │ │
│ │ Default security module (Unix Discretionary Access Controls) │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ └─────────────────────────────────────────────────────────────────────┘ │
├─────────────────────────────────────────────────────────────────────────┤
│ <Select> < Exit > < Help > │
└─────────────────────────────────────────────────────────────────────────┘
On Wed, Dec 08, 2010 at 11:37:28PM -0500, Anthony G. Basile wrote:
> Hi everyone,
>
> I need to fast track stabilize hardened-sources-2.6.32-r30 and
> hardened-sources-2.6.36-r5 because of a local root exploit on all
> earlier kernels. The ebuilds just hit the tree.
>
> Can I get feedback on how those kernels fare on x86 and amd64 arches? I
> don't want to introduce new bugs that can be avoided. I hope to mark
> them stable in about one week.
>
> Thanks.
>
> --
> Anthony G. Basile, Ph.D.
> Gentoo Developer
* Re: [gentoo-hardened] Testing needed
From: dev-random @ 2010-12-09 7:03 UTC
To: gentoo-hardened
Upd: all the hardened stuff seems to be commented out in ebuild!
* Re: [gentoo-hardened] Testing needed
From: klondike @ 2010-12-09 8:18 UTC
To: gentoo-hardened
On 09/12/10 08:03, dev-random@mail.ru wrote:
> Upd: all the hardened stuff seems to be commented out in ebuild!
>
>
Same here, I'll try to post a new ebuild so we can do the trial with
proper instructions on how to run it :D
* Re: [gentoo-hardened] Testing needed
From: Tom Hendrikx @ 2010-12-09 8:33 UTC
To: gentoo-hardened
On 09/12/10 07:57, dev-random@mail.ru wrote:
>
> o_O I don't see grsecurity there! Am I blind?
>
Hi,
Confirmed for both kernel versions (on both arches).
--
Regards,
Tom
* Re: [gentoo-hardened] Testing needed
From: klondike @ 2010-12-09 8:36 UTC
To: gentoo-hardened
On 09/12/10 09:33, Tom Hendrikx wrote:
> On 09/12/10 07:57, dev-random@mail.ru wrote:
>> o_O I don't see grsecurity there! Am I blind?
>>
> Hi,
>
> Confirmed for both kernel versions (on both arches).
>
2.6.32 too? OMFG!
Ok I opened bug #348238 to track the issue and will have working ebuilds
for 2.6.36 in half an hour tops, for 2.6.32 will take a bit more time.
* Re: [gentoo-hardened] Testing needed
From: klondike @ 2010-12-09 9:19 UTC
To: gentoo-hardened
Ok, here is a small overlay to fix the trouble; at least for me it added grsec
and compiled, I couldn't try booting yet. It also blocks the bad kernels :D
Please remove it when bug 348238 is fixed. I'll announce it in this thread
anyway.
To make it run:
Extract it anywhere, I use /usr/local/portage/local-portage/:
    mkdir -p /usr/local/portage/local-portage/
    tar -xvzf fix_kernels.tgz -C /usr/local/portage/local-portage/
Add to your /etc/make.conf:
    PORTDIR_OVERLAY="/usr/local/portage/local-portage/"
PS: I know I may not be following all the ebuild guidelines in the
overlay, sorry about that QA, I'm still learning and this is urgent.
[-- Attachment #1.2: fix_kernels.tgz --]
[-- Type: application/x-gtar, Size: 20140 bytes --]
* Re: [gentoo-hardened] Testing needed
From: Anthony G. Basile @ 2010-12-09 11:15 UTC
To: gentoo-hardened
On 12/09/2010 02:03 AM, dev-random@mail.ru wrote:
>
> Upd: all the hardened stuff seems to be commented out in ebuild!
>
I just fixed it in the tree. Please resync in a few hours and test again.
--
Anthony G. Basile, Ph.D.
Gentoo Developer
* Re: [gentoo-hardened] Testing needed
From: Alex Efros @ 2010-12-09 14:27 UTC
To: gentoo-hardened
Hi!
On Wed, Dec 08, 2010 at 11:37:28PM -0500, Anthony G. Basile wrote:
> I need to fast track stabilize hardened-sources-2.6.32-r30 and
> hardened-sources-2.6.36-r5 because of a local root exploit on all
> earlier kernels. The ebuilds just hit the tree.
While trying to build hardened-sources-2.6.36-r5 I noticed it breaks
compatibility with:
app-emulation/virtualbox-modules-3.1.8
app-emulation/vmware-modules-235
x11-drivers/nvidia-drivers-195.36.31
All fail with similar errors related to 'ioctl' field like this one:
vmmon-only/linux/driver.c:422: error:
‘struct file_operations’ does not contain element ‘ioctl’
So, probably some other versions of these packages have to be stabilized
together with the .36 kernel. Keeping in mind there is no stable .36 in
vanilla-sources or gentoo-sources yet…
--
WBR, Alex.
* Re: [gentoo-hardened] Testing needed
From: klondike @ 2010-12-09 15:53 UTC
To: gentoo-hardened
On 09/12/10 05:37, Anthony G. Basile wrote:
> Hi everyone,
>
> I need to fast track stabilize hardened-sources-2.6.32-r30 and
> hardened-sources-2.6.36-r5 because of a local root exploit on all
> earlier kernels. The ebuilds just hit the tree.
>
> Can I get feedback on how those kernels fare on x86 and amd64 arches? I
> don't want to introduce new bugs that can be avoided. I hope to mark
> them stable in about one week.
>
> Thanks
Well for the record, the bug #348238 has been closed and the changes
corrected and propagated, all those of you using the micro overlay to
solve the problem should delete it and fall back to the 2.6.36-r5 and
2.6.32-r30 kernels (after checking they apply the grsec patches).
Thanks for your understanding.
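Added example (not part of the original thread): one way to do the check klondike mentions above, "after checking they apply the grsec patches", before building from a hardened-sources tree. It assumes the grsecurity patch layout (a top-level grsecurity/Kconfig sourced from security/Kconfig) and the CONFIG_GRKERNSEC and CONFIG_PAX option names; the function name and exit codes are illustrative.

```sh
#!/bin/sh
# Added example, not from the thread. Assumed layout of a grsecurity-patched
# tree: top-level grsecurity/Kconfig, sourced from security/Kconfig.
# Exit status: 0 = patched (and enabled, if a .config exists),
#              1 = grsecurity patch not applied,
#              2 = patch applied but not enabled in .config.
check_grsec_tree() {
    tree=$1
    rc=0

    # The patch adds this directory; an unpatched tree does not have it.
    if [ ! -f "$tree/grsecurity/Kconfig" ]; then
        echo "FAIL: $tree/grsecurity/Kconfig is missing"
        rc=1
    fi

    # Without this line menuconfig shows only the stock "Security options".
    if ! grep -qs 'grsecurity/Kconfig' "$tree/security/Kconfig"; then
        echo "FAIL: $tree/security/Kconfig does not source grsecurity/Kconfig"
        rc=1
    fi

    # A patched tree can still be configured with the features switched off.
    if [ "$rc" -eq 0 ] && [ -f "$tree/.config" ]; then
        for opt in CONFIG_GRKERNSEC CONFIG_PAX; do
            if ! grep -q "^$opt=y" "$tree/.config"; then
                echo "WARN: $opt is not set to y in $tree/.config"
                rc=2
            fi
        done
    fi

    if [ "$rc" -eq 0 ]; then
        echo "OK: $tree carries grsecurity"
    fi
    return "$rc"
}

# Stand-alone use: sh check_grsec_tree.sh /usr/src/linux
if [ "$#" -gt 0 ]; then
    check_grsec_tree "$1"
fi
```
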
* Re: [gentoo-hardened] Testing needed
From: klondike @ 2010-12-09 17:46 UTC
To: gentoo-hardened
On 09/12/10 05:37, Anthony G. Basile wrote:
> Can I get feedback on how those kernels fare on x86 and amd64 arches? I
> don't want to introduce new bugs that can be avoided. I hope to mark
> them stable in about one week.
Both 2.6.32-r30 and 2.6.36-r5 compile, boot and seem to run on my AMD64.
I'll keep testing 2.6.36-r5 and report if issues appear :D
PS: Again, no more stressful mornings please :P
* Re: [gentoo-hardened] Testing needed
From: Alex Efros @ 2010-12-09 20:20 UTC
To: gentoo-hardened
Hi!
I've successfully compiled and booted 2.6.36-hardened-r5 on X86 with this
in /etc/portage/package.keywords:
=app-emulation/vmware-modules-238.3
=app-emulation/vmware-workstation-7.1.3.324285
=x11-libs/libview-0.6.6
=x11-drivers/nvidia-drivers-260.19.26
=media-video/nvidia-settings-256.52
Everything works fine, but I notice new errors (probably harmless) in
kernel log on each VMware guest OS start:
2010-12-09_20:06:42.20788 kern.alert: grsec: Illegal instruction occurred at 08151ab6 in /opt/vmware/lib/vmware/bin/vmware-vmx[vmware-vmx:8858] uid/euid:1000/1000 gid/egid:100/100, parent /sbin/runit[runit:1] uid/euid:0/0 gid/egid:0/0
2010-12-09_20:06:42.20792 kern.alert: grsec: Segmentation fault occurred at (nil) in /opt/vmware/lib/vmware/bin/vmware-vmx[vmware-vmx:8858] uid/euid:1000/1000 gid/egid:100/100, parent /sbin/runit[runit:1] uid/euid:0/0 gid/egid:0/0
2010-12-09_20:06:42.20793 kern.debug: /dev/vmmon[8858]: PTSC: initialized at 2400008000 Hz using TSC
--
WBR, Alex.
* Re: [gentoo-hardened] Testing needed
From: Tom Hendrikx @ 2010-12-21 10:59 UTC
To: gentoo-hardened
On 09/12/10 12:15, Anthony G. Basile wrote:
> On 12/09/2010 02:03 AM, dev-random@mail.ru wrote:
>>
>> Upd: all the hardened stuff seems to be commented out in ebuild!
>>
>
> I just fixed it in the tree. Please resync in a few hours and test again.
>
I have both kernels running since previous weekend (so 9+ days) without
any issues.
--
Regards,
Tom
* Re: [gentoo-hardened] Testing needed
From: Anthony G. Basile @ 2010-12-21 19:34 UTC
To: gentoo-hardened
On 12/21/2010 05:59 AM, Tom Hendrikx wrote:
> On 09/12/10 12:15, Anthony G. Basile wrote:
>> On 12/09/2010 02:03 AM, dev-random@mail.ru wrote:
>>>
>>> Upd: all the hardened stuff seems to be commented out in ebuild!
>>>
>>
>> I just fixed it in the tree. Please resync in a few hours and test again.
>>
>
> I have both kernels running since previous weekend (so 9+ days) without
> any issues.
>
> --
> Regards,
> Tom
>
Thanks, I just stabilized hardened-sources-2.6.32-r31 and
hardened-sources-2.6.36-r6 which are almost identical to the ones tested.
--
Anthony G. Basile, Ph.D.
Gentoo Developer