* [gentoo-hardened] Proposed changes to predefined Hardened Gentoo WORKSTATION and SERVER settings
From: Anthony G. Basile @ 2011-01-25 12:26 UTC
To: gentoo-hardened
Hi hardened users,

Currently, when configuring the hardened kernel, the user is presented
with some predefined Security Levels. (Security options -> Grsecurity
-> Security Level). Four of these are set by Gentoo

Hardened Gentoo [server]
Hardened Gentoo [server no rbac]
Hardened Gentoo [workstation]
Hardened Gentoo [workstation no rbac]

These are defined so as to maximize security while minimizing breakage
with Gentoo software. I'm proposing to change this to

Hardened Gentoo [server]
Hardened Gentoo [workstation or virtualization host]

One change will be to remove the "no rbac" option which is easily turned
on/off at Security options -> Grsecurity -> Role Based Access Control
Options -> Disable RBAC system. The default will be on (i.e. do not
disable rbac). Even if the user doesn't want to use RBAC and still
enables it, there is no harm done since RBAC will simply be available but not
used unless turned on by gradm.

The other change will be to add a "virtualization host" option.
Currently these settings are identical to the workstation and so are
coalesced, but may change. I am trying to make the hardened kernel
compatible with VirtualBox and kvm, but there are some security settings
which will most likely *always* break virtualization and will need to be
turned off.

This is work in progress and testing is appreciated. The ebuilds are on
my overlay.
--
Anthony G. Basile, Ph.D.
Gentoo Developer
* Re: [gentoo-hardened] Proposed changes to predefined Hardened Gentoo WORKSTATION and SERVER settings
From: Thomas Sachau @ 2011-01-25 14:19 UTC
To: gentoo-hardened
On 25.01.2011 13:26, Anthony G. Basile wrote:
> Hi hardened users,
>
> Currently, when configuring the hardened kernel, the user is presented
> with some predefined Security Levels. (Security options -> Grsecurity
> -> Security Level). Four of these are set by Gentoo
>
> Hardened Gentoo [server]
> Hardened Gentoo [server no rbac]
> Hardened Gentoo [workstation]
> Hardened Gentoo [workstation no rbac]
>
> These are defined so as to maximize security while minimizing breakage
> with Gentoo software. I'm proposing to change this to
>
> Hardened Gentoo [server]
> Hardened Gentoo [workstation or virtualization host]
>
> One change will be to remove the "no rbac" option which is easily turned
> on/off at Security options -> Grsecurity -> Role Based Access Control
> Options -> Disable RBAC system. The default will be on (i.e. do not
> disable rbac). Even if the user doesn't want to use RBAC and still
> enables it, there is no harm done since RBAC will simply be available but not
> used unless turned on by gradm.
>
> The other change will be to add a "virtualization host" option.
> Currently these settings are identical to the workstation and so are
> coalesced, but may change. I am trying to make the hardened kernel
> compatible with VirtualBox and kvm, but there are some security settings
> which will most likely *always* break virtualization and will need to be
> turned off.
>
> This is work in progress and testing is appreciated. The ebuilds are on
> my overlay.
>
>
My suggestion, as talked about in IRC:

server profile with UDEREF and KERNEXEC forced on
workstation profile with UDEREF and KERNEXEC default enabled
virtualization profile with UDEREF and KERNEXEC default disabled

While virtualbox and kvm currently have issues with both options, this may change in the future. To
be able to easily test it, those options should not be forced off, but default disabled.

Since most other apps for workstations should work with both options, they should be default
enabled. Since there might be some special issue with some specific desktop app, it should be possible
to disable those options, so not forced on for them.
--
Thomas Sachau
Gentoo Linux Developer
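
The per-profile policy suggested in this message, together with the RBAC default from the original proposal, as an added example that is not part of the thread or of the Gentoo ebuilds: a script that audits a kernel `.config` against the three profiles. The symbol names `CONFIG_PAX_KERNEXEC`, `CONFIG_PAX_MEMORY_UDEREF` and `CONFIG_GRKERNSEC_NO_RBAC` and the function names are assumptions not named in the thread; because a finished `.config` cannot show whether an option was forced or only defaulted, only the server profile is treated as a hard failure.

```shell
#!/bin/sh
# Added example. Symbol names are assumptions taken from the grsecurity/PaX
# patch set; the thread itself only says UDEREF, KERNEXEC and "Disable RBAC".

# opt_state FILE SYMBOL: print "y" if SYMBOL=y is set in FILE, else "n".
opt_state() {
    if grep -q "^$2=y\$" "$1"; then echo y; else echo n; fi
}

# audit_profile PROFILE FILE
# Prints one finding per line. Returns 0 when the config is acceptable for the
# profile, 1 on a hard violation, 2 on an unknown profile or unreadable file.
audit_profile() {
    profile=$1; cfg=$2; rc=0
    [ -r "$cfg" ] || { echo "cannot read $cfg"; return 2; }
    for sym in CONFIG_PAX_KERNEXEC CONFIG_PAX_MEMORY_UDEREF; do
        case "$profile:$(opt_state "$cfg" "$sym")" in
            server:n)         echo "FAIL $sym must be on for server"; rc=1 ;;
            workstation:n)    echo "WARN $sym off, profile default is on" ;;
            virtualization:y) echo "NOTE $sym on, profile default is off" ;;
            server:y|workstation:y|virtualization:n) ;;
            *) echo "unknown profile: $profile"; return 2 ;;
        esac
    done
    # Every profile in the proposal leaves RBAC available.
    if [ "$(opt_state "$cfg" CONFIG_GRKERNSEC_NO_RBAC)" = y ]; then
        echo "FAIL CONFIG_GRKERNSEC_NO_RBAC=y disables RBAC"; rc=1
    fi
    return "$rc"
}

# Constructed sample .config fragment (not from a real system).
sample=$(mktemp)
cat > "$sample" <<'EOF'
CONFIG_PAX_KERNEXEC=y
# CONFIG_PAX_MEMORY_UDEREF is not set
# CONFIG_GRKERNSEC_NO_RBAC is not set
EOF
for p in server workstation virtualization; do
    echo "== $p"
    audit_profile "$p" "$sample" || true
done
rm -f "$sample"
```
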
* Re: [gentoo-hardened] Proposed changes to predefined Hardened Gentoo WORKSTATION and SERVER settings
From: Pavel Labushev @ 2011-01-25 15:14 UTC
To: gentoo-hardened
25.01.2011 21:19, Thomas Sachau wrote:
> virtualization profile with UDEREF and KERNEXEC default disabled
KVM works fine on x86 with both UDEREF and KERNEXEC enabled, and I've been
explicitly told by some people that they run a KVM host with KERNEXEC enabled
on x86_64 without any slowdown. Seems like issues are CPU arch/vendor
dependent here.
* Re: [gentoo-hardened] Proposed changes to predefined Hardened Gentoo WORKSTATION and SERVER settings
From: Pavel Labushev @ 2011-01-25 15:16 UTC
To: gentoo-hardened
25.01.2011 22:14, Pavel Labushev wrote:
> KVM works fine on x86 with both UDEREF and KERNEXEC enabled, and I've been
Forgot to add: on AMD CPUs. I didn't test Intel's.
* Re: [gentoo-hardened] Proposed changes to predefined Hardened Gentoo WORKSTATION and SERVER settings
From: Marcel Meyer @ 2011-01-25 16:20 UTC
To: gentoo-hardened
Hi!
On Tuesday 25 January 2011 15:19:55 Thomas Sachau wrote:
> On 25.01.2011 13:26, Anthony G. Basile wrote:
> server profile with UDEREF and KERNEXEC forced on
> workstation profile with UDEREF and KERNEXEC default enabled
> virtualization profile with UDEREF and KERNEXEC default disabled
>
> While virtualbox and kvm currently have issues with both options, this may
> change in the future. To be able to easily test it, those options should
> not be forced off, but default disabled.
Is this also true for XEN-based PV hosts?
Thanks,
Marcel
* Re: [gentoo-hardened] Proposed changes to predefined Hardened Gentoo WORKSTATION and SERVER settings
From: Nao Nakashima @ 2011-01-31 6:55 UTC
To: gentoo-hardened
On Tue, Jan 25, 2011 at 9:20 PM, Marcel Meyer <meyerm@fs.tum.de> wrote:
> Is this also true for XEN-based PV hosts?
Here is the link to the related bug:
http://bugs.gentoo.org/show_bug.cgi?id=279795
I have a XEN VPS with hardened gentoo. Kernel doesn't boot with
KERNEXEC enabled.
* Re: [gentoo-hardened] Proposed changes to predefined Hardened Gentoo WORKSTATION and SERVER settings
From: Anthony G. Basile @ 2011-02-21 18:20 UTC
To: gentoo-hardened
On 01/25/2011 09:19 AM, Thomas Sachau wrote:
> On 25.01.2011 13:26, Anthony G. Basile wrote:
>> Hi hardened users,
>>
>> Currently, when configuring the hardened kernel, the user is presented
>> with some predefined Security Levels. (Security options -> Grsecurity
>> -> Security Level). Four of these are set by Gentoo
>>
>> Hardened Gentoo [server]
>> Hardened Gentoo [server no rbac]
>> Hardened Gentoo [workstation]
>> Hardened Gentoo [workstation no rbac]
>>
>> These are defined so as to maximize security while minimizing breakage
>> with Gentoo software. I'm proposing to change this to
>>
>> Hardened Gentoo [server]
>> Hardened Gentoo [workstation or virtualization host]
>>
>> One change will be to remove the "no rbac" option which is easily turned
>> on/off at Security options -> Grsecurity -> Role Based Access Control
>> Options -> Disable RBAC system. The default will be on (i.e. do not
>> disable rbac). Even if the user doesn't want to use RBAC and still
>> enables it, there is no harm done since RBAC will simply be available but not
>> used unless turned on by gradm.
>>
>> The other change will be to add a "virtualization host" option.
>> Currently these settings are identical to the workstation and so are
>> coalesced, but may change. I am trying to make the hardened kernel
>> compatible with VirtualBox and kvm, but there are some security settings
>> which will most likely *always* break virtualization and will need to be
>> turned off.
>>
>> This is work in progress and testing is appreciated. The ebuilds are on
>> my overlay.
>>
>>
>
> My suggestion, as talked about in IRC:
>
> server profile with UDEREF and KERNEXEC forced on
> workstation profile with UDEREF and KERNEXEC default enabled
> virtualization profile with UDEREF and KERNEXEC default disabled
>
> While virtualbox and kvm currently have issues with both options, this may change in the future. To
> be able to easily test it, those options should not be forced off, but default disabled.
>
> Since most other apps for workstations should work with both options, they should be default
> enabled. Since there might be some special issue with some specific desktop app, it should be possible
> to disable those options, so not forced on for them.
>
Hi everyone, it's been a while since I visited this issue, but I've
finally made the change. It's still experimental, but preliminary
testing shows that nothing is broken. Hopefully it will also be useful.

Currently, the following ebuilds have the same codebase

hardened-sources-2.6.37-r2 <-> hardened-sources-2.6.37-r3
hardened-sources-2.6.32-r37 <-> hardened-sources-2.6.32-r38

The only difference is the higher rev number has the new predefined
GRSEC/PaX settings.

Please test and let me know.
--
Anthony G. Basile, Ph.D.
Gentoo Developer