Gentoo Forums
hardened + ck patchsets = ?
Forum: Kernel & Hardware
Veldrin
Veteran
Joined: 27 Jul 2004
Posts: 1942
Location: Zurich, Switzerland
Posted: Mon Jan 14, 2013 2:47 pm    Post subject: hardened + ck patchsets = ?

Dear All,

I recently came up with the 'stupid' idea of combining the hardened patchset (as available via portage) with the ck patchset (taken from Con Kolivas' page).
As both sets patch the same parts of the kernel source, a little handiwork is necessary to get all patches to apply cleanly.
(No, there is no ebuild available.)

I haven't done any benchmark tests, but IMO the kernel feels faster and more responsive than a plain hardened kernel.


How bad is that combination?
ck focuses on interactivity, while hardened focuses on security: do they work well together, or am I trying to move in opposite directions?


This is not a support question, but I'd like to hear some additional opinions.


V.
_________________
read the portage output!
If my answer is too concise, ask for an explanation.
PaulBredbury
Watchman
Joined: 14 Jul 2005
Posts: 7310
Posted: Mon Jan 14, 2013 2:58 pm    Post subject: Re: hardened + ck patchsets = ?

Veldrin wrote:
opinions

I would call "hardened" overkill. I chose AppArmor instead.
aCOSwt
Moderator
Joined: 19 Oct 2007
Posts: 2537
Location: Hilbert space
Posted: Mon Jan 14, 2013 3:02 pm

Hmmm... the idea is not stupid... a priori!
blueness also played that sort of game some time ago: http://archives.gentoo.org/gentoo-hardened/msg_925f75467534309229c3921d6963837b.xml
Might be interesting to ask him why he stopped immediately after his first try though.

EDIT : Oh, BTW, I, personally would have done things just... the other way round. :twisted:
Veldrin
Veteran
Joined: 27 Jul 2004
Posts: 1942
Location: Zurich, Switzerland
Posted: Mon Jan 14, 2013 4:23 pm

Quote:
I would call "hardened" overkill. I chose AppArmor instead.

I thought AppArmor was to protect 'server' services, and not for desktop/notebook environments.
I did not mention it, but I run that kernel on my desktop and notebook. I do not see any advantage in running it on my server.

On the other hand, I mainly/only use the PaX part of hardened. I gave grsec a few tries, but it would never work. I guess I have not tried hard enough.

How well is AppArmor supported/developed nowadays?
The last time I checked (a few months back) it seemed rather quiet, if not already dead.

OTOH, pax/grsec is also in maintenance only mode.

Quote:
EDIT : Oh, BTW, I, personally would have done things just... the other way round. :twisted:

What do you mean by the other way around? Started with CK-Sources and applied hardened on top?


If I find some time, I might poke blueness about it. From the post, it seems that he wanted to add BFS-only (and not the entire patchset), but exactly the BFS part is troublesome.
_________________
read the portage output!
If my answer is too concise, ask for an explanation.
PaulBredbury
Watchman
Joined: 14 Jul 2005
Posts: 7310
Posted: Mon Jan 14, 2013 5:15 pm

Veldrin wrote:
not for desktop/notebook environments

Lolwut? :lol: AppArmor is installed and active by default in Ubuntu (including protection for java in firefox), and I think in Opensuse also. Most Ubuntu users probably don't even notice it.

Setting up custom, tight profiles for e.g. firefox and evolution gives me a warm fuzzy feeling of protectedness. Especially with the recent java exploit.
init_6
Apprentice
Joined: 22 Jun 2008
Posts: 166
Posted: Mon Jan 14, 2013 5:26 pm

Quote:
no, there is no ebuild available


sys-kernel/geek-sources includes not only ck, but also the grsecurity/hardened patchset… And there is a wiki.
init_6
Apprentice
Joined: 22 Jun 2008
Posts: 166
Posted: Mon Jan 14, 2013 5:37 pm

…unfortunately, the latest 4420_grsecurity-2.9.1-3.7.1-201301041854.patch does not apply normally to 3.7.2

and vanilla ck & grsecurity can also conflict
Veldrin
Veteran
Joined: 27 Jul 2004
Posts: 1942
Location: Zurich, Switzerland
Posted: Tue Jan 15, 2013 8:52 am

PaulBredbury wrote:
Veldrin wrote:
not for desktop/notebook environments

Lolwut? :lol: AppArmor is installed and active by default in Ubuntu (including protection for java in firefox), and I think in Opensuse also. Most Ubuntu users probably don't even notice it.

Setting up custom, tight profiles for e.g. firefox and evolution gives me a warm fuzzy feeling of protectedness. Especially with the recent java exploit.
I take everything back, and state the opposite.
Is there any good documentation on how to configure that java protection on firefox? Or some other 'Office Applications' if applicable/usable?


@init_6: I forgot about the custom patchsets. Although I do not like heavily patched kernel sources (IMO/IME they tend to be unstable), the geek-sources look intriguing.

V.
_________________
read the portage output!
If my answer is too concise, ask for an explanation.
init_6
Apprentice
Joined: 22 Jun 2008
Posts: 166
Posted: Tue Jan 15, 2013 11:07 am

Veldrin wrote:
@init_6: I forgot about the custom patchsets. Although I do not like heavily patched kernel sources (IMO/IME they tend to be unstable), the geek-sources look intriguing.


I played a little with 3.7.1… so

Code:
# set grsecurity first in order
> echo 'GEEKSOURCES_PATCHING_ORDER="grsecurity vserver bfq ck genpatches ice imq reiser4 rifs rt bld uksm aufs mageia fedora suse debian pardus pld zfs branding fix zen upatch"' > /etc/portage/kernel.conf


1) GrSecurity+bfq
Code:
> USE="bfq grsecurity" ebuild geek-sources-3.7.1.ebuild compile
 * linux-3.7.tar.xz SHA256 SHA512 WHIRLPOOL size ;-) ...                                                               [ ok ]
 * patch-3.7.1.xz SHA256 SHA512 WHIRLPOOL size ;-) ...                                                                 [ ok ]
>>> Unpacking source...
 * Extract the sources ...                                                                                             [ ok ]

 * Update to latest upstream ...
 * Applying patch-3.7.1.xz ...                                                                                         [ ok ]
>>> Source unpacked in /var/tmp/portage/sys-kernel/geek-sources-3.7.1/work
>>> Preparing source in /var/tmp/portage/sys-kernel/geek-sources-3.7.1/work/linux-3.7.1-geek ...
 * Use GEEKSOURCES_PATCHING_ORDER="grsecurity vserver bfq ck genpatches ice imq reiser4 rifs rt bld uksm aufs mageia fedora suse debian pardus pld zfs branding fix zen upatch" from /etc/portage/kernel.conf

 Generated by patch_maker.sh script v-0.5
 Grabbed on 2013-01-15 12:06:54 EET
 url: git://git.overlays.gentoo.org/proj/hardened-patchset.git
 local branch: master
 tracking branch: refs/heads/master
 tracking remote: origin

 * GrSecurity patches - http://grsecurity.net http://www.gentoo.org/proj/en/hardened
 * Applying 4420_grsecurity-2.9.1-3.7.1-201301041854.patch ...                                                         [ ok ]
 * Applying 4425_grsec_remove_EI_PAX.patch ...                                                                         [ ok ]
 * Applying 4430_grsec-remove-localversion-grsec.patch ...
 * Skipping empty patch --> 4430_grsec-remove-localversion-grsec.patch                                                 [ ok ]
 * Applying 4435_grsec-mute-warnings.patch ...                                                                         [ ok ]
 * Applying 4440_grsec-remove-protected-paths.patch ...                                                                [ ok ]
 * Applying 4450_grsec-kconfig-default-gids.patch ...                                                                  [ ok ]
 * Applying 4465_selinux-avc_audit-log-curr_ip.patch ...                                                               [ ok ]
 * Applying 4470_disable-compat_vdso.patch ...                                                                         [ ok ]

 Generated by patch_maker.sh script v-0.5
 Grabbed on 2013-01-09 10:58:53 EET
 From: http://algo.ing.unimo.it/people/paolo/disk_sched/patches/3.7.0-v5r1

 * Budget Fair Queueing Budget I/O Scheduler - http://algo.ing.unimo.it/people/paolo/disk_sched/
 * Applying 0001-block-cgroups-kconfig-build-bits-for-BFQ-v5r1-3.7.patch ...                                           [ ok ]
 * Applying 0002-block-introduce-the-BFQ-v5r1-I-O-sched-for-3.7.patch ...                                              [ ok ]

acpi-ec-add-delay-before-write.patch Oops: ACPI: EC: input buffer is not empty, aborting transaction - 2.6.32 regression https://bugzilla.kernel.org/show_bug.cgi?id=14733#c41
nouveau_therm_alarms-3.7.patch thx ROKO__! from https://gitorious.org/linux-nouveau-pm/linux-nouveau-pm/commits/thermal
3.7.0-Fix-DVB-ioctls-failing-if-frontend-open-closed-too-fast.patch fix dvb issues see: http://forum.manjaro.org/index.php?topic=1108.0
3.7.0-fat.patch fix cosmetic fat issue https://bugs.archlinux.org/task/32916
3.7.1-watchdog-fix-disable-enable-regression.patch fix watchdog enable/disable regression https://bugs.archlinux.org/task/33095
kernel-37-gcc47-1.patch.gz Patch source to enable more gcc CPU optimizatons via the make nconfig http://repo-ck.com/source/gcc_patch/kernel-37-gcc47-1.patch.gz

 * Fixes for current kernel
 * Applying acpi-ec-add-delay-before-write.patch ...                                                                   [ ok ]
 * Applying nouveau_therm_alarms-3.7.patch ...                                                                         [ ok ]
 * Applying 3.7.0-fat.patch ...                                                                                        [ ok ]
 * Applying 3.7.0-Fix-DVB-ioctls-failing-if-frontend-open-closed-too-fast.patch ...                                    [ ok ]
 * Applying 3.7.1-watchdog-fix-disable-enable-regression.patch ...                                                     [ ok ]
 * Applying kernel-37-gcc47-1.patch.gz ...
 * Skipping patch --> kernel-37-gcc47-1.patch.gz                                                                       [ ok ]
 * Set extraversion in Makefile
 * Copy current config from /proc
 * Cleanup backups after patching
 * Compile gen_init_cpio
make: Entering directory `/var/tmp/portage/sys-kernel/geek-sources-3.7.1/work/linux-3.7.1-geek/usr'
cc -march=core2 -O2 -ftree-vectorize -pipe -mstackrealign --param l1-cache-size=32 --param l1-cache-line-size=64 --param l2-cache-size=1024 -mssse3 -mfpmath=sse,387 -mtune=generic -falign-functions=4 -fforce-addr -floop-block -floop-interchange -floop-strip-mine -fno-ident -fomit-frame-pointer -ftracer -ftree-loop-distribution -fweb -march=core2 -O2 -ftree-vectorize -pipe -mstackrealign --param l1-cache-size=32 --param l1-cache-line-size=64 --param l2-cache-size=1024 -mssse3 -mfpmath=sse,387 -mtune=generic -falign-functions=4 -fforce-addr -floop-block -floop-interchange -floop-strip-mine -fno-ident -fomit-frame-pointer -ftracer -ftree-loop-distribution -fweb -Wl,-O1 -Wl,--as-needed -Wl,--warn-once -Wl,--hash-style=gnu  gen_init_cpio.c   -o gen_init_cpio
make: Leaving directory `/var/tmp/portage/sys-kernel/geek-sources-3.7.1/work/linux-3.7.1-geek/usr'
 * kernel: >> Running oldconfig... ...                                                                                 [ ok ]
 * kernel: >> Running modules_prepare... ...                                                                           [ ok ]

 * Live long and prosper.

>>> Source prepared.
>>> Configuring source in /var/tmp/portage/sys-kernel/geek-sources-3.7.1/work/linux-3.7.1-geek ...
>>> Source configured.
>>> Compiling source in /var/tmp/portage/sys-kernel/geek-sources-3.7.1/work/linux-3.7.1-geek ...
>>> Source compiled.


2) GrSecurity+ck
Code:
> USE="ck grsecurity" ebuild geek-sources-3.7.1.ebuild compile
 * linux-3.7.tar.xz SHA256 SHA512 WHIRLPOOL size ;-) ...                                                               [ ok ]
 * patch-3.7.1.xz SHA256 SHA512 WHIRLPOOL size ;-) ...                                                                 [ ok ]
 * patch-3.7-ck1.lrz SHA256 SHA512 WHIRLPOOL size ;-) ...                                                              [ ok ]
>>> Unpacking source...
 * Extract the sources ...                                                                                             [ ok ]

 * Update to latest upstream ...
 * Applying patch-3.7.1.xz ...                                                                                         [ ok ]
>>> Source unpacked in /var/tmp/portage/sys-kernel/geek-sources-3.7.1/work
>>> Preparing source in /var/tmp/portage/sys-kernel/geek-sources-3.7.1/work/linux-3.7.1-geek ...
 * Use GEEKSOURCES_PATCHING_ORDER="grsecurity vserver bfq ck genpatches ice imq reiser4 rifs rt bld uksm aufs mageia fedora suse debian pardus pld zfs branding fix zen upatch" from /etc/portage/kernel.conf

 Generated by patch_maker.sh script v-0.5
 Grabbed on 2013-01-15 12:06:54 EET
 url: git://git.overlays.gentoo.org/proj/hardened-patchset.git
 local branch: master
 tracking branch: refs/heads/master
 tracking remote: origin

 * GrSecurity patches - http://grsecurity.net http://www.gentoo.org/proj/en/hardened
 * Applying 4420_grsecurity-2.9.1-3.7.1-201301041854.patch ...                                                         [ ok ]
 * Applying 4425_grsec_remove_EI_PAX.patch ...                                                                         [ ok ]
 * Applying 4430_grsec-remove-localversion-grsec.patch ...
 * Skipping empty patch --> 4430_grsec-remove-localversion-grsec.patch                                                 [ ok ]
 * Applying 4435_grsec-mute-warnings.patch ...                                                                         [ ok ]
 * Applying 4440_grsec-remove-protected-paths.patch ...                                                                [ ok ]
 * Applying 4450_grsec-kconfig-default-gids.patch ...                                                                  [ ok ]
 * Applying 4465_selinux-avc_audit-log-curr_ip.patch ...                                                               [ ok ]
 * Applying 4470_disable-compat_vdso.patch ...                                                                         [ ok ]

 * Con Kolivas high performance patchset - http://users.on.net/~ckolivas/kernel
 * Applying patch-3.7-ck1.lrz ...
 * Skipping patch --> patch-3.7-ck1.lrz                                                                                [ ok ]

acpi-ec-add-delay-before-write.patch Oops: ACPI: EC: input buffer is not empty, aborting transaction - 2.6.32 regression https://bugzilla.kernel.org/show_bug.cgi?id=14733#c41
nouveau_therm_alarms-3.7.patch thx ROKO__! from https://gitorious.org/linux-nouveau-pm/linux-nouveau-pm/commits/thermal
3.7.0-Fix-DVB-ioctls-failing-if-frontend-open-closed-too-fast.patch fix dvb issues see: http://forum.manjaro.org/index.php?topic=1108.0
3.7.0-fat.patch fix cosmetic fat issue https://bugs.archlinux.org/task/32916
3.7.1-watchdog-fix-disable-enable-regression.patch fix watchdog enable/disable regression https://bugs.archlinux.org/task/33095
kernel-37-gcc47-1.patch.gz Patch source to enable more gcc CPU optimizatons via the make nconfig http://repo-ck.com/source/gcc_patch/kernel-37-gcc47-1.patch.gz

 * Fixes for current kernel
 * Applying acpi-ec-add-delay-before-write.patch ...                                                                   [ ok ]
 * Applying nouveau_therm_alarms-3.7.patch ...                                                                         [ ok ]
 * Applying 3.7.0-fat.patch ...                                                                                        [ ok ]
 * Applying 3.7.0-Fix-DVB-ioctls-failing-if-frontend-open-closed-too-fast.patch ...                                    [ ok ]
 * Applying 3.7.1-watchdog-fix-disable-enable-regression.patch ...                                                     [ ok ]
 * Applying kernel-37-gcc47-1.patch.gz ...
 * Skipping patch --> kernel-37-gcc47-1.patch.gz                                                                       [ ok ]
 * Set extraversion in Makefile
 * Copy current config from /proc
 * Cleanup backups after patching
 * Compile gen_init_cpio
make: Entering directory `/var/tmp/portage/sys-kernel/geek-sources-3.7.1/work/linux-3.7.1-geek/usr'
cc -march=core2 -O2 -ftree-vectorize -pipe -mstackrealign --param l1-cache-size=32 --param l1-cache-line-size=64 --param l2-cache-size=1024 -mssse3 -mfpmath=sse,387 -mtune=generic -falign-functions=4 -fforce-addr -floop-block -floop-interchange -floop-strip-mine -fno-ident -fomit-frame-pointer -ftracer -ftree-loop-distribution -fweb -march=core2 -O2 -ftree-vectorize -pipe -mstackrealign --param l1-cache-size=32 --param l1-cache-line-size=64 --param l2-cache-size=1024 -mssse3 -mfpmath=sse,387 -mtune=generic -falign-functions=4 -fforce-addr -floop-block -floop-interchange -floop-strip-mine -fno-ident -fomit-frame-pointer -ftracer -ftree-loop-distribution -fweb -Wl,-O1 -Wl,--as-needed -Wl,--warn-once -Wl,--hash-style=gnu  gen_init_cpio.c   -o gen_init_cpio
make: Leaving directory `/var/tmp/portage/sys-kernel/geek-sources-3.7.1/work/linux-3.7.1-geek/usr'
 * kernel: >> Running oldconfig... ...                                                                                 [ ok ]
 * kernel: >> Running modules_prepare... ...                                                                           [ ok ]

 * Live long and prosper.

>>> Source prepared.
>>> Configuring source in /var/tmp/portage/sys-kernel/geek-sources-3.7.1/work/linux-3.7.1-geek ...
>>> Source configured.
>>> Compiling source in /var/tmp/portage/sys-kernel/geek-sources-3.7.1/work/linux-3.7.1-geek ...
>>> Source compiled.
PaulBredbury
Watchman
Joined: 14 Jul 2005
Posts: 7310
Posted: Tue Jan 15, 2013 11:12 am

After you've installed AppArmor:
Code:
man apparmor.d

And look at all the examples in /etc/apparmor.d/
init_6
Apprentice
Joined: 22 Jun 2008
Posts: 166
Posted: Tue Jan 15, 2013 11:12 am

3) GrSecurity+all
http://pastebin.com/pwDxjNPa

As you can see, GrSecurity is incompatible only with CK and uksm. And I have not tried to build or use it.
Veldrin
Veteran
Joined: 27 Jul 2004
Posts: 1942
Location: Zurich, Switzerland
Posted: Tue Jan 15, 2013 11:33 am

PaulBredbury wrote:
After you've installed AppArmor:
Code:
man apparmor.d

And look at all the examples in /etc/apparmor.d/

I seem to be missing the example profiles.
At least if I emerge apparmor-utils (which pulls in the rest), /etc/apparmor.d is empty.
I unpacked them directly from the tarball, so I can get at least some parts working.

I am lazy, therefore I try to borrow as many parts as possible from apparmor.net and/or Ubuntu.


I am getting the following error on booting a kernel with apparmor enabled (3.7.1 + hardened + ck).
Code:
root@belshirash ~ # aa-status
apparmor module is loaded.
You do not have enough privilege to read the profile set.
root@belshirash security # /etc/init.d/apparmor start
 * Starting apparmor ...
grep: /proc/modules: No such file or directory
 *   apparmor compatibility is not present in the kernel                                                                                   [ !! ]
 * ERROR: apparmor failed to start

To be honest, I have not configured much, so it may be that I have missed some important part. Any hint would be nice.

NB: I am running a complete monolithic kernel - module support has been completely disabled!


@init_6: Thanks again for the brief tests.
I guess I have to add another overlay - *sigh*


V.
_________________
read the portage output!
If my answer is too concise, ask for an explanation.
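The init script failure quoted above comes from grepping /proc/modules, which does not exist on a kernel built without module support. The script below is an added example (not from the thread, not Gentoo's or AppArmor's own script) showing how a check can tell "AppArmor compiled in and enabled" from "securityfs interface missing" using sysfs alone; it assumes the kernel exposes /sys/module/apparmor/parameters/enabled and the securityfs directory /sys/kernel/security/apparmor, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: detect AppArmor without /proc/modules. Built-in LSM code
# still publishes its parameters under /sys/module, and the AppArmor
# interface only appears under securityfs once it is mounted and enabled.
SYSFS_ROOT="${SYSFS_ROOT:-/sys}"

# apparmor_kernel_state ROOT
# Prints enabled|disabled|absent for the sysfs tree rooted at ROOT
# (exit 0, 1 or 2 respectively). ROOT is a parameter so the check can be
# exercised against a constructed tree.
apparmor_kernel_state() {
    root="$1"
    param="$root/module/apparmor/parameters/enabled"
    [ -r "$param" ] || { echo absent; return 2; }
    case "$(cat "$param")" in
        Y) echo enabled;  return 0 ;;
        *) echo disabled; return 1 ;;
    esac
}

# apparmor_securityfs_ready ROOT
# Succeeds when the apparmor directory exists under securityfs; this is
# what aa-status and the profile loader actually need.
apparmor_securityfs_ready() {
    [ -d "$1/kernel/security/apparmor" ]
}

# make_fake_sysfs DIR STATE
# Builds a constructed sysfs tree (for demonstration only) with the
# enabled parameter set to STATE (Y or N).
make_fake_sysfs() {
    dir="$1"; state="$2"
    mkdir -p "$dir/module/apparmor/parameters" "$dir/kernel/security/apparmor"
    printf '%s\n' "$state" > "$dir/module/apparmor/parameters/enabled"
}

# Summarise the running system; failures are reported, not propagated,
# so the functions above can be sourced and reused from an init script.
apparmor_report() {
    state=$(apparmor_kernel_state "$SYSFS_ROOT") || :
    if apparmor_securityfs_ready "$SYSFS_ROOT"; then fs=present; else fs=missing; fi
    echo "apparmor: $state, securityfs interface: $fs"
}

apparmor_report
```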
PaulBredbury
Watchman
Joined: 14 Jul 2005
Posts: 7310
Posted: Tue Jan 15, 2013 11:36 am

When you compile apparmor, use e.g.:
Code:
  pushd . &&
  cd profiles &&
  make &&
  make install &&
  popd


Compile firefox with this patch, so the /usr/lib/ dirname doesn't change.
init_6
Apprentice
Joined: 22 Jun 2008
Posts: 166
Posted: Tue Jan 15, 2013 11:44 am

Veldrin wrote:
@init_6: Thanks again for the brief tests.
I guess I have to add another overlay - *sigh*


If you need GrSecurity with ck, then you have to fix GrSecurity or ck yourself… Other overlays will not help.