Veldrin Veteran
Joined: 27 Jul 2004 Posts: 1945 Location: Zurich, Switzerland
Posted: Mon Jan 14, 2013 2:47 pm Post subject: hardened + ck patchsets = ?
Dear All,
I recently came up with the 'stupid' idea of combining the hardened patchset (as available via portage) with the ck patchset (taken from Con Kolivas' page).
As both sets patch the same part of the kernel source, a little handy work is necessary to get all patches to apply cleanly.
(No, there is no ebuild available.)
I haven't done any benchmark tests, but IMO the kernel feels faster and more responsive than a plain hardened kernel.
How bad is that combination?
ck focuses on interactivity, while hardened focuses on security: do they work well together, or am I trying to move in opposite directions?
This is not a support question, but I'd like to hear some additional opinions.
V.
_________________
read the portage output!
If my answer is too concise, ask for an explanation.
PaulBredbury Watchman
Joined: 14 Jul 2005 Posts: 7310
Posted: Mon Jan 14, 2013 2:58 pm Post subject: Re: hardened + ck patchsets = ?
I would call "hardened" overkill. I chose AppArmor instead.
aCOSwt Bodhisattva
Joined: 19 Oct 2007 Posts: 2537 Location: Hilbert space
Posted: Mon Jan 14, 2013 3:02 pm
Hmmm... the idea is not stupid... a priori!
blueness also played that sort of game some time ago: http://archives.gentoo.org/gentoo-hardened/msg_925f75467534309229c3921d6963837b.xml
Might be interesting to ask him why he stopped immediately after his first try, though.
EDIT: Oh, BTW, I personally would have done things just... the other way round.
Veldrin Veteran
Joined: 27 Jul 2004 Posts: 1945 Location: Zurich, Switzerland
Posted: Mon Jan 14, 2013 4:23 pm
Quote: I would call "hardened" overkill. I chose AppArmor instead.
I thought AppArmor was to protect 'server' services, and not for desktop/notebook environments.
I did not mention it, but I run that kernel on my desktop and notebook. I do not see any advantage in running it on my server.
On the other hand, I mainly/only use the PaX part of hardened. I gave grsec some tries, but it would never work. I guess I have not tried hard enough.
How well is AppArmor supported/developed nowadays?
The last time I checked (a few months back) it seemed rather quiet, if not already dead.
OTOH, PaX/grsec is also in maintenance-only mode.
Quote: EDIT: Oh, BTW, I personally would have done things just... the other way round.
What do you mean by the other way around? Started with ck-sources and applied hardened on top?
If I find some time, I might poke blueness about it. From the post, it seems that he wanted to add BFS only (and not the entire patchset), but exactly the BFS part is troublesome.
V.
_________________
read the portage output!
If my answer is too concise, ask for an explanation.
PaulBredbury Watchman
Joined: 14 Jul 2005 Posts: 7310
Posted: Mon Jan 14, 2013 5:15 pm
Veldrin wrote: not for desktop/notebook environments
Lolwut? AppArmor is installed and active by default in Ubuntu (including protection for Java in Firefox), and I think in openSUSE also. Most Ubuntu users probably don't even notice it.
Setting up custom, tight profiles for e.g. Firefox and Evolution gives me a warm fuzzy feeling of protectedness. Especially with the recent Java exploit.
188562 Apprentice
Joined: 22 Jun 2008 Posts: 186
Posted: Mon Jan 14, 2013 5:37 pm
…unfortunately the last 4420_grsecurity-2.9.1-3.7.1-201301041854.patch does not apply normally to 3.7.2,
and vanilla ck & grsecurity can also conflict.
Veldrin Veteran
Joined: 27 Jul 2004 Posts: 1945 Location: Zurich, Switzerland
Posted: Tue Jan 15, 2013 8:52 am
PaulBredbury wrote: Veldrin wrote: not for desktop/notebook environments
Lolwut? AppArmor is installed and active by default in Ubuntu (including protection for Java in Firefox), and I think in openSUSE also. Most Ubuntu users probably don't even notice it.
Setting up custom, tight profiles for e.g. Firefox and Evolution gives me a warm fuzzy feeling of protectedness. Especially with the recent Java exploit.
I take everything back, and state the opposite.
Is there any good documentation on how to configure that Java protection for Firefox? Or some other 'office applications', if applicable/usable?
@init_6: I forgot about the custom patchsets. Although I do not like heavily patched kernel sources (IMO/IME they tend to be unstable), the geek-sources look intriguing.
V.
_________________
read the portage output!
If my answer is too concise, ask for an explanation.
188562 Apprentice
Joined: 22 Jun 2008 Posts: 186
Posted: Tue Jan 15, 2013 11:07 am
Veldrin wrote: @init_6: I forgot about the custom patchsets. Although I do not like heavily patched kernel sources (IMO/IME they tend to be unstable), the geek-sources look intriguing.
I played a little with 3.7.1… so
Code:
# set grsecurity first in order
> echo 'GEEKSOURCES_PATCHING_ORDER="grsecurity vserver bfq ck genpatches ice imq reiser4 rifs rt bld uksm aufs mageia fedora suse debian pardus pld zfs branding fix zen upatch"' > /etc/portage/kernel.conf
1) GrSecurity+bfq
Code:
> USE="bfq grsecurity" ebuild geek-sources-3.7.1.ebuild compile
* linux-3.7.tar.xz SHA256 SHA512 WHIRLPOOL size ;-) ... [ ok ]
* patch-3.7.1.xz SHA256 SHA512 WHIRLPOOL size ;-) ... [ ok ]
>>> Unpacking source...
* Extract the sources ... [ ok ]
* Update to latest upstream ...
* Applying patch-3.7.1.xz ... [ ok ]
>>> Source unpacked in /var/tmp/portage/sys-kernel/geek-sources-3.7.1/work
>>> Preparing source in /var/tmp/portage/sys-kernel/geek-sources-3.7.1/work/linux-3.7.1-geek ...
* Use GEEKSOURCES_PATCHING_ORDER="grsecurity vserver bfq ck genpatches ice imq reiser4 rifs rt bld uksm aufs mageia fedora suse debian pardus pld zfs branding fix zen upatch" from /etc/portage/kernel.conf
Generated by patch_maker.sh script v-0.5
Grabbed on 2013-01-15 12:06:54 EET
url: git://git.overlays.gentoo.org/proj/hardened-patchset.git
local branch: master
tracking branch: refs/heads/master
tracking remote: origin
* GrSecurity patches - http://grsecurity.net http://www.gentoo.org/proj/en/hardened
* Applying 4420_grsecurity-2.9.1-3.7.1-201301041854.patch ... [ ok ]
* Applying 4425_grsec_remove_EI_PAX.patch ... [ ok ]
* Applying 4430_grsec-remove-localversion-grsec.patch ...
* Skipping empty patch --> 4430_grsec-remove-localversion-grsec.patch [ ok ]
* Applying 4435_grsec-mute-warnings.patch ... [ ok ]
* Applying 4440_grsec-remove-protected-paths.patch ... [ ok ]
* Applying 4450_grsec-kconfig-default-gids.patch ... [ ok ]
* Applying 4465_selinux-avc_audit-log-curr_ip.patch ... [ ok ]
* Applying 4470_disable-compat_vdso.patch ... [ ok ]
Generated by patch_maker.sh script v-0.5
Grabbed on 2013-01-09 10:58:53 EET
From: http://algo.ing.unimo.it/people/paolo/disk_sched/patches/3.7.0-v5r1
* Budget Fair Queueing Budget I/O Scheduler - http://algo.ing.unimo.it/people/paolo/disk_sched/
* Applying 0001-block-cgroups-kconfig-build-bits-for-BFQ-v5r1-3.7.patch ... [ ok ]
* Applying 0002-block-introduce-the-BFQ-v5r1-I-O-sched-for-3.7.patch ... [ ok ]
acpi-ec-add-delay-before-write.patch Oops: ACPI: EC: input buffer is not empty, aborting transaction - 2.6.32 regression https://bugzilla.kernel.org/show_bug.cgi?id=14733#c41
nouveau_therm_alarms-3.7.patch thx ROKO__! from https://gitorious.org/linux-nouveau-pm/linux-nouveau-pm/commits/thermal
3.7.0-Fix-DVB-ioctls-failing-if-frontend-open-closed-too-fast.patch fix dvb issues see: http://forum.manjaro.org/index.php?topic=1108.0
3.7.0-fat.patch fix cosmetic fat issue https://bugs.archlinux.org/task/32916
3.7.1-watchdog-fix-disable-enable-regression.patch fix watchdog enable/disable regression https://bugs.archlinux.org/task/33095
kernel-37-gcc47-1.patch.gz Patch source to enable more gcc CPU optimizatons via the make nconfig http://repo-ck.com/source/gcc_patch/kernel-37-gcc47-1.patch.gz
* Fixes for current kernel
* Applying acpi-ec-add-delay-before-write.patch ... [ ok ]
* Applying nouveau_therm_alarms-3.7.patch ... [ ok ]
* Applying 3.7.0-fat.patch ... [ ok ]
* Applying 3.7.0-Fix-DVB-ioctls-failing-if-frontend-open-closed-too-fast.patch ... [ ok ]
* Applying 3.7.1-watchdog-fix-disable-enable-regression.patch ... [ ok ]
* Applying kernel-37-gcc47-1.patch.gz ...
* Skipping patch --> kernel-37-gcc47-1.patch.gz [ ok ]
* Set extraversion in Makefile
* Copy current config from /proc
* Cleanup backups after patching
* Compile gen_init_cpio
make: Entering directory `/var/tmp/portage/sys-kernel/geek-sources-3.7.1/work/linux-3.7.1-geek/usr'
cc -march=core2 -O2 -ftree-vectorize -pipe -mstackrealign --param l1-cache-size=32 --param l1-cache-line-size=64 --param l2-cache-size=1024 -mssse3 -mfpmath=sse,387 -mtune=generic -falign-functions=4 -fforce-addr -floop-block -floop-interchange -floop-strip-mine -fno-ident -fomit-frame-pointer -ftracer -ftree-loop-distribution -fweb -march=core2 -O2 -ftree-vectorize -pipe -mstackrealign --param l1-cache-size=32 --param l1-cache-line-size=64 --param l2-cache-size=1024 -mssse3 -mfpmath=sse,387 -mtune=generic -falign-functions=4 -fforce-addr -floop-block -floop-interchange -floop-strip-mine -fno-ident -fomit-frame-pointer -ftracer -ftree-loop-distribution -fweb -Wl,-O1 -Wl,--as-needed -Wl,--warn-once -Wl,--hash-style=gnu gen_init_cpio.c -o gen_init_cpio
make: Leaving directory `/var/tmp/portage/sys-kernel/geek-sources-3.7.1/work/linux-3.7.1-geek/usr'
* kernel: >> Running oldconfig... ... [ ok ]
* kernel: >> Running modules_prepare... ... [ ok ]
* Live long and prosper.
>>> Source prepared.
>>> Configuring source in /var/tmp/portage/sys-kernel/geek-sources-3.7.1/work/linux-3.7.1-geek ...
>>> Source configured.
>>> Compiling source in /var/tmp/portage/sys-kernel/geek-sources-3.7.1/work/linux-3.7.1-geek ...
>>> Source compiled.
2) GrSecurity+ck
Code:
> USE="ck grsecurity" ebuild geek-sources-3.7.1.ebuild compile
* linux-3.7.tar.xz SHA256 SHA512 WHIRLPOOL size ;-) ... [ ok ]
* patch-3.7.1.xz SHA256 SHA512 WHIRLPOOL size ;-) ... [ ok ]
* patch-3.7-ck1.lrz SHA256 SHA512 WHIRLPOOL size ;-) ... [ ok ]
>>> Unpacking source...
* Extract the sources ... [ ok ]
* Update to latest upstream ...
* Applying patch-3.7.1.xz ... [ ok ]
>>> Source unpacked in /var/tmp/portage/sys-kernel/geek-sources-3.7.1/work
>>> Preparing source in /var/tmp/portage/sys-kernel/geek-sources-3.7.1/work/linux-3.7.1-geek ...
* Use GEEKSOURCES_PATCHING_ORDER="grsecurity vserver bfq ck genpatches ice imq reiser4 rifs rt bld uksm aufs mageia fedora suse debian pardus pld zfs branding fix zen upatch" from /etc/portage/kernel.conf
Generated by patch_maker.sh script v-0.5
Grabbed on 2013-01-15 12:06:54 EET
url: git://git.overlays.gentoo.org/proj/hardened-patchset.git
local branch: master
tracking branch: refs/heads/master
tracking remote: origin
* GrSecurity patches - http://grsecurity.net http://www.gentoo.org/proj/en/hardened
* Applying 4420_grsecurity-2.9.1-3.7.1-201301041854.patch ... [ ok ]
* Applying 4425_grsec_remove_EI_PAX.patch ... [ ok ]
* Applying 4430_grsec-remove-localversion-grsec.patch ...
* Skipping empty patch --> 4430_grsec-remove-localversion-grsec.patch [ ok ]
* Applying 4435_grsec-mute-warnings.patch ... [ ok ]
* Applying 4440_grsec-remove-protected-paths.patch ... [ ok ]
* Applying 4450_grsec-kconfig-default-gids.patch ... [ ok ]
* Applying 4465_selinux-avc_audit-log-curr_ip.patch ... [ ok ]
* Applying 4470_disable-compat_vdso.patch ... [ ok ]
* Con Kolivas high performance patchset - http://users.on.net/~ckolivas/kernel
* Applying patch-3.7-ck1.lrz ...
* Skipping patch --> patch-3.7-ck1.lrz [ ok ]
acpi-ec-add-delay-before-write.patch Oops: ACPI: EC: input buffer is not empty, aborting transaction - 2.6.32 regression https://bugzilla.kernel.org/show_bug.cgi?id=14733#c41
nouveau_therm_alarms-3.7.patch thx ROKO__! from https://gitorious.org/linux-nouveau-pm/linux-nouveau-pm/commits/thermal
3.7.0-Fix-DVB-ioctls-failing-if-frontend-open-closed-too-fast.patch fix dvb issues see: http://forum.manjaro.org/index.php?topic=1108.0
3.7.0-fat.patch fix cosmetic fat issue https://bugs.archlinux.org/task/32916
3.7.1-watchdog-fix-disable-enable-regression.patch fix watchdog enable/disable regression https://bugs.archlinux.org/task/33095
kernel-37-gcc47-1.patch.gz Patch source to enable more gcc CPU optimizatons via the make nconfig http://repo-ck.com/source/gcc_patch/kernel-37-gcc47-1.patch.gz
* Fixes for current kernel
* Applying acpi-ec-add-delay-before-write.patch ... [ ok ]
* Applying nouveau_therm_alarms-3.7.patch ... [ ok ]
* Applying 3.7.0-fat.patch ... [ ok ]
* Applying 3.7.0-Fix-DVB-ioctls-failing-if-frontend-open-closed-too-fast.patch ... [ ok ]
* Applying 3.7.1-watchdog-fix-disable-enable-regression.patch ... [ ok ]
* Applying kernel-37-gcc47-1.patch.gz ...
* Skipping patch --> kernel-37-gcc47-1.patch.gz [ ok ]
* Set extraversion in Makefile
* Copy current config from /proc
* Cleanup backups after patching
* Compile gen_init_cpio
make: Entering directory `/var/tmp/portage/sys-kernel/geek-sources-3.7.1/work/linux-3.7.1-geek/usr'
cc -march=core2 -O2 -ftree-vectorize -pipe -mstackrealign --param l1-cache-size=32 --param l1-cache-line-size=64 --param l2-cache-size=1024 -mssse3 -mfpmath=sse,387 -mtune=generic -falign-functions=4 -fforce-addr -floop-block -floop-interchange -floop-strip-mine -fno-ident -fomit-frame-pointer -ftracer -ftree-loop-distribution -fweb -march=core2 -O2 -ftree-vectorize -pipe -mstackrealign --param l1-cache-size=32 --param l1-cache-line-size=64 --param l2-cache-size=1024 -mssse3 -mfpmath=sse,387 -mtune=generic -falign-functions=4 -fforce-addr -floop-block -floop-interchange -floop-strip-mine -fno-ident -fomit-frame-pointer -ftracer -ftree-loop-distribution -fweb -Wl,-O1 -Wl,--as-needed -Wl,--warn-once -Wl,--hash-style=gnu gen_init_cpio.c -o gen_init_cpio
make: Leaving directory `/var/tmp/portage/sys-kernel/geek-sources-3.7.1/work/linux-3.7.1-geek/usr'
* kernel: >> Running oldconfig... ... [ ok ]
* kernel: >> Running modules_prepare... ... [ ok ]
* Live long and prosper.
>>> Source prepared.
>>> Configuring source in /var/tmp/portage/sys-kernel/geek-sources-3.7.1/work/linux-3.7.1-geek ...
>>> Source configured.
>>> Compiling source in /var/tmp/portage/sys-kernel/geek-sources-3.7.1/work/linux-3.7.1-geek ...
>>> Source compiled.
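The build logs above show the practical trap in a combined patchset: "Skipping patch --> patch-3.7-ck1.lrz [ ok ]" still ends in "[ ok ]", so the compile succeeds and the resulting kernel silently lacks whatever was skipped; with the order reversed that would be a grsecurity patch and an unhardened kernel. The following script is an added example, not code from the thread or from geek-sources: it parses a log in the format shown above (the sample lines are constructed from that format) and lists applied versus skipped patches, with a helper a build wrapper can use to fail when a required patch did not go in.

```shell
#!/bin/sh
# Added example (not from the thread or geek-sources): audit a portage/geek-sources
# patch log for patches that were skipped. The build prints "[ ok ]" on the
# "Skipping patch" line too, so a missing hardening patch is easy to overlook.
# SAMPLE_LOG is constructed from the log format shown in the post above.

SAMPLE_LOG=' * Applying 4420_grsecurity-2.9.1-3.7.1-201301041854.patch ... [ ok ]
 * Applying 4430_grsec-remove-localversion-grsec.patch ...
 * Skipping empty patch --> 4430_grsec-remove-localversion-grsec.patch [ ok ]
 * Con Kolivas high performance patchset - http://users.on.net/~ckolivas/kernel
 * Applying patch-3.7-ck1.lrz ...
 * Skipping patch --> patch-3.7-ck1.lrz [ ok ]
 * Applying kernel-37-gcc47-1.patch.gz ...
 * Skipping patch --> kernel-37-gcc47-1.patch.gz [ ok ]'

# applied_patches LOG -> one name per line for every patch whose own
# "Applying ... [ ok ]" line completed (a skipped patch never gets that line).
applied_patches() {
    printf '%s\n' "$1" | sed -n 's/^ *\* Applying \([^ ]*\) \.\.\. \[ ok \]$/\1/p'
}

# skipped_patches LOG -> one name per line for every "Skipping patch -->" line.
# "Skipping empty patch" lines are deliberate no-ops and are not reported.
skipped_patches() {
    printf '%s\n' "$1" | sed -n 's/^ *\* Skipping patch --> \([^ ]*\).*/\1/p'
}

# require_applied LOG NAME -> exit 0 only if NAME was really applied.
# A build wrapper can call this to stop the build instead of shipping a
# kernel that silently lacks the patch that was asked for.
require_applied() {
    applied_patches "$1" | grep -qxF -- "$2"
}

# Stand-alone report over the constructed sample log.
echo "applied:"
applied_patches "$SAMPLE_LOG" | sed 's/^/  /'
echo "skipped (build still reported [ ok ]):"
skipped_patches "$SAMPLE_LOG" | sed 's/^/  /'
if ! require_applied "$SAMPLE_LOG" patch-3.7-ck1.lrz; then
    echo "WARNING: patch-3.7-ck1.lrz was not applied"
fi
```

Run it against a real log by replacing SAMPLE_LOG with the captured ebuild output; the names to pass to require_applied are exactly the file names printed on the "Applying" lines.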
PaulBredbury Watchman
Joined: 14 Jul 2005 Posts: 7310
Posted: Tue Jan 15, 2013 11:12 am
After you've installed AppArmor:
And look at all the examples in /etc/apparmor.d/
188562 Apprentice
Joined: 22 Jun 2008 Posts: 186
Posted: Tue Jan 15, 2013 11:12 am
3) GrSecurity+all
http://pastebin.com/pwDxjNPa
As you can see, GrSecurity is not compatible only with CK and uksm. And I have not tried to build or use it.
Veldrin Veteran
Joined: 27 Jul 2004 Posts: 1945 Location: Zurich, Switzerland
Posted: Tue Jan 15, 2013 11:33 am
PaulBredbury wrote: After you've installed AppArmor:
And look at all the examples in /etc/apparmor.d/
I seem to be missing the example profiles.
At least if I emerge apparmor-utils (which pulls in the rest), /etc/apparmor.d is empty.
I unpacked them directly from the tarball, so I can get at least some parts working.
I am lazy, therefore I try to borrow as many parts as possible from apparmor.net and/or Ubuntu.
I am getting the following error on booting a kernel with AppArmor enabled (3.7.1 + hardened + ck).
Code:
root@belshirash ~ # aa-status
apparmor module is loaded.
You do not have enough privilege to read the profile set.
root@belshirash security # /etc/init.d/apparmor start
 * Starting apparmor ...
grep: /proc/modules: No such file or directory
 * apparmor compatibility is not present in the kernel [ !! ]
 * ERROR: apparmor failed to start
To be honest, I have not configured much, so it may be that I have missed some important part. Any hint would be nice.
NB: I am running a completely monolithic kernel - module support has been completely disabled!
@init_6: Thanks again for the brief tests.
I guess I have to add another overlay - *sigh*
V.
_________________
read the portage output!
If my answer is too concise, ask for an explanation.
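The failure in the post above comes from the init script grepping /proc/modules, a file that does not exist when CONFIG_MODULES is off, so a built-in AppArmor is reported as "not present". The script below is an added example (not from the thread or the AppArmor project) of a presence check that does not depend on module support. It assumes AppArmor exposes /sys/module/apparmor/parameters/enabled (Y/N) even when built in, and that its securityfs interface sits under /sys/kernel/security/apparmor; the ROOT argument exists so the check can be exercised against a constructed directory tree instead of the live system.

```shell
#!/bin/sh
# Added example, not from the thread or the AppArmor project: check whether
# AppArmor is present and enabled without touching /proc/modules, which does
# not exist on a kernel built with CONFIG_MODULES=n (the monolithic kernel in
# the post above). Assumptions: AppArmor exposes
# /sys/module/apparmor/parameters/enabled (Y/N) even when built in, and its
# securityfs interface lives under /sys/kernel/security/apparmor. ROOT lets
# the check run against a constructed directory tree instead of the live system.

# apparmor_state ROOT -> prints one of: enabled, disabled, securityfs-missing, absent
# Exit status is 0 only for "enabled".
apparmor_state() {
    root=${1:-}
    param="$root/sys/module/apparmor/parameters/enabled"
    secfs="$root/sys/kernel/security/apparmor"

    if [ ! -r "$param" ]; then
        # No parameter file: the LSM is neither built in nor loaded.
        echo absent
        return 1
    fi
    case "$(cat "$param")" in
        Y|y|1) ;;
        *) echo disabled; return 1 ;;
    esac
    if [ ! -d "$secfs" ]; then
        # LSM compiled and enabled, but securityfs is not mounted, so
        # profiles cannot be loaded (mount -t securityfs securityfs /sys/kernel/security).
        echo securityfs-missing
        return 1
    fi
    echo enabled
    return 0
}

# make_fake_root DIR ENABLED_VALUE HAS_SECURITYFS
# Builds a constructed tree for exercising each branch offline.
# Pass an empty ENABLED_VALUE to simulate a kernel without AppArmor at all.
make_fake_root() {
    dir=$1
    if [ -n "$2" ]; then
        mkdir -p "$dir/sys/module/apparmor/parameters"
        printf '%s\n' "$2" > "$dir/sys/module/apparmor/parameters/enabled"
    fi
    if [ "$3" = yes ]; then
        mkdir -p "$dir/sys/kernel/security/apparmor"
    fi
}

# Stand-alone run: report the live system's state (empty ROOT).
apparmor_state "" || true
```

Dropping this function into an init script in place of the /proc/modules grep distinguishes "AppArmor is missing from the kernel" from "securityfs is not mounted", which are the two conditions that make the profile loader fail on a monolithic kernel.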
PaulBredbury Watchman
Joined: 14 Jul 2005 Posts: 7310
Posted: Tue Jan 15, 2013 11:36 am
When you compile apparmor, use e.g.:
Code:
pushd . &&
cd profiles &&
make &&
make install &&
popd
Compile firefox with this patch, so the /usr/lib/ dirname doesn't change.
188562 Apprentice
Joined: 22 Jun 2008 Posts: 186
Posted: Tue Jan 15, 2013 11:44 am
Veldrin wrote: @init_6: Thanks again for the brief tests.
I guess I have to add another overlay - *sigh*
If you need GrSecurity with ck then you have to fix GrSecurity or ck yourself… Other overlays will not help.