2.6.30-zen4 grsecurity patch
kernelOfTruth (Watchman)
Joined: 20 Dec 2005
Posts: 6108
Location: Vienna, Austria; Germany; hello world :)
Posted: Sat Aug 29, 2009 11:47 am    Post subject: 2.6.30-zen4 grsecurity patch

Hi guys,

For those who'd like to have a feature-rich AND hardened kernel, here's the perfect match:

2.6.30-zen4_grsecurity ! :)

DISCLAIMER: I take no responsibility if it burns your computer, calls the SWAT or kills any of your kittens.
This patch (on top of 2.6.30-zen4) has been uploaded for your (and my ;) ) convenience.
If you don't trust me, just head over to grsecurity.net, download the official patch yourself and fix the few rejects :idea:

Quote:
First released: Thu, 08/20/2009 - 23:51
Download: 2.6.30-zen4.patch.lzma
Size: 1.66 MB
md5_file hash: 4758f1fcbfd54c455fc00411058f7ca5
Last updated: Thu, 08/20/2009 - 23:51

- applies over 2.6.30
- multiple new features and fixes added, latest upstream stable, several features updated
- by FAR the most complete and best 2.6.30 release of the zen kernel!

*** 2.6.30-zen4 "Amphlibliganshons" ***
- 2.6.30.5
- cfq drain async i/o patch/fix
- linux-PHC 0.3.2-7
- Add wii/gamecube patches/support
- Reverted zen-tune (confuses people)
- Wii/Gamecube linux patch
- Vanilla DRM
- Fixed "socket" exploit
- fix hrtick handling/enable hrtick
- Updated reiser4
- Added unionfs 2.5.2
- Updated aufs2
- Added atom architecture support
- Add devtmpfs
- Add compcache 0.6
- Totally Updated/new slqb from linux-next (28 commits from linux-next)
- Updated btrfs to latest git


Source: www.zen-sources.org

zen patch on top of vanilla 2.6.30:
http://omploader.org/vMjhvZw/2.6.30-zen4.patch.lzma (the same file as on www.zen-sources.org)

size: 1742352
md5sum:
4758f1fcbfd54c455fc00411058f7ca5 2.6.30-zen4.patch.lzma
sha256sum:
20dadd0ca70cba2dbf46e8d9a8c54cf2c8f51018c8f6d96ac80bbcfe6882994f 2.6.30-zen4.patch.lzma


grsecurity patch on top of the zen patch (based on the grsecurity patch from www.grsecurity.net):
http://omploader.org/vMjhxNg/grsecurity_2.1.14-2.6.30.5-200908281917-for-zen-2.6.30-zen4.patch.tbz2

size (of the patch): 3263325
md5sum:
6baa8da006139d25de129503e3456e9f grsecurity_2.1.14-2.6.30.5-200908281917-for-zen-2.6.30-zen4.patch
sha256sum:
4dc08428d5f8f0abe70e698b2c3bb016a42430244d6c1cfee12ca5cedbc58324 grsecurity_2.1.14-2.6.30.5-200908281917-for-zen-2.6.30-zen4.patch

size (of the tbz2 file): 570045
md5sum:
314e9e38c4204bfb99711c6d9b2db647 grsecurity_2.1.14-2.6.30.5-200908281917-for-zen-2.6.30-zen4.patch.tbz2
sha256sum:
b67a8c069726d849249e8b8a53423819dba93044c7741209bbcd65df10a65d71 grsecurity_2.1.14-2.6.30.5-200908281917-for-zen-2.6.30-zen4.patch.tbz2

For your information:
only the following 3 files were manually altered in addition to the grsecurity-patch:
Quote:
1 out of 3 hunks FAILED -- saving rejects to file arch/x86/Kconfig.cpu.rej
1 out of 3 hunks FAILED -- saving rejects to file init/do_mounts.c.rej
1 out of 3 hunks FAILED -- saving rejects to file init/Kconfig.rej



FAQ:
Q: What is this kernel's purpose?
A: It's for those users who want to run zen kernels (bleeding edge, feature-rich and fast) and still have a more hardened system than usual.

Q: This enhanced security doesn't come for free, right?
A: Yes. Ideally you should have compiled everything with PIC and PIE. In former times this was done by changing your system profile to the hardened profiles; today, with a recent enough toolchain, your system and everything else should already (afaik) be compiled with the latter via the transparent specs included in your GCC compiler, e.g. when
Code:
gcc -v
says:
Quote:
Using built-in specs. ... Thread model: posix
gcc version 4.3.4 (Gentoo Hardened 4.3.4-r1 p1.0, espf-0.3.2)
When not running a security-enhanced system this generally defeats the purpose of grsecurity (especially PaX, which makes broad use of PIE features in order to randomly "put" it into your system memory, therefore making it difficult to inject or attach anything to those running apps). grsecurity's RSBAC and other stuff can nevertheless still be quite useful, e.g. when securing your running processes or your system against getting out of a chroot. The performance overhead is usually between 3 and 10% or more, depending on the options you choose and how powerful your system is.

Q: Anything to consider before booting and starting to use the kernel?
A: Yes. When using PaX, first start using the kernel with pax_softmode=1, see what is broken and "fix" it (change security options) via chpax and paxctl, which are in the portage tree. The security option affecting most apps is mprotect(). In this mode you can also enjoy running your security-enhanced box with the 3D acceleration of ati-drivers, nvidia-drivers (if the "bug"/incompatibility with PIE and newer drivers is "fixed" again) or open-source drivers.


Resources:
* Introduction to Hardened Gentoo
* Gentoo Grsecurity v2 Guide
* wikibooks: Grsecurity, Additional Utilities

Acknowledgement:
* kudos to www.zen-sources.org for 2.6.30-zen4
* kudos to Brad Spengler from www.grsecurity.net and the PaX Team at http://pax.grsecurity.net/ for grsecurity, PaX, RSBAC, etc.


update2:

FIXME:
post link to newer (working?) grsecurity patch on top of 2.6.30-zen4
done.

update3:

added a pretty superficial FAQ
_________________
https://github.com/kernelOfTruth/ZFS-for-SystemRescueCD/tree/ZFS-for-SysRescCD-4.9.0
https://github.com/kernelOfTruth/pulseaudio-equalizer-ladspa

Hardcore Gentoo Linux user since 2004 :D


Last edited by kernelOfTruth on Sat Aug 29, 2009 5:33 pm; edited 8 times in total
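As an added example (not part of the post, and not code from the zen or grsecurity projects), a POSIX shell script that refuses to unpack or dry-run the downloads above unless both the md5 and the sha256 posted in the thread match. It assumes GNU coreutils, GNU tar and GNU patch, that the .tbz2 unpacks to the .patch file named in the post, and that the grsecurity patch applies with -p1 to a tree that already carries the zen patch.

```shell
#!/bin/sh
# Added example (not from the post or the zen/grsecurity projects): refuse to
# touch a downloaded patch unless BOTH the md5 and the sha256 posted in the
# thread match. Assumes GNU coreutils md5sum/sha256sum, GNU tar and GNU patch,
# and that the .tbz2 unpacks to the .patch file named in the post.

# verify_hashes FILE EXPECTED_MD5 EXPECTED_SHA256 -> 0 if both match, else 1
verify_hashes() {
    file=$1; want_md5=$2; want_sha=$3
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    got_md5=$(md5sum "$file" | cut -d' ' -f1)
    got_sha=$(sha256sum "$file" | cut -d' ' -f1)
    status=0
    [ "$got_md5" = "$want_md5" ] || { echo "md5 MISMATCH for $file: $got_md5" >&2; status=1; }
    [ "$got_sha" = "$want_sha" ] || { echo "sha256 MISMATCH for $file: $got_sha" >&2; status=1; }
    return $status
}

# Expected values copied from the first post of this thread.
ZEN_PATCH=2.6.30-zen4.patch.lzma
ZEN_MD5=4758f1fcbfd54c455fc00411058f7ca5
ZEN_SHA=20dadd0ca70cba2dbf46e8d9a8c54cf2c8f51018c8f6d96ac80bbcfe6882994f
GRSEC_TBZ2=grsecurity_2.1.14-2.6.30.5-200908281917-for-zen-2.6.30-zen4.patch.tbz2
GRSEC_TBZ2_MD5=314e9e38c4204bfb99711c6d9b2db647
GRSEC_TBZ2_SHA=b67a8c069726d849249e8b8a53423819dba93044c7741209bbcd65df10a65d71
GRSEC_PATCH=grsecurity_2.1.14-2.6.30.5-200908281917-for-zen-2.6.30-zen4.patch
GRSEC_PATCH_MD5=6baa8da006139d25de129503e3456e9f
GRSEC_PATCH_SHA=4dc08428d5f8f0abe70e698b2c3bb016a42430244d6c1cfee12ca5cedbc58324

# check_downloads: verify archives, unpack, verify the inner patch, then dry-run
# it (-p1 assumed) against a tree that already carries the zen patch so rejects
# show up before anything is modified. Run from the kernel source directory.
check_downloads() {
    verify_hashes "$ZEN_PATCH" "$ZEN_MD5" "$ZEN_SHA" || return 1
    verify_hashes "$GRSEC_TBZ2" "$GRSEC_TBZ2_MD5" "$GRSEC_TBZ2_SHA" || return 1
    tar xjf "$GRSEC_TBZ2" || return 1
    verify_hashes "$GRSEC_PATCH" "$GRSEC_PATCH_MD5" "$GRSEC_PATCH_SHA" || return 1
    patch -p1 --dry-run < "$GRSEC_PATCH"
}

if [ -f "$ZEN_PATCH" ] && [ -f "$GRSEC_TBZ2" ]; then
    check_downloads
else
    echo "patch files not found in $(pwd); nothing verified" >&2
fi
```

The dry run prints the same "hunks FAILED -- saving rejects" lines the post quotes, so anything beyond the three expected rejects is a reason to stop and compare against the official patch.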
tranquilcool (Veteran)
Joined: 25 Mar 2005
Posts: 1159
Posted: Sat Aug 29, 2009 3:34 pm

arch/x86/kernel/built-in.o: In function `sys_modify_ldt':
(.text+0x5d47): undefined reference to `check_object_size'
arch/x86/kernel/built-in.o: In function `restore_i387_fxsave':
i387.c:(.text+0xb6a5): undefined reference to `check_object_size'
arch/x86/kernel/built-in.o: In function `save_i387_fxsave':
i387.c:(.text+0xb7be): undefined reference to `check_object_size'
arch/x86/kernel/built-in.o: In function `fpregs_set':
(.text+0xbf7b): undefined reference to `check_object_size'
arch/x86/kernel/built-in.o: In function `fpregs_set':
(.text+0xbfc1): undefined reference to `check_object_size'
arch/x86/kernel/built-in.o:(.text+0xc166): more undefined references to `check_object_size' follow
make: *** [vmlinux] Error 1

Spits out these errors and doesn't build.
Any help?
_________________
this is a strange strange world.
kernelOfTruth (Watchman)
Joined: 20 Dec 2005
Posts: 6108
Location: Vienna, Austria; Germany; hello world :)
Posted: Sat Aug 29, 2009 3:35 pm

tranquilcool wrote:
arch/x86/kernel/built-in.o: In function `sys_modify_ldt':
(.text+0x5d47): undefined reference to `check_object_size'
arch/x86/kernel/built-in.o: In function `restore_i387_fxsave':
i387.c:(.text+0xb6a5): undefined reference to `check_object_size'
arch/x86/kernel/built-in.o: In function `save_i387_fxsave':
i387.c:(.text+0xb7be): undefined reference to `check_object_size'
arch/x86/kernel/built-in.o: In function `fpregs_set':
(.text+0xbf7b): undefined reference to `check_object_size'
arch/x86/kernel/built-in.o: In function `fpregs_set':
(.text+0xbfc1): undefined reference to `check_object_size'
arch/x86/kernel/built-in.o:(.text+0xc166): more undefined references to `check_object_size' follow
make: *** [vmlinux] Error 1

Spits out these errors and doesn't build.
Any help?


Did the patch apply cleanly, without rejects? :(

I'll see if I can reproduce it ...

Could you check your sections in .config against mine?
Quote:
#
# Security options
#

#
# Grsecurity
#
CONFIG_GRKERNSEC=y
# CONFIG_GRKERNSEC_LOW is not set
# CONFIG_GRKERNSEC_MEDIUM is not set
# CONFIG_GRKERNSEC_HIGH is not set
CONFIG_GRKERNSEC_CUSTOM=y

#
# Address Space Protection
#
CONFIG_GRKERNSEC_KMEM=y
# CONFIG_GRKERNSEC_IO is not set
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_BRUTE=y
CONFIG_GRKERNSEC_MODSTOP=y
# CONFIG_GRKERNSEC_MODHARDEN is not set
CONFIG_GRKERNSEC_HIDESYM=y

#
# Role Based Access Control Options
#
# CONFIG_GRKERNSEC_NO_RBAC is not set
CONFIG_GRKERNSEC_ACL_HIDEKERN=y
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30

#
# Filesystem Protections
#
CONFIG_GRKERNSEC_PROC=y
CONFIG_GRKERNSEC_PROC_USER=y
CONFIG_GRKERNSEC_PROC_ADD=y
# CONFIG_GRKERNSEC_LINK is not set
# CONFIG_GRKERNSEC_FIFO is not set
CONFIG_GRKERNSEC_CHROOT=y
# CONFIG_GRKERNSEC_CHROOT_MOUNT is not set
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y

#
# Kernel Auditing
#
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
# CONFIG_GRKERNSEC_EXECLOG is not set
CONFIG_GRKERNSEC_RESLOG=y
# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
CONFIG_GRKERNSEC_AUDIT_MOUNT=y
# CONFIG_GRKERNSEC_AUDIT_IPC is not set
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
# CONFIG_GRKERNSEC_TIME is not set
CONFIG_GRKERNSEC_PROC_IPADDR=y
# CONFIG_GRKERNSEC_AUDIT_TEXTREL is not set

#
# Executable Protections
#
# CONFIG_GRKERNSEC_EXECVE is not set
# CONFIG_GRKERNSEC_DMESG is not set
# CONFIG_GRKERNSEC_TPE is not set

#
# Network Protections
#
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_BLACKHOLE=y
# CONFIG_GRKERNSEC_SOCKET is not set

#
# Sysctl support
#
CONFIG_GRKERNSEC_SYSCTL=y
CONFIG_GRKERNSEC_SYSCTL_ON=y

#
# Logging Options
#
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=4

#
# PaX
#
CONFIG_PAX=y

#
# PaX Control
#
CONFIG_PAX_SOFTMODE=y
CONFIG_PAX_EI_PAX=y
CONFIG_PAX_PT_PAX_FLAGS=y
# CONFIG_PAX_NO_ACL_FLAGS is not set
CONFIG_PAX_HAVE_ACL_FLAGS=y
# CONFIG_PAX_HOOK_ACL_FLAGS is not set

#
# Non-executable pages
#
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
# CONFIG_PAX_EMUTRAMP is not set
CONFIG_PAX_MPROTECT=y
# CONFIG_PAX_NOELFRELOCS is not set
# CONFIG_PAX_KERNEXEC is not set

#
# Address Space Layout Randomization
#
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y

#
# Miscellaneous hardening features
#
CONFIG_PAX_MEMORY_SANITIZE=y
CONFIG_PAX_REFCOUNT=y
CONFIG_PAX_USERCOPY=y
# CONFIG_KEYS is not set
CONFIG_SECURITY=y
# CONFIG_SECURITYFS is not set
# CONFIG_SECURITY_NETWORK is not set
# CONFIG_SECURITY_PATH is not set
# CONFIG_SECURITY_FILE_CAPABILITIES is not set
# CONFIG_SECURITY_ROOTPLUG is not set
# CONFIG_SECURITY_TOMOYO is not set
# CONFIG_IMA is not set
CONFIG_XOR_BLOCKS=y
CONFIG_ASYNC_CORE=y
CONFIG_ASYNC_MEMCPY=y
CONFIG_ASYNC_XOR=y
CONFIG_CRYPTO=y


edit:

OK, hold on - I think I know what went wrong ...

*fixing right now*
kernelOfTruth (Watchman)
Joined: 20 Dec 2005
Posts: 6108
Location: Vienna, Austria; Germany; hello world :)
Posted: Sat Aug 29, 2009 5:04 pm

New patch was uploaded.

Please try (currently running it and posting from it).
tranquilcool (Veteran)
Joined: 25 Mar 2005
Posts: 1159
Posted: Sat Aug 29, 2009 5:40 pm

kernelOfTruth wrote:
New patch was uploaded.

Please try (currently running it and posting from it).


Same errors with the new patch and your config.
kernelOfTruth (Watchman)
Joined: 20 Dec 2005
Posts: 6108
Location: Vienna, Austria; Germany; hello world :)
Posted: Sat Aug 29, 2009 5:49 pm

tranquilcool wrote:
kernelOfTruth wrote:
New patch was uploaded.

Please try (currently running it and posting from it).


Same errors with the new patch and your config.


Are you by chance using full preemption?

Try using
Quote:
Voluntary Kernel Preemption (Desktop)


Here's my kernel config:
http://pastebin.com/mbfd4205 (that link is valid from today on for a month)
tranquilcool (Veteran)
Joined: 25 Mar 2005
Posts: 1159
Posted: Sat Aug 29, 2009 8:20 pm

kernelOfTruth wrote:
tranquilcool wrote:
kernelOfTruth wrote:
New patch was uploaded.

Please try (currently running it and posting from it).


Same errors with the new patch and your config.


Are you by chance using full preemption?

Try using
Quote:
Voluntary Kernel Preemption (Desktop)


Here's my kernel config:
http://pastebin.com/mbfd4205 (that link is valid from today on for a month)


I was using low-latency preempt, but the result is the same even with voluntary preempt.
I'm going to look through your config and let you know if it builds. I'm on x32, not x64 bits.


EDIT: CONFIG_SLQB_ALLOCATOR was the culprit. It builds with SLUB.

Thanks.
kernelOfTruth (Watchman)
Joined: 20 Dec 2005
Posts: 6108
Location: Vienna, Austria; Germany; hello world :)
Posted: Sat Aug 29, 2009 9:35 pm

tranquilcool wrote:
kernelOfTruth wrote:
tranquilcool wrote:
kernelOfTruth wrote:
New patch was uploaded.

Please try (currently running it and posting from it).


Same errors with the new patch and your config.


Are you by chance using full preemption?

Try using
Quote:
Voluntary Kernel Preemption (Desktop)


Here's my kernel config:
http://pastebin.com/mbfd4205 (that link is valid from today on for a month)


I was using low-latency preempt, but the result is the same even with voluntary preempt.
I'm going to look through your config and let you know if it builds. I'm on x32, not x64 bits.


EDIT: CONFIG_SLQB_ALLOCATOR was the culprit. It builds with SLUB.

Thanks.


Glad it works for you :)

Sorry - I forgot to mention that "exotic" stuff like not-yet-integrated slab allocators or other features not in Linus' tree is not patched by grsecurity (I've also not altered those since I don't / can't use them with the "stupid" fglrx driver :wink: )

Most of those should work (e.g. reiser4, which I'm, amongst others, currently using for / (root) and /usr/portage) but some might also fail (e.g. ramzswap + compcache <-- haven't tested that yet, but I'm pretty sure that it is prone to fail when most of the grsecurity and PaX stuff is enabled)
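An added example, written for this thread and not code from either poster: a POSIX shell preflight over a kernel .config that flags the combination tranquilcool hit (CONFIG_PAX_USERCOPY together with CONFIG_SLQB_ALLOCATOR; the undefined check_object_size symbol is the usercopy check that the grsecurity patch adds to the mainline slab allocators, and the zen SLQB code is not patched, as kernelOfTruth notes above) and warns when PaX is enabled without the soft-mode and flag-marking options the first post's FAQ relies on. Kconfig symbol names are those posted in the thread; the rules and script are the editor's.

```shell
#!/bin/sh
# Added example, not from the thread: preflight a kernel .config for the
# option combinations this thread found to break or misbehave with grsecurity.
# Kconfig symbol names are the ones posted in the thread.

# cfg_enabled SYMBOL FILE -> true if SYMBOL=y or SYMBOL=m is set in FILE
cfg_enabled() {
    grep -q "^$1=[ym]" "$2"
}

# preflight_config FILE -> prints findings; exit status = number of hard errors
preflight_config() {
    cfg=$1
    errors=0
    # 1. CONFIG_PAX_USERCOPY adds check_object_size() to the mainline slab
    #    allocators (slab/slub/slob). SLQB comes from linux-next via zen and is
    #    not touched by the grsecurity patch, so vmlinux fails to link with
    #    "undefined reference to check_object_size" (tranquilcool's error).
    if cfg_enabled CONFIG_PAX_USERCOPY "$cfg" && cfg_enabled CONFIG_SLQB_ALLOCATOR "$cfg"; then
        echo "ERROR: CONFIG_PAX_USERCOPY + CONFIG_SLQB_ALLOCATOR will not link; select SLUB instead"
        errors=$((errors + 1))
    fi
    # 2. Soft mode logs PaX violations instead of killing the process, so the
    #    first boots (pax_softmode=1) can reveal which binaries need marking.
    if cfg_enabled CONFIG_PAX "$cfg" && ! cfg_enabled CONFIG_PAX_SOFTMODE "$cfg"; then
        echo "WARN: CONFIG_PAX without CONFIG_PAX_SOFTMODE; enable it so the first boots can use pax_softmode=1"
    fi
    # 3. paxctl stores per-binary flags in PT_PAX_FLAGS, chpax in EI_PAX; without
    #    at least one of them, per-application exceptions cannot be recorded.
    if cfg_enabled CONFIG_PAX "$cfg" && ! cfg_enabled CONFIG_PAX_PT_PAX_FLAGS "$cfg" \
       && ! cfg_enabled CONFIG_PAX_EI_PAX "$cfg"; then
        echo "WARN: neither CONFIG_PAX_PT_PAX_FLAGS nor CONFIG_PAX_EI_PAX set; paxctl/chpax markings will be ignored"
    fi
    return $errors
}

# Stand-alone use: sh preflight.sh /usr/src/linux/.config
if [ -n "$1" ] && [ -f "$1" ]; then
    preflight_config "$1"
fi
```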
tranquilcool (Veteran)
Joined: 25 Mar 2005
Posts: 1159
Posted: Sun Aug 30, 2009 8:10 am

Thanks. Now I am going to play with it for some time.
I have not played with grsecurity much, so this is a good chance
to do that.