[Nix-dev] Fwd: Hardened Linux kernel with grsec/PaX + AppArmor

Mathijs Kwik mathijs at bluescreen303.nl
Wed Aug 7 15:54:20 CEST 2013


Hi Ricardo,

It has been some time since I've looked into these security-hardening
systems, but I was under the impression that grsecurity, SELinux and
AppArmor were somewhat competitive solutions for the same problems.

I know there are some differences (path-based vs. inode-based) and that
grsecurity provides a bunch of generic improvements (process hiding,
for example) too.

However, I've never heard of combining grsec with apparmor.
Why would one do that?



On Wed, Aug 7, 2013 at 2:59 PM, Ricardo M. Correia <rcorreia at wizy.org> wrote:
> Hi,
>
> I'm attaching a simple patch that allows you to use a kernel with
> grsecurity, PaX and AppArmor enabled, just in case it's useful to anyone.
>
> It requires the following changes to be applied first:
> https://github.com/NixOS/nixpkgs/pull/802
>
> I am not sending a pull request for this new kernel directly because it
> needs further work to allow customization of the grsec kernel config options
> from /etc/nixos/configuration.nix and I don't have time to investigate how
> to do that right now.
>
> In particular, you need to specify whether the machine is a server or a
> desktop; whether it's running as a VM guest, host or simply on bare metal;
> whether hardware or software virtualization is being used and whether you
> prefer more security or more performance.
>
> You can accomplish that by changing the GRKERNSEC_CONFIG_* options which you
> can see in the patch (I enabled the ones I personally use).
>
> You can find a reference for these options here:
> https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options#Configuration_Method
>
> In order to use the new kernel and features, you also need to add
> "boot.kernelPackages = pkgs.linuxPackages_3_2_hardened;" and
> "security.apparmor.enable = true;" to your configuration.
>
> You may also need to create AppArmor profiles for the programs you are
> interested in confining.
>
> If you are doing chroot builds and running the new kernel, package
> installation may fail due to "chmod +s" protection (apparently it can be
> used to break out of the chroot).
>
> As a quick workaround, you can disable this protection temporarily during
> package installation:
> # sysctl -w kernel.grsecurity.chroot_deny_chmod=0
> You should probably re-enable it afterwards. I'm sure there are better ways
> to do this, though.
>
> To make sure the kernel has been properly installed and is running, I
> suggest running "dmesg" as a normal user: it should fail with "operation not
> permitted".
>
> I hope this is useful to someone.
>
> PS: you can re-enable the following kernel config options, but you will lose
> the corresponding security features:
>
> Xen support -> disables "Prevent invalid userland pointer dereference"
> (MEMORY_UDEREF)
> Hibernation -> disables "Sanitize all freed memory" (MEMORY_SANITIZE)
>
> Thanks,
> Ricardo
>
>
> _______________________________________________
> nix-dev mailing list
> nix-dev at lists.science.uu.nl
> http://lists.science.uu.nl/mailman/listinfo/nix-dev
>
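Ricardo's workaround above lowers kernel.grsecurity.chroot_deny_chmod by hand and relies on remembering to raise it again. The following wrapper is an added example, not code from the thread or from nixpkgs: it runs one command with a sysctl temporarily changed and restores the previous value on exit, including when the command fails or the shell is interrupted. It assumes it is run as root on a kernel that exposes the grsecurity sysctl; the SYSCTL variable is an assumption added so the logic can be exercised with a stand-in sysctl on a machine without grsecurity.

```shell
#!/bin/sh
# with_sysctl: run a command with one sysctl key temporarily set,
# then put the original value back whatever happens to the command.
# SYSCTL may be overridden (assumption for testing without grsecurity).
SYSCTL=${SYSCTL:-sysctl}

# Print the current value of a sysctl key (sysctl -n prints only the value).
sysctl_get() {
    "$SYSCTL" -n "$1"
}

# Write KEY=VALUE; the "key = value" echo from sysctl -w is discarded.
sysctl_set() {
    "$SYSCTL" -w "$1=$2" >/dev/null
}

# with_sysctl KEY VALUE CMD [ARGS...]
# Sets KEY to VALUE, runs CMD, restores KEY, and returns CMD's exit status.
with_sysctl() {
    ws_key=$1
    ws_value=$2
    shift 2
    ws_orig=$(sysctl_get "$ws_key") || return 1
    ws_restore="sysctl_set $ws_key $ws_orig"
    # Register the restore before changing anything, so an interrupt
    # between the write and the command still undoes the change.
    trap "$ws_restore" EXIT INT TERM
    sysctl_set "$ws_key" "$ws_value" || { trap - EXIT INT TERM; return 1; }
    "$@"
    ws_status=$?
    trap - EXIT INT TERM
    $ws_restore
    return $ws_status
}

# Typical use on the hardened kernel (not executed when sourced for tests):
#   with_sysctl kernel.grsecurity.chroot_deny_chmod 0 nix-env -i somepackage
```

The protection is only relaxed for the lifetime of the wrapped command, and the exit status of that command is passed through, so the wrapper can sit in front of a build or install step without hiding its failures.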

