[Nix-dev] Fwd: Hardened Linux kernel with grsec/PaX + AppArmor

Ricardo M. Correia rcorreia at wizy.org
Wed Aug 7 16:56:05 CEST 2013


I am interested in grsecurity mostly because of the many generic
improvements that you mentioned.

The reason I'm using Apparmor for process confinement is that NixOS
supports it already. In the near future I would like to use grsec's RBAC
system instead of Apparmor, as it seems just as simple but more secure.

But since Apparmor already worked and the grsecurity kernel patch includes
the apparmor patches, I did not feel the urgency to replace Apparmor with
RBAC right now.

Thanks,
Ricardo
On Aug 7, 2013 3:54 PM, "Mathijs Kwik" <mathijs at bluescreen303.nl> wrote:

Hi Ricardo,

It has been some time since I've looked into these security-hardening
systems, but I was under the impression that grsecurity, selinux and
apparmor were somewhat competitive solutions for the same problems.

I know there are some differences (path-based vs inode based) and that
grsecurity provides a bunch of generic improvements (process hiding
for example) too.

However, I've never heard of combining grsec with apparmor.
Why would one do that?



On Wed, Aug 7, 2013 at 2:59 PM, Ricardo M. Correia <rcorreia at wizy.org>
wrote:
> Hi,
>
> I'm attaching a simple patch that allows you to use a kernel with
> grsecurity, PaX and AppArmor enabled, just in case it's useful to anyone.
>
> It requires the following changes to be applied first:
> https://github.com/NixOS/nixpkgs/pull/802
>
> I am not sending a pull request for this new kernel directly because it
> needs further work to allow customization of the grsec kernel config options
> from /etc/nixos/configuration.nix and I don't have time to investigate how
> to do that right now.
>
> In particular, you need to specify whether the machine is a server or a
> desktop; whether it's running as a VM guest, host or simply on bare metal;
> whether hardware or software virtualization is being used and whether you
> prefer more security or more performance.
>
> You can accomplish that by changing the GRKERNSEC_CONFIG_* options which you
> can see in the patch (I enabled the ones I personally use).
>
> You can find a reference for these options here:
>
> https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options#Configuration_Method
>
> In order to use the new kernel and features, you also need to add
> "boot.kernelPackages = pkgs.linuxPackages_3_2_hardened;" and
> "security.apparmor.enable = true;" to your configuration.
>
> You may also need to create AppArmor profiles for the programs you are
> interested in confining.
>
> If you are doing chroot builds and running the new kernel, package
> installation may fail due to "chmod +s" protection (apparently it can be
> used to break out of the chroot).
>
> As a quick workaround, you can disable this protection temporarily during
> package installation:
> # sysctl -w kernel.grsecurity.chroot_deny_chmod=0
> You should probably re-enable it afterwards. I'm sure there are better ways
> to do this, though.
>
> To make sure the kernel has been properly installed and is running, I
> suggest running "dmesg" as a normal user: it should fail with "operation not
> permitted".
>
> I hope this is useful to someone.
>
> PS: you can re-enable the following kernel config options, but you will lose
> the corresponding security features:
>
> Xen support -> disables "Prevent invalid userland pointer dereference"
> (MEMORY_UDEREF)
> Hibernation -> disables "Sanitize all freed memory" (MEMORY_SANITIZE)
>
> Thanks,
> Ricardo
>
>
> _______________________________________________
> nix-dev mailing list
> nix-dev at lists.science.uu.nl
> http://lists.science.uu.nl/mailman/listinfo/nix-dev
>
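The sysctl workaround in Ricardo's message above leaves the chroot protection off until someone remembers to turn it back on. As an added example (not code from the original thread or from nixpkgs), here is a small POSIX sh wrapper that clears kernel.grsecurity.chroot_deny_chmod only for the duration of one command and restores the previous value on every exit path. The SYSCTL_ROOT variable is an assumption introduced here so the function can be exercised against a scratch directory; on a real grsecurity system it is /proc/sys.

```shell
#!/bin/sh
# Added example, not part of the original post: run one command with
# kernel.grsecurity.chroot_deny_chmod cleared, then put the old value back.
# SYSCTL_ROOT is an assumption for testing; the real tree lives in /proc/sys.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"
KNOB="$SYSCTL_ROOT/kernel/grsecurity/chroot_deny_chmod"

# Print the knob's current value (0 or 1). Fails with status 2 when the
# running kernel has no grsecurity sysctl tree at all.
chroot_deny_chmod_get() {
    [ -r "$KNOB" ] || { echo "no grsecurity sysctl at $KNOB" >&2; return 2; }
    cat "$KNOB"
}

# Run "$@" (for example the chroot package build) with the protection
# disabled. The saved value is restored both on normal completion and when
# the shell is interrupted, so the window with the protection off is bounded
# by the command's lifetime. Returns the command's own exit status.
with_chroot_chmod_allowed() {
    saved=$(chroot_deny_chmod_get) || return 2
    # Writing to the /proc/sys file is equivalent to "sysctl -w key=value".
    trap 'echo "$saved" > "$KNOB"' EXIT INT TERM
    echo 0 > "$KNOB" || return 2
    "$@"
    rc=$?
    echo "$saved" > "$KNOB"
    trap - EXIT INT TERM
    return $rc
}
```

Usage on the real system would be something like `with_chroot_chmod_allowed nix-env -i <package>` run as root.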

