FS#40626 - [linux-grsec] Enabling additional flags

Attached to Project: Community Packages
Opened by Alexander Kaufman (akaufman) - Saturday, 31 May 2014, 19:02 GMT
Last edited by Daniel Micay (thestinger) - Sunday, 01 June 2014, 06:05 GMT
Task Type Feature Request
Category Packages
Status Closed
Assigned To Daniel Micay (thestinger)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

This is a request to enable the following flags in grsec.
I recompiled my kernel with them enabled without any obvious breakage or slowing down:

CONFIG_PAX_MEMORY_SANITIZE=y
CONFIG_PAX_MEMORY_UDEREF=y
CONFIG_PAX_CONSTIFY_PLUGIN=y

CONFIG_GRKERNSEC_VM86=y
CONFIG_GRKERNSEC_RANDSTRUCT=y
CONFIG_GRKERNSEC_PROC=y
CONFIG_GRKERNSEC_PROC_USER=y
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_SYSFS_RESTRICT=y
CONFIG_GRKERNSEC_DMESG=y

CONFIG_GRKERNSEC_CONFIG_VIRT_EPT=y

Closed by Daniel Micay (thestinger)
Sunday, 01 June 2014, 06:05 GMT
Reason for closing: Won't implement
Comment by Daniel Micay (thestinger) - Sunday, 01 June 2014, 06:05 GMT
There is a good reason behind the current set of selected options. The rationale is documented on the wiki:

https://wiki.archlinux.org/index.php/DeveloperWiki:Security#kernel

> CONFIG_PAX_MEMORY_SANITIZE=y

This could be enabled, but it has a high performance cost.

> CONFIG_PAX_MEMORY_UDEREF=y

This is enabled on i686 where it is cheap, but it has a high performance cost on x86_64 and I am not currently enabling it for that reason.

> CONFIG_PAX_CONSTIFY_PLUGIN=y

I don't think this does anything. You need to enable KERNEXEC in order to use the CONSTIFY plugin, and that requires disabling CONFIG_XEN. I am not sure that I want to do that, and the kernel did not boot when I tried this.

> CONFIG_GRKERNSEC_VM86=y

This is already enabled on x86 and does not exist on x86_64.

> CONFIG_GRKERNSEC_RANDSTRUCT=y

There's no security offered by this option with a pre-built kernel, and it has significant performance overhead if not enabling the PERFORMANCE option too.

> CONFIG_GRKERNSEC_PROC=y
> CONFIG_GRKERNSEC_PROC_USER=y
> CONFIG_GRKERNSEC_PROC_ADD=y

These cause a significant amount of breakage and cannot be disabled via a sysctl flag. It's unacceptable for a general purpose kernel in the repositories. Luckily, there's a hidepid mount option for /proc providing an almost identical feature. By mounting /proc with hidepid=1/hidepid=2 you pretty much get the same benefits, but the key part is that it's optional. Among other things, GRKERNSEC_PROC=y or hidepid=2 completely breaks containers, which is itself a significant security feature.

> CONFIG_GRKERNSEC_LINK=y
> CONFIG_GRKERNSEC_DMESG=y

As documented on the wiki, both of these features are upstream and the grsecurity-specific features aren't necessary.

> CONFIG_GRKERNSEC_SYSFS_RESTRICT=y

This also causes a huge amount of breakage and has no sysctl flag to turn it off. If it ever becomes an option at runtime via sysctl I will enable it.

> CONFIG_GRKERNSEC_CONFIG_VIRT_EPT=y

This seems to be part of the automatic configuration selection, which isn't being used.
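The comment above points to the hidepid mount option as the optional, runtime alternative to GRKERNSEC_PROC. As an added example (not from this tracker, the Arch package or grsecurity), here is a POSIX sh check that reads the hidepid= level of the /proc mount out of a mounts table so an administrator can confirm the option is actually in effect; the function names and the sample mounts lines are my own constructions.

```shell
#!/bin/sh
# Added example: audit the hidepid= setting on /proc from a mounts table.
# Reads /proc/self/mounts when available, otherwise a constructed sample.

# Constructed sample in /proc/mounts format (not captured from a real host).
SAMPLE_MOUNTS='proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2,gid=26 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0'

# proc_hidepid_level MOUNTS_TEXT
# Prints the hidepid= value of the /proc mount (the last one wins if the
# option is repeated), "0" when /proc is mounted without hidepid, or "-1"
# when no /proc mount is listed at all.
proc_hidepid_level() {
    printf '%s\n' "$1" | awk '
        $2 == "/proc" && $3 == "proc" {
            found = 1
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) {
                if (opts[i] ~ /^hidepid=/) {
                    sub(/^hidepid=/, "", opts[i])
                    level = opts[i]
                }
            }
        }
        END {
            if (!found) print "-1"
            else if (level == "") print "0"
            else print level
        }'
}

# proc_hidepid_status MOUNTS_TEXT
# Classifies the level: "ok" for hidepid=2 (other users' processes fully
# hidden), "partial" for hidepid=1 (visible but /proc/PID unreadable),
# "missing" otherwise. Newer kernels also accept the names
# invisible/ptraceable for 2/1, so those are mapped the same way.
proc_hidepid_status() {
    level=$(proc_hidepid_level "$1")
    case "$level" in
        2|invisible)   echo ok ;;
        1|ptraceable)  echo partial ;;
        *)             echo missing ;;
    esac
}

if [ -r /proc/self/mounts ]; then
    mounts=$(cat /proc/self/mounts)
else
    mounts=$SAMPLE_MOUNTS
fi
echo "/proc hidepid level: $(proc_hidepid_level "$mounts") ($(proc_hidepid_status "$mounts"))"
```

Remember the caveat from the comment: hidepid=2 on the host /proc can break containers, so check the result on a test system before adding it to fstab.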
