Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#40626 - [linux-grsec] Enabling additional flags
Attached to Project:
Community Packages
Opened by Alexander Kaufman (akaufman) - Saturday, 31 May 2014, 19:02 GMT
Last edited by Daniel Micay (thestinger) - Sunday, 01 June 2014, 06:05 GMT
Details
This is a request to enable the following flags in grsec. I recompiled my kernel with them enabled without any obvious breakage or slowing down:
CONFIG_PAX_MEMORY_SANITIZE=y
CONFIG_PAX_MEMORY_UDEREF=y
CONFIG_PAX_CONSTIFY_PLUGIN=y
CONFIG_GRKERNSEC_VM86=y
CONFIG_GRKERNSEC_RANDSTRUCT=y
CONFIG_GRKERNSEC_PROC=y
CONFIG_GRKERNSEC_PROC_USER=y
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_SYSFS_RESTRICT=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_CONFIG_VIRT_EPT=y
Closed by Daniel Micay (thestinger)
Sunday, 01 June 2014, 06:05 GMT
Reason for closing: Won't implement
https://wiki.archlinux.org/index.php/DeveloperWiki:Security#kernel
> CONFIG_PAX_MEMORY_SANITIZE=y
This could be enabled, but it has a high performance cost.
> CONFIG_PAX_MEMORY_UDEREF=y
This is enabled on i686 where it is cheap, but it has a high performance cost on x86_64 and I am not currently enabling it for that reason.
> CONFIG_PAX_CONSTIFY_PLUGIN=y
I don't think this does anything. You need to enable KERNEXEC in order to use the CONSTIFY plugin, and that requires disabling CONFIG_XEN. I am not sure that I want to do that, and the kernel did not boot when I tried this.
> CONFIG_GRKERNSEC_VM86=y
This is already enabled on x86 and does not exist on x86_64.
> CONFIG_GRKERNSEC_RANDSTRUCT=y
There's no security offered by this option with a pre-built kernel, and it has significant performance overhead if not enabling the PERFORMANCE option too.
> CONFIG_GRKERNSEC_PROC=y
> CONFIG_GRKERNSEC_PROC_USER=y
> CONFIG_GRKERNSEC_PROC_ADD=y
These cause a significant amount of breakage and cannot be disabled via a sysctl flag. It's unacceptable for a general purpose kernel in the repositories. Luckily, there's a hidepid mount option for /proc providing an almost identical feature. By mounting /proc with hidepid=1/hidepid=2 you pretty much get the same benefits, but the key part is that it's optional. Among other things, GRKERNSEC_PROC=y or hidepid=2 completely breaks containers, which is itself a significant security feature.
> CONFIG_GRKERNSEC_LINK=y
> CONFIG_GRKERNSEC_DMESG=y
As documented on the wiki, both of these features are upstream and the grsecurity-specific features aren't necessary.
> CONFIG_GRKERNSEC_SYSFS_RESTRICT=y
This also causes a huge amount of breakage and has no sysctl flag to turn it off. If it ever becomes an option at runtime via sysctl I will enable it.
> CONFIG_GRKERNSEC_CONFIG_VIRT_EPT=y
This seems to be part of the automatic configuration selection, which isn't being used.
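The reply above points to upstream replacements for three of the requested options: the hidepid mount option on /proc instead of GRKERNSEC_PROC, and the fs.protected_symlinks/fs.protected_hardlinks and kernel.dmesg_restrict sysctls instead of GRKERNSEC_LINK and GRKERNSEC_DMESG. The following script is an added example, not part of the bug report or of the Arch linux-grsec package, that audits a system for those settings and shows the corrected configuration beside a weak one. The sample mount and sysctl listings are constructed, the group name "proc" and gid 26 in the fstab line are assumed values, and the functions take their input as text so they can be run on captured output as well as on the live machine.

```shell
#!/bin/sh
# Added example (not from the bug report): audit for the upstream equivalents of
# GRKERNSEC_PROC (hidepid= on /proc), GRKERNSEC_LINK (fs.protected_symlinks,
# fs.protected_hardlinks) and GRKERNSEC_DMESG (kernel.dmesg_restrict).

# Print the hidepid= value of the /proc mount from /proc/self/mounts-format
# text ("device mountpoint fstype options dump pass"); "0" when the option is
# absent, which is the kernel default (every process visible to every user).
hidepid_from_mounts() {
    printf '%s\n' "$1" | awk '
        $2 == "/proc" && $3 == "proc" {
            v = "0"; n = split($4, opt, ",")
            for (i = 1; i <= n; i++)
                if (opt[i] ~ /^hidepid=/) { sub(/^hidepid=/, "", opt[i]); v = opt[i] }
            print v; exit
        }'
}

# Print the value of one key from "sysctl -a"-format text ("key = value"),
# or "missing" if the key does not appear (older kernel or filtered listing).
sysctl_from_text() {
    printf '%s\n' "$2" | awk -v k="$1" '
        $1 == k && $2 == "=" { print $3; found = 1; exit }
        END { if (!found) print "missing" }'
}

# Print the protections that are NOT enabled, one per line (empty = all on).
# $1: mounts text, $2: sysctl text.
missing_hardening() {
    [ "$(hidepid_from_mounts "$1")" != "0" ] || echo "proc-hidepid"
    [ "$(sysctl_from_text fs.protected_symlinks "$2")" = "1" ] || echo "fs.protected_symlinks"
    [ "$(sysctl_from_text fs.protected_hardlinks "$2")" = "1" ] || echo "fs.protected_hardlinks"
    [ "$(sysctl_from_text kernel.dmesg_restrict "$2")" = "1" ] || echo "kernel.dmesg_restrict"
}

# The corrected configuration. hidepid=2 hides other users' processes entirely;
# gid= exempts one group (assumed name "proc") so monitoring tools placed in it
# still see every PID. Because this is a mount option, it can be dropped for a
# host that runs containers, which is the runtime choice the reply asks for.
FSTAB_LINE='proc /proc proc nosuid,nodev,noexec,hidepid=2,gid=proc 0 0'
SYSCTL_CONF='fs.protected_symlinks = 1
fs.protected_hardlinks = 1
kernel.dmesg_restrict = 1'

# Constructed sample inputs, not captured from a real machine (gid 26 assumed).
WEAK_MOUNTS='proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0'
HARDENED_MOUNTS='proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2,gid=26 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0'
WEAK_SYSCTL='fs.protected_symlinks = 0
kernel.dmesg_restrict = 0'
HARDENED_SYSCTL="$SYSCTL_CONF"

if [ "${1:-}" = "--live" ]; then
    # Audit the current machine instead of the samples (no root needed to read).
    missing_hardening "$(cat /proc/self/mounts)" "$(sysctl -a 2>/dev/null)"
else
    echo "weak system is missing:";     missing_hardening "$WEAK_MOUNTS" "$WEAK_SYSCTL"
    echo "hardened system is missing:"; missing_hardening "$HARDENED_MOUNTS" "$HARDENED_SYSCTL"
    echo "fstab line: $FSTAB_LINE"
fi
```

Run it with no arguments to see the two sample audits, or with --live to check the running system. On the weak sample all four items are reported, and on the hardened sample none. The hidepid function only returns the option's string, so it also reports the named spellings later kernels accept (for example hidepid=invisible) rather than assuming a numeric value.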