Mailing List Archive: Gentoo: Hardened

virtualization with gentoo hardened

Index | Next | Previous | View Threaded

yiannis at tolises

Aug 8, 2009, 11:35 AM

Post #1 of 16 (2613 views)
Permalink

virtualization with gentoo hardened

Hello,

I am running hardened gentoo with the toolchain provided by the
xake-toolchain overlay. I am looking for a way to use virtualization
with my current config. I am aware of linux-vserver project which has
grsecurity integration, but as far as I remember does not play well
with rbac. Anyone that has a similar working config?

Regards

Yiannis

basile at opensource

Aug 8, 2009, 11:39 AM

Post #2 of 16 (2546 views)
Permalink

Re: virtualization with gentoo hardened [In reply to]

Attachments:

signature.asc (0.25 KB)

yiannis at tolises

Aug 8, 2009, 11:55 AM

Post #3 of 16 (2547 views)
Permalink

Re: virtualization with gentoo hardened [In reply to]

On Sat, 08 Aug 2009 14:39:54 -0400
basile <basile [at] opensource> wrote:

> Yiannis wrote:
> > Hello,
> >
> > I am running hardened gentoo with the toolchain provided by the
> > xake-toolchain overlay. I am looking for a way to use virtualization
> > with my current config. I am aware of linux-vserver project which
> > has grsecurity integration, but as far as I remember does not play
> > well with rbac. Anyone that has a similar working config?
> >
> > Regards
> >
> > Yiannis
> >
> I run both i686 and amd64 as xen guests with the xake-toolchain
> overlay and kernel hardened with grsec. Is this what you want?
>

If host's kernel is hardened then yes this is the case. Are you running
pax+grsec in both host and guest os?

michael at orlitzky

Aug 8, 2009, 12:28 PM

Post #4 of 16 (2544 views)
Permalink

Re: virtualization with gentoo hardened [In reply to]

yiannis at tolises

Aug 8, 2009, 3:01 PM

Post #5 of 16 (2541 views)
Permalink

Re: virtualization with gentoo hardened [In reply to]

On Sat, 08 Aug 2009 15:28:10 -0400
Michael Orlitzky <michael [at] orlitzky> wrote:

> Yiannis wrote:
> > Hello,
> >
> > I am running hardened gentoo with the toolchain provided by the
> > xake-toolchain overlay. I am looking for a way to use virtualization
> > with my current config. I am aware of linux-vserver project which
> > has grsecurity integration, but as far as I remember does not play
> > well with rbac. Anyone that has a similar working config?
>
> I'm using KVM here under a similar setup with few issues.
> Occasionally the modules that ship with KVM will get out of sync with
> the ones provided by the hardened kernel, but that hasn't caused me
> any trouble in a while. And you can always use the modules that ship
> with KVM.

kvm is not for me since I am running gentoo on a via vb7001 and on older
intel hardware without vt support.

basile at opensource

Aug 9, 2009, 12:25 PM

Post #6 of 16 (2540 views)
Permalink

Re: virtualization with gentoo hardened [In reply to]

On Sat, 2009-08-08 at 21:55 +0300, Yiannis wrote:
> On Sat, 08 Aug 2009 14:39:54 -0400
> basile <basile [at] opensource> wrote:
>
> > Yiannis wrote:
> > > Hello,
> > >
> > > I am running hardened gentoo with the toolchain provided by the
> > > xake-toolchain overlay. I am looking for a way to use virtualization
> > > with my current config. I am aware of linux-vserver project which
> > > has grsecurity integration, but as far as I remember does not play
> > > well with rbac. Anyone that has a similar working config?
> > >
> > > Regards
> > >
> > > Yiannis
> > >
> > I run both i686 and amd64 as xen guests with the xake-toolchain
> > overlay and kernel hardened with grsec. Is this what you want?
> >
>
> If host's kernel is hardened then yes this is the case. Are you running
> pax+grsec in both host and guest os?

No sorry, neither the kernel nor toolchain of the host are hardened.
I've never tried to harden a xen host, and I'm not sure what the issues
would be.

yiannis at tolises

Aug 9, 2009, 12:59 PM

Post #7 of 16 (2540 views)
Permalink

Re: virtualization with gentoo hardened [In reply to]

On Sun, 09 Aug 2009 15:25:01 -0400
basile <basile [at] opensource> wrote:

> On Sat, 2009-08-08 at 21:55 +0300, Yiannis wrote:
> > On Sat, 08 Aug 2009 14:39:54 -0400
> > basile <basile [at] opensource> wrote:
> >
> > > Yiannis wrote:
> > > > Hello,
> > > >
> > > > I am running hardened gentoo with the toolchain provided by the
> > > > xake-toolchain overlay. I am looking for a way to use
> > > > virtualization with my current config. I am aware of
> > > > linux-vserver project which has grsecurity integration, but as
> > > > far as I remember does not play well with rbac. Anyone that has
> > > > a similar working config?
> > > >
> > > > Regards
> > > >
> > > > Yiannis
> > > >
> > > I run both i686 and amd64 as xen guests with the xake-toolchain
> > > overlay and kernel hardened with grsec. Is this what you want?
> > >
> >
> > If host's kernel is hardened then yes this is the case. Are you
> > running pax+grsec in both host and guest os?
>
> No sorry, neither the kernel nor toolchain of the host are hardened.
> I've never tried to harden a xen host, and I'm not sure what the
> issues would be.
>
>

So, if I get it right you are using xen-sources as a
host and hardened-sources(pax+grsec) on guest. If it is the case do you
know if it is possible to run this setup on a machine without vmx?
I see that all the ebuilds from the main tree are masked. Are you using
xen-sources from the overlay?
How secure is this setup considered? I mean having
the host os(xen-souces) only for running some instances of
hardened-gentoo as guests is it the same(almost?) as running them on
seperate physical pc's?

p.labushev at gmail

Aug 9, 2009, 2:21 PM

Post #8 of 16 (2547 views)
Permalink

Re: virtualization with gentoo hardened [In reply to]

> kvm is not for me since I am running gentoo on a via vb7001 and on older
> intel hardware without vt support.

VMware Server 1.x should work on x86 host without KERNEXEC. At least
worked for me before I switched to KVM after 2.6.28.

p.labushev at gmail

Aug 9, 2009, 2:36 PM

Post #9 of 16 (2542 views)
Permalink

Re: virtualization with gentoo hardened [In reply to]

> How secure is this setup considered? I mean having
> the host os(xen-souces) only for running some instances of
> hardened-gentoo as guests is it the same(almost?) as running them on
> seperate physical pc's?

No, it's not the same and not almost the same. There were
vulnerabilities found in Xen already, and nobody can guarantee there are
no more of them.

yiannis at tolises

Aug 9, 2009, 3:58 PM

Post #10 of 16 (2546 views)
Permalink

Re: virtualization with gentoo hardened [In reply to]

On Sat, 08 Aug 2009 15:28:10 -0400
Michael Orlitzky <michael [at] orlitzky> wrote:

> Yiannis wrote:
> > Hello,
> >
> > I am running hardened gentoo with the toolchain provided by the
> > xake-toolchain overlay. I am looking for a way to use virtualization
> > with my current config. I am aware of linux-vserver project which
> > has grsecurity integration, but as far as I remember does not play
> > well with rbac. Anyone that has a similar working config?
>
> I'm using KVM here under a similar setup with few issues.
> Occasionally the modules that ship with KVM will get out of sync with
> the ones provided by the hardened kernel, but that hasn't caused me
> any trouble in a while. And you can always use the modules that ship
> with KVM.

Can you plz elaborate on your setup? Is host & guest os
both using grsec+pax? Are you using the xake-toolchain? Any
drawbacks? This seems (to me) that is the most secure solution, and
maybe I should consider upgrading my pc.

aoz.syn at gmail

Aug 9, 2009, 7:52 PM

Post #11 of 16 (2544 views)
Permalink

Re: virtualization with gentoo hardened [In reply to]

On Sun, Aug 9, 2009 at 16:58, Yiannis<yiannis [at] tolises> wrote:
> Can you plz elaborate on your setup? Is host & guest os
> both using grsec+pax? Are you using the xake-toolchain? Any
> drawbacks? This seems (to me) that is the most secure solution, and
> maybe I should consider upgrading my pc.

I use this setup too, and there isn't much to elaborate on -
xake-toolchain, host is running grsec+pax, and I'm running various
guests (hardened thru OS X). Having recently gone from a P-III setup
to a Phenom myself, it's completely worth it. I've had a few
inexplicable guest crashes, but that's more probably due to running on
the bleeding edge than anything.

michael at orlitzky

Aug 9, 2009, 10:34 PM

Post #12 of 16 (2535 views)
Permalink

Re: virtualization with gentoo hardened [In reply to]

Yiannis wrote:
> On Sat, 08 Aug 2009 15:28:10 -0400
> Michael Orlitzky <michael [at] orlitzky> wrote:
>
>> Yiannis wrote:
>>> Hello,
>>>
>>> I am running hardened gentoo with the toolchain provided by the
>>> xake-toolchain overlay. I am looking for a way to use virtualization
>>> with my current config. I am aware of linux-vserver project which
>>> has grsecurity integration, but as far as I remember does not play
>>> well with rbac. Anyone that has a similar working config?
>> I'm using KVM here under a similar setup with few issues.
>> Occasionally the modules that ship with KVM will get out of sync with
>> the ones provided by the hardened kernel, but that hasn't caused me
>> any trouble in a while. And you can always use the modules that ship
>> with KVM.
>
> Can you plz elaborate on your setup? Is host & guest os
> both using grsec+pax? Are you using the xake-toolchain? Any
> drawbacks? This seems (to me) that is the most secure solution, and
> maybe I should consider upgrading my pc.
>

My hosts (mostly development machines, and a couple of servers) are all
using grsec/PAX. The guests vary, but I do keep several hardened server
images around for testing purposes which seem to work just as well as if
they were running on bare metal.

The development machines all use the Xake toolchain, although I've never
tried it in a guest. I don't imagine it would make much difference.

The management tools for KVM are fairly spartan -- I suppose that could
be either a pro or a con. Personally, I just need to be able to create
images, snapshot them, and run them. KVM does that well, and doesn't
require me to jump through hoops to do it (e.g. running a web server for
the user interface).

lists at wildgooses

Aug 11, 2009, 8:55 AM

Post #13 of 16 (2535 views)
Permalink

Re: virtualization with gentoo hardened [In reply to]

Yiannis wrote:
> Hello,
>
> I am running hardened gentoo with the toolchain provided by the
> xake-toolchain overlay. I am looking for a way to use virtualization
> with my current config. I am aware of linux-vserver project which has
> grsecurity integration, but as far as I remember does not play well
> with rbac. Anyone that has a similar working config?
>

I use hardened host (2.6.29) with vserver. Under this I run hardened
guests. All of these are old style hardened (gcc 3.4.6, not the new
gcc4 stuff. (As an aside, even uclibc+patches now seems to work ok on
gcc4.4.1 + hardened, so I think it's about time we had a push to try and
get the hardened profile to shuffle along a bit...)

I am not currently using the RBAC features of grsec, but I don't
immediately see a reason why they wouldn't work.... I guess it's
possible they would need to be implemented in the host rather than the
guest (which would feel a bit wierd), but it should still work I guess...

All other hardenings seem to work as advertised and generally speaking
vserver is a nice lightweight, pseudo virtualisation which is often good
enough for your needs... It's really just a slightly more fancy chroot
system with some scripts around it and some additional hardening (and
all the associated limitations). Xen, etc are the way you want to go if
you need full isolation. However, vserver allows you to more neatly
overcommit machine resources and has a number of other advantages

Good luck

Ed W

yiannis at tolises

Aug 11, 2009, 9:50 AM

Post #14 of 16 (2542 views)
Permalink

Re: virtualization with gentoo hardened [In reply to]

On Tue, 11 Aug 2009 16:55:18 +0100
Ed W <lists [at] wildgooses> wrote:

> Yiannis wrote:
> > Hello,
> >
> > I am running hardened gentoo with the toolchain provided by the
> > xake-toolchain overlay. I am looking for a way to use virtualization
> > with my current config. I am aware of linux-vserver project which
> > has grsecurity integration, but as far as I remember does not play
> > well with rbac. Anyone that has a similar working config?
> >
>
> I use hardened host (2.6.29) with vserver. Under this I run hardened
> guests. All of these are old style hardened (gcc 3.4.6, not the new
> gcc4 stuff. (As an aside, even uclibc+patches now seems to work ok on
> gcc4.4.1 + hardened, so I think it's about time we had a push to try
> and get the hardened profile to shuffle along a bit...)
>
> I am not currently using the RBAC features of grsec, but I don't
> immediately see a reason why they wouldn't work.... I guess it's
> possible they would need to be implemented in the host rather than
> the guest (which would feel a bit wierd), but it should still work I
> guess...
>
> All other hardenings seem to work as advertised and generally
> speaking vserver is a nice lightweight, pseudo virtualisation which
> is often good enough for your needs... It's really just a slightly
> more fancy chroot system with some scripts around it and some
> additional hardening (and all the associated limitations). Xen, etc
> are the way you want to go if you need full isolation. However,
> vserver allows you to more neatly overcommit machine resources and
> has a number of other advantages
>
> Good luck
>
> Ed W

Hello Ed,

I used to have a box with the same setup as yours. As far as I remember
I had some difficulties on applying policies on guests from host. I
think I have seen an old patch on linux-vserver.org site for gradm
providing this functionality but it was posted some years ago.
It was abandoned and at a primitive state so I didn't bother trying it.
The past two days I have been trying out lguest(with no luck yet) as an
alternative to kvm, since my pc's are not vt-x capable. The reason that
I prefer lguest(if it finally works) and kvm is that they are both in
mainline kernel, let alone the full isolation that you mentioned. While
googling a bit I read an article on ibm's site about linux containers
(LXC) which is supposed to finally land on the kernel. I think that this
might be worth trying as opposed to linux-vserver.

p.labushev at gmail

Aug 11, 2009, 2:30 PM

Post #15 of 16 (2529 views)
Permalink

Re: virtualization with gentoo hardened [In reply to]

Yiannis пишет:

> (LXC) which is supposed to finally land on the kernel. I think that this
> might be worth trying as opposed to linux-vserver.

Unfortunately, Grsecurity's RBAC does not support per-cgroup role
assignment, the roles are all system-wide. So don't expect much from
RBAC with LXC.

lists at wildgooses

Aug 13, 2009, 3:58 AM

Post #16 of 16 (2531 views)
Permalink

Re: virtualization with gentoo hardened [In reply to]

Yiannis wrote:
> While
> googling a bit I read an article on ibm's site about linux containers
> (LXC) which is supposed to finally land on the kernel. I think that this
> might be worth trying as opposed to linux-vserver.
>
>

I don't really know all the in's and out's of this argument, but I would
desire to have vserver push to integrate stuff upstream, but the main
developer seems happy with the status quo and has had many knock backs
previously. As you point out, independently a bunch of people seem to
be implementing substantially the same functionality, but without the
prior history... Shame we can't avoid the duplication of work here...

(One quite interesting patch included in the vserver kernel is a COW
implementation of hardlink breaking. This is interesting for a class of
problems such as rsync style backups, or obviously for any kind of
duplicated shared pools of files. I would have thought this was an
interesting feature to push upstream on it's own, but just to bring it
to your attention in case it's useful for something else?)

Anyway, vserver is also a fairly developed wrapper around the
containers, so hopefully any new stuff will absorbed into that project
and gradually it's patch will become smaller, but it really is a
terrific solution to a whole class of problems

Good luck

Ed W

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads