Mailing List Archive: Gentoo: Hardened

Profile switch: convert to hardened

 

 



tom at whyscream

Oct 4, 2010, 7:50 AM

Post #1 of 7 (1228 views)
Profile switch: convert to hardened

Hi,

Last week, I ordered a Xen-based VPS with some commercial party with a
gentoo image. The image is (of course) created with the default profile
for amd64 (default/linux/amd64/10.0).

I want to convert the host to hardened (hardened/linux/amd64/10.0
profile), but in the process I noticed all kinds of strange sandbox
errors, and eventually, portage seemed broken beyond repair.
Unfortunately I forgot to c/p the output to somewhere more persistent
than my brain. Among the changes triggered by the profile change, I
noticed a gcc downgrade (sys-devel/gcc-4.4.3-r2 -> sys-devel/gcc-4.3.4),
but I'm not sure where the problems really started.

I started from scratch now (new image), have updated USE flags to my
liking, and am running 'emerge -uDavN world' now, without changing the
profile.

This means that I will have only the changes triggered by the profile
change later on. Are there particular issues that I need to take care
of? And how to deal with the gcc change? I remember that there was some
kind of 'vanilla to hardened' guide, but google is failing me (I did
find some forum threads)...

--
Regards,
Tom
Attachments: signature.asc (0.26 KB)


kutulu at kutulu

Oct 5, 2010, 7:25 AM

Post #2 of 7 (1204 views)
Re: Profile switch: convert to hardened [In reply to]

On 10/4/2010 10:50 AM, Tom Hendrikx wrote:

> This means that I will have only the changes triggered by the profile
> change later on. Are there particular issues that I need to take care
> of? And how to deal with the gcc change? I remember that there was some
> kind of 'vanilla to hardened' guide, but google is failing me (I did
> find some forum threads)...

The closest thing to an "official" guide is the PaX quickstart:

http://www.gentoo.org/proj/en/hardened/pax-quickstart.xml

but the basic idea is just to do this:

# eselect profile set <whatever>
# emerge -1av binutils gcc glibc
# emerge -e world

and then build and install a PaX kernel. (The options have shifted
around some since the guide was written, but you should be able to find
them easily enough.)

As for the gcc downgrade, that shouldn't be happening. I'm using the
normal hardened profile:

hardened/linux/amd64/10.0

and it's giving me gcc-4.4.4-r2 and glibc-2.12.1-r1. Make sure you have
the right profile selected and that they're up to date. (hardened gcc
used to lag behind stock gcc but I thought that was all done with now.)

--Mike


tom at whyscream

Oct 5, 2010, 8:12 AM

Post #3 of 7 (1206 views)
Re: Profile switch: convert to hardened [In reply to]

On 05/10/10 16:25, Mike Edenfield wrote:
> On 10/4/2010 10:50 AM, Tom Hendrikx wrote:
>
>> This means that I will have only the changes triggered by the profile
>> change later on. Are there particular issues that I need to take care
>> of? And how to deal with the gcc change? I remember that there was some
>> kind of 'vanilla to hardened' guide, but google is failing me (I did
>> find some forum threads)...
>
> The closest thing to an "official" guide is the PaX quickstart:
>
> http://www.gentoo.org/proj/en/hardened/pax-quickstart.xml

This does not document anything regarding how to convert a vanilla
install to hardened.

>
> but the basic idea is just to do this:
>
> # eselect profile set <whatever>
> # emerge -1av binutils gcc glibc
> # emerge -e world

In the end, I did:

emerge --sync
nano /etc/make.conf # edit USE flags
emerge -uDN world
emerge --depclean
revdep-rebuild
eselect profile set hardened/linux/amd64/10.0
# from here on, I mostly followed gcc upgrade guide
emerge -1 gcc # goes in new slot
gcc-config x86_64-pc-linux-gnu-4.3.4
emerge -1 libtool
emerge -eav system
emerge -eav world
emerge -Cav <old gcc>

This was successful.

During the install, it dawned on me that portage wants to remove the
oldest (i.e. lowest version number) of gcc when more than 1 slot is
available. Because the profile change triggered a gcc downgrade, I
removed the hardened gcc that I had freshly built (the one with the
lower version) instead of the vanilla gcc, without switching the system
gcc. Because of other changes, gcc-config was also broken. After that,
disaster came upon me ;)

Lessons learned: double check versions when removing something.

> As for the gcc downgrade, that shouldn't be happening. I'm using the
> normal hardened profile:
>
> hardened/linux/amd64/10.0
>
> and it's giving me gcc-4.4.4-r2 and glibc-2.12.1-r1. Make sure you have
> the right profile selected and that they're up to date. (hardened gcc
> used to lag behind stock gcc but I thought that was all done with now.)

Just synced, and tested, but both of these packages are arch masked in
the hardened amd64 profile, and actually both of them are arch masked
according to packages.gentoo.org. You're running ~arch.

Stable amd64 has gcc-4.4.3-r2, but this version is masked in
/usr/portage/profiles/hardened/package.mask. This triggers the
downgrade, but as said, that should not be destructive when you are careful.

Anyway, thanks for the heads up :)

--
Regards,
Tom
Attachments: signature.asc (0.26 KB)
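A check for the "double check versions when removing something" lesson above, as an added example that is not part of the thread. It parses the output of `gcc-config -l` (a constructed sample is embedded; the line format, the profile names and the helper names are assumptions for this example) and refuses to bless a removal candidate that is either the compiler gcc-config currently marks active or not installed at all. The point is that after a profile-triggered downgrade the slot to drop is not the lowest version number, so the decision has to come from the active marker, not from sorting.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a gcc slot before it is
# handed to `emerge -C`, so the freshly built (lower-versioned) hardened gcc
# is not removed by mistake.

# Constructed sample of `gcc-config -l` output. On a live box replace this
# with:  GCC_LIST="$(gcc-config -l)"
# The "*" marks the profile gcc-config currently has selected.
GCC_LIST=' [1] x86_64-pc-linux-gnu-4.3.4 *
 [2] x86_64-pc-linux-gnu-4.4.3-r2'

# Print the profile gcc-config marks active (the line whose last field is "*").
active_gcc() {
    printf '%s\n' "$GCC_LIST" | awk '$NF == "*" { print $2 }'
}

# Print every installed profile that is NOT active: these are the only
# candidates it is safe to remove.
removable_gcc() {
    printf '%s\n' "$GCC_LIST" | awk '$NF != "*" { print $2 }'
}

# Decide whether profile $1 (e.g. x86_64-pc-linux-gnu-4.4.3-r2) may be removed.
# Returns 0 if it is installed and inactive, 1 if it is the active compiler,
# 2 if it is not an installed profile at all.
check_gcc_removal() {
    want="$1"
    if [ "$(active_gcc)" = "$want" ]; then
        echo "REFUSE: $want is the active gcc; switch with gcc-config first" >&2
        return 1
    fi
    for p in $(removable_gcc); do
        if [ "$p" = "$want" ]; then
            echo "OK: $want is installed and not active"
            return 0
        fi
    done
    echo "REFUSE: $want is not an installed gcc profile" >&2
    return 2
}

# Usage: sh gcc-check.sh <profile-name>
if [ $# -gt 0 ]; then
    check_gcc_removal "$1"
fi
```

With the sample list, the active (hardened, lower-versioned) 4.3.4 slot is refused and only the inactive 4.4.3-r2 slot is reported as removable, which is exactly the opposite of what "remove the lowest version" would have done.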


basile at opensource

Oct 5, 2010, 4:43 PM

Post #4 of 7 (1204 views)
Re: Profile switch: convert to hardened [In reply to]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/05/2010 10:25 AM, Mike Edenfield wrote:
> and then build and install a PaX kernel.

Be careful when installing a hardened kernel for a guest under xen. If
your guest is fully virtualized, you shouldn't have any problems. I've
run full virt guests under xen for years now with all important
GRSEC/PaX options, including KERNEXEC and UDEREF.

If it's a paravirt guest, then I recommend reading

http://forums.gentoo.org/viewtopic-p-6388313.html

That discussion leads to the conclusion that KERNEXEC causes the guest
to be unbootable. However, I am also suspicious of UDEREF.

If anyone can test all four possibilities for me, KERNEXEC=y/n and
UDEREF=y/n, for a *paravirt* guest and tell me how it goes, I would
appreciate it.


- --
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkyruB4ACgkQl5yvQNBFVTVx9wCfea+x0bTPZqjjx3rV2SomLRvO
CbwAn3WMi5ztHnekb6yvrwPo2e0K0b+7
=ia66
-----END PGP SIGNATURE-----


tom at whyscream

Oct 11, 2010, 10:20 AM

Post #5 of 7 (1193 views)
Re: Profile switch: convert to hardened [In reply to]

On 06/10/10 01:43, Anthony G. Basile wrote:
> On 10/05/2010 10:25 AM, Mike Edenfield wrote:
>> and then build and install a PaX kernel.
>
> Be careful when installing a hardened kernel for a guest under xen. If
> your guest is fully virtualized, you shouldn't have any problems. I've
> run full virt guests under xen for years now with all important
> GRSEC/PaX options, including KERNEXEC and UDEREF.
>
> If it's a paravirt guest, then I recommend reading
>
> http://forums.gentoo.org/viewtopic-p-6388313.html
>
> That discussion leads to the conclusion that KERNEXEC causes the guest
> to be unbootable. However, I am also suspicious of UDEREF.
>
> If anyone can test all four possibilities for me, KERNEXEC=y/n and
> UDEREF=y/n, for a *paravirt* guest and tell me how it goes, I would
> appreciate it.
>

I updated the kernel in said xen guest over the weekend, and tested some
of this.

- hardened kernel without grsec/pax works as expected

- hardened kernel with grsec profile
CONFIG_GRKERNSEC_HARDENED_SERVER_NO_RBAC=y enables
CONFIG_PAX_KERNEXEC=y, this kernel does not boot

- hardened kernel with grsec profile
CONFIG_GRKERNSEC_HARDENED_SERVER_NO_RBAC=y, then switched to
CONFIG_GRKERNSEC_CUSTOM=y removes CONFIG_PAX_KERNEXEC automatically.
This kernel boots and runs fine. No real load tested so far, so there is
not much to say about performance but it does not feel any slower.

None of the above changes enabled UDEREF, so this was not tested,
nor can I find it in 'make menuconfig'. This may be due to the fact that
this is an x86_64 host.

--
Regards,
Tom
Attachments: signature.asc (0.26 KB)


basile at opensource

Oct 11, 2010, 1:06 PM

Post #6 of 7 (1188 views)
Re: Profile switch: convert to hardened [In reply to]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/11/2010 01:20 PM, Tom Hendrikx wrote:
> On 06/10/10 01:43, Anthony G. Basile wrote:
>> On 10/05/2010 10:25 AM, Mike Edenfield wrote:
>>> and then build and install a PaX kernel.
>>
>> Be careful when installing a hardened kernel for a guest under xen. If
>> your guest is fully virtualized, you shouldn't have any problems. I've
>> run full virt guests under xen for years now with all important
>> GRSEC/PaX options, including KERNEXEC and UDEREF.
>>
>> If it's a paravirt guest, then I recommend reading
>>
>> http://forums.gentoo.org/viewtopic-p-6388313.html
>>
>> That discussion leads to the conclusion that KERNEXEC causes the guest
>> to be unbootable. However, I am also suspicious of UDEREF.
>>
>> If anyone can test all four possibilities for me, KERNEXEC=y/n and
>> UDEREF=y/n, for a *paravirt* guest and tell me how it goes, I would
>> appreciate it.
>>
>
> I updated the kernel in said xen guest over the weekend, and tested some
> of this.
>
> - hardened kernel without grsec/pax works as expected
>
> - hardened kernel with grsec profile
> CONFIG_GRKERNSEC_HARDENED_SERVER_NO_RBAC=y enables
> CONFIG_PAX_KERNEXEC=y, this kernel does not boot
>
> - hardened kernel with grsec profile
> CONFIG_GRKERNSEC_HARDENED_SERVER_NO_RBAC=y, then switched to
> CONFIG_GRKERNSEC_CUSTOM=y removes CONFIG_PAX_KERNEXEC automatically.
> This kernel boots and runs fine. No real load tested so far, so there is
> not much to say about performance but it does not feel any slower.
>
> None of the above changes enabled UDEREF, so this was not tested,
> nor can I find it in 'make menuconfig'. This may be due to the fact that
> this is an x86_64 host.
>

Thank you very much for the testing!

The other option is CONFIG_PAX_MEMORY_UDEREF. In menuconfig just hit /
and then type UDEREF and it will show you how to navigate there. If you
can test

CONFIG_PAX_KERNEXEC=n
CONFIG_PAX_MEMORY_UDEREF=y

then we would have a complete picture of what works as a paravirt guest
under xen.

- --
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkyzbjYACgkQl5yvQNBFVTVUiQCfQ9fOzECAkpjsjya2ES4+79BO
tpIAnjKW/BlscLxdomZSbdeWfunMcXFe
=eNVE
-----END PGP SIGNATURE-----
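An added example, not from the thread, covering the test matrix from posts #5 and #6: a POSIX sh script that reads a kernel `.config`, reports which KERNEXEC/UDEREF combination it represents, and maps that onto what the thread reports for a Xen paravirt guest (KERNEXEC=y does not boot; KERNEXEC=n with UDEREF=n boots; KERNEXEC=n with UDEREF=y is still untested). Running it against `/usr/src/linux/.config` before rebooting a DomU tells you which of the four cases you are about to try. The two `.config` fragments are constructed, and the function names are invented for this example; the option names are the ones from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): classify a hardened kernel .config by
# its CONFIG_PAX_KERNEXEC / CONFIG_PAX_MEMORY_UDEREF state before booting it
# as a Xen paravirt guest.

# Constructed .config fragments, only the relevant lines. On a real box run
# the functions against /usr/src/linux/.config instead.
CFG_PV_BAD='CONFIG_GRKERNSEC=y
CONFIG_GRKERNSEC_HARDENED_SERVER_NO_RBAC=y
CONFIG_PAX_KERNEXEC=y
# CONFIG_PAX_MEMORY_UDEREF is not set'
CFG_PV_OK='CONFIG_GRKERNSEC=y
CONFIG_GRKERNSEC_CUSTOM=y
# CONFIG_PAX_KERNEXEC is not set
# CONFIG_PAX_MEMORY_UDEREF is not set'

CFG_BAD=$(mktemp); printf '%s\n' "$CFG_PV_BAD" > "$CFG_BAD"
CFG_OK=$(mktemp);  printf '%s\n' "$CFG_PV_OK"  > "$CFG_OK"

# Print the state of option $2 in .config file $1: the value after "=" when
# set (y or m), otherwise "n" (covers both "# X is not set" and a missing line).
config_state() {
    file="$1"; opt="$2"
    val=$(sed -n "s/^${opt}=\(.*\)$/\1/p" "$file")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf 'n\n'; fi
}

# Print "KERNEXEC=<y|n> UDEREF=<y|n>" for the .config at $1.
pax_combo() {
    printf 'KERNEXEC=%s UDEREF=%s\n' \
        "$(config_state "$1" CONFIG_PAX_KERNEXEC)" \
        "$(config_state "$1" CONFIG_PAX_MEMORY_UDEREF)"
}

# Verdict for a *paravirt* Xen guest, using only what the thread reports.
# Returns 0 for the known-good combination, 1 for known-bad, 2 for untested.
paravirt_verdict() {
    combo=$(pax_combo "$1")
    case "$combo" in
        KERNEXEC=y*)
            echo "KNOWN-BAD ($combo): KERNEXEC=y does not boot as a paravirt guest"
            return 1 ;;
        "KERNEXEC=n UDEREF=n")
            echo "KNOWN-GOOD ($combo): boots as a paravirt guest"
            return 0 ;;
        *)
            echo "UNTESTED ($combo): no report for this combination yet"
            return 2 ;;
    esac
}

# Usage: sh pax-check.sh /usr/src/linux/.config
if [ $# -gt 0 ]; then
    paravirt_verdict "$1"
fi
```

Selecting CONFIG_GRKERNSEC_HARDENED_SERVER_NO_RBAC=y pulls KERNEXEC in, which is why the first fragment is flagged; the second mirrors the CONFIG_GRKERNSEC_CUSTOM=y kernel that booted. Anything that comes back UNTESTED is the KERNEXEC=n, UDEREF=y case still being asked for.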


lists at anderedomain

Oct 12, 2010, 7:21 AM

Post #7 of 7 (1177 views)
Re: Profile switch: convert to hardened [In reply to]

On Tue, 05 Oct 2010 19:43:26 -0400
"Anthony G. Basile" <basile [at] opensource> wrote:

> If anyone can test all four possibilities for me, KERNEXEC=y/n and
> UDEREF=y/n, for a *paravirt* guest and tell me how it goes, I would
> appreciate it.

I also started to test this on a CentOS 5 Dom0, Gentoo DomU. I must
have triggered some strange bug, because the kernel with KERNEXEC and
UDEREF disabled booted, but rebooting the machine or compiling a kernel
triggered a reboot of the host. I cannot do further tests at the moment
since there are some important VMs on the host.

Philipp
