Mailing List Archive: Gentoo: Hardened

Testing needed

 

 



blueness at gentoo

Dec 8, 2010, 8:37 PM

Post #1 of 14 (969 views)
Testing needed

Hi everyone,

I need to fast track stabilize hardened-sources-2.6.32-r30 and
hardened-sources-2.6.36-r5 because of a local root exploit on all
earlier kernels. The ebuilds just hit the tree.

Can I get feedback on how those kernels fare on x86 and amd64 arches? I
don't want to introduce new bugs that can be avoided. I hope to mark
them stable in about one week.

Thanks.

--
Anthony G. Basile, Ph.D.
Gentoo Developer


dev-random at mail

Dec 8, 2010, 10:57 PM

Post #2 of 14 (956 views)
Re: Testing needed

o_O I don't see grsecurity there! Am I blind?

.config - Linux Kernel v2.6.36-hardened-r5 Configuration
──────────────────────────────────────────────────────────────────────────────
┌─────────────────────────── Security options ────────────────────────────┐
│ Arrow keys navigate the menu. <Enter> selects submenus --->. │
│ Highlighted letters are hotkeys. Pressing <Y> includes, <N> excludes, │
│ <M> modularizes features. Press <Esc><Esc> to exit, <?> for Help, </> │
│ for Search. Legend: [*] built-in [ ] excluded <M> module < > │
│ ┌─────────────────────────────────────────────────────────────────────┐ │
│ │ -*- Enable access key retention support │ │
│ │ [*] Enable the /proc/keys file by which keys may be viewed │ │
│ │ [*] Enable different security models │ │
│ │ [ ] Enable the securityfs filesystem │ │
│ │ [*] Socket and Networking Security Hooks │ │
│ │ [ ] XFRM (IPSec) Networking Security Hooks │ │
│ │ [ ] Security hooks for pathname based access control │ │
│ │ [ ] Enable Intel(R) Trusted Execution Technology (Intel(R) TXT) │ │
│ │ [ ] NSA SELinux Support │ │
│ │ [ ] Simplified Mandatory Access Control Kernel Support │ │
│ │ [ ] TOMOYO Linux Support │ │
│ │ [ ] AppArmor support (NEW) │ │
│ │ [ ] Integrity Measurement Architecture(IMA) │ │
│ │ Default security module (Unix Discretionary Access Controls) │ │
│ │ │ │
│ │ │ │
│ │ │ │
│ └─────────────────────────────────────────────────────────────────────┘ │
├─────────────────────────────────────────────────────────────────────────┤
│ <Select> < Exit > < Help > │
└─────────────────────────────────────────────────────────────────────────┘


On Wed, Dec 08, 2010 at 11:37:28PM -0500, Anthony G. Basile wrote:
> Hi everyone,
>
> I need to fast track stabilize hardened-sources-2.6.32-r30 and
> hardened-sources-2.6.36-r5 because of a local root exploit on all
> earlier kernels. The ebuilds just hit the tree.
>
> Can I get feedback on how those kernels fare on x86 and amd64 arches? I
> don't want to introduce new bugs that can be avoided. I hope to mark
> them stable in about one week.
>
> Thanks.
>
> --
> Anthony G. Basile, Ph.D.
> Gentoo Developer


dev-random at mail

Dec 8, 2010, 11:03 PM

Post #3 of 14 (947 views)
Re: Testing needed

Upd: all the hardened stuff seems to be commented out in the ebuild!


franxisco1988 at gmail

Dec 9, 2010, 12:18 AM

Post #4 of 14 (943 views)
Re: Testing needed

On 09/12/10 08:03, dev-random [at] mail wrote:
> Upd: all the hardened stuff seems to be commented out in the ebuild!
>
>
Same here, I'll try to post a new ebuild so we can do the trial with
proper instructions on how to run it :D


tom at whyscream

Dec 9, 2010, 12:33 AM

Post #5 of 14 (959 views)
Re: Testing needed

On 09/12/10 07:57, dev-random [at] mail wrote:
>
> o_O I don't see grsecurity there! Am I blind?
>

Hi,

Confirmed for both kernel versions (on both arches).

--
Regards,
Tom


franxisco1988 at gmail

Dec 9, 2010, 12:36 AM

Post #6 of 14 (950 views)
Re: Testing needed

On 09/12/10 09:33, Tom Hendrikx wrote:
> On 09/12/10 07:57, dev-random [at] mail wrote:
>> o_O I don't see grsecurity there! Am I blind?
>>
> Hi,
>
> Confirmed for both kernel versions (on both arches).
>
2.6.32 too? OMFG!

OK, I opened bug #348238 to track the issue and will have working ebuilds
for 2.6.36 in half an hour tops; 2.6.32 will take a bit more time.


franxisco1988 at gmail

Dec 9, 2010, 1:19 AM

Post #7 of 14 (945 views)
Re: Testing needed

OK, here is a small overlay to fix the trouble; at least for me it added
grsec and compiled, though I couldn't try booting yet. It also blocks the
bad kernels :D

Please remove it when bug 348238 is fixed. I'll post a note in this thread
anyway.

To make it run:
Extract it anywhere; I use /usr/local/portage/local-portage/:
mkdir -p /usr/local/portage/local-portage/
tar -xvzf fix_kernels.tgz -C /usr/local/portage/local-portage/

Add to your /etc/make.conf:
PORTDIR_OVERLAY="/usr/local/portage/local-portage/"

PS: I know I may not be following all the ebuild guidelines in the
overlay; sorry about that, QA, I'm still learning and this is urgent.
Attachments: fix_kernels.tgz (19.7 KB)


blueness at gentoo

Dec 9, 2010, 3:15 AM

Post #8 of 14 (952 views)
Re: Testing needed

On 12/09/2010 02:03 AM, dev-random [at] mail wrote:
>
> Upd: all the hardened stuff seems to be commented out in the ebuild!
>

I just fixed it in the tree. Please resync in a few hours and test again.

--
Anthony G. Basile, Ph.D.
Gentoo Developer


powerman at powerman

Dec 9, 2010, 6:27 AM

Post #9 of 14 (955 views)
Re: Testing needed

Hi!

On Wed, Dec 08, 2010 at 11:37:28PM -0500, Anthony G. Basile wrote:
> I need to fast track stabilize hardened-sources-2.6.32-r30 and
> hardened-sources-2.6.36-r5 because of a local root exploit on all
> earlier kernels. The ebuilds just hit the tree.

While trying to build hardened-sources-2.6.36-r5 I noticed it breaks
compatibility with:
app-emulation/virtualbox-modules-3.1.8
app-emulation/vmware-modules-235
x11-drivers/nvidia-drivers-195.36.31

All fail with similar errors related to the 'ioctl' field, like this one:
vmmon-only/linux/driver.c:422: error:
‘struct file_operations’ does not contain element ‘ioctl’

So, probably some other versions of these packages have to be stabilized
together with the .36 kernel. Keep in mind there is no stable .36 in
vanilla-sources or gentoo-sources yet…

--
WBR, Alex.


franxisco1988 at gmail

Dec 9, 2010, 7:53 AM

Post #10 of 14 (941 views)
Re: Testing needed

On 09/12/10 05:37, Anthony G. Basile wrote:
> Hi everyone,
>
> I need to fast track stabilize hardened-sources-2.6.32-r30 and
> hardened-sources-2.6.36-r5 because of a local root exploit on all
> earlier kernels. The ebuilds just hit the tree.
>
> Can I get feedback on how those kernels fare on x86 and amd64 arches? I
> don't want to introduce new bugs that can be avoided. I hope to mark
> them stable in about one week.
>
> Thanks
Well, for the record, bug #348238 has been closed and the changes
corrected and propagated; all those of you using the micro overlay to
solve the problem should delete it and fall back to the 2.6.36-r5 and
2.6.32-r30 kernels (after checking they apply the grsec patches).

Thanks for your understanding.
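The check the post above asks for ("after checking they apply the grsec patches") can be automated against the kernel's .config or /proc/config.gz. The following is an added example, not code from the thread or from Gentoo; it distinguishes a grsec symbol that is absent altogether (the patch was never applied, as in this thread) from one that is merely switched off. The symbol set in REQUIRED is my assumption about what a minimally sane hardened kernel should enable.

```python
import re

# Symbols a grsecurity/PaX-patched kernel offers (assumed minimum set). If they
# are absent from the config altogether, the patch was never applied, which is
# a different failure from an option having been switched off deliberately.
REQUIRED = ("CONFIG_GRKERNSEC", "CONFIG_PAX", "CONFIG_PAX_NOEXEC", "CONFIG_PAX_ASLR")

# Kconfig lines are either "CONFIG_X=value" or "# CONFIG_X is not set".
_LINE = re.compile(r"^(?:(CONFIG_\w+)=(.+)|# (CONFIG_\w+) is not set)$")

def parse_kconfig(text):
    """Map CONFIG_* symbols to their value ('y', 'm', a string) or None if not set."""
    symbols = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue  # header comments and blank lines
        if m.group(1):
            symbols[m.group(1)] = m.group(2)
        else:
            symbols[m.group(3)] = None
    return symbols

def check_hardened(symbols):
    """'missing' = symbol absent (patch not applied); 'off' = present but not set;
    otherwise the configured value."""
    status = {}
    for sym in REQUIRED:
        if sym not in symbols:
            status[sym] = "missing"
        elif symbols[sym] is None:
            status[sym] = "off"
        else:
            status[sym] = symbols[sym]
    return status

def is_grsec_kernel(symbols):
    return all(v not in ("missing", "off") for v in check_hardened(symbols).values())

# Constructed samples: a config like the menuconfig shown earlier in this thread
# (no grsec symbols at all) and one where the patch applied but ASLR was left off.
SAMPLE_VANILLA = """\
CONFIG_SECURITY=y
# CONFIG_SECURITY_SELINUX is not set
CONFIG_DEFAULT_SECURITY_DAC=y
"""
SAMPLE_GRSEC = SAMPLE_VANILLA + (
    "CONFIG_GRKERNSEC=y\nCONFIG_PAX=y\nCONFIG_PAX_NOEXEC=y\n# CONFIG_PAX_ASLR is not set\n"
)
```

On a running kernel built with CONFIG_IKCONFIG_PROC, feed `gzip.open("/proc/config.gz", "rt").read()` to `parse_kconfig`; otherwise use the /usr/src/linux/.config the kernel was built from.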


franxisco1988 at gmail

Dec 9, 2010, 9:46 AM

Post #11 of 14 (937 views)
Re: Testing needed

On 09/12/10 05:37, Anthony G. Basile wrote:
> Can I get feedback on how those kernels fare on x86 and amd64 arches? I
> don't want to introduce new bugs that can be avoided. I hope to mark
> them stable in about one week.

Both 2.6.32-r30 and 2.6.36-r5 compile, boot and seem to run on my AMD64.


I'll keep testing 2.6.36-r5 and report if issues appear :D

PS: Again, no more stressful mornings please :P


powerman at powerman

Dec 9, 2010, 12:20 PM

Post #12 of 14 (938 views)
Re: Testing needed

Hi!

I've successfully compiled and booted 2.6.36-hardened-r5 on x86 with this
in /etc/portage/package.keywords:
=app-emulation/vmware-modules-238.3
=app-emulation/vmware-workstation-7.1.3.324285
=x11-libs/libview-0.6.6
=x11-drivers/nvidia-drivers-260.19.26
=media-video/nvidia-settings-256.52

Everything works fine, but I noticed new errors (probably harmless) in the
kernel log on each VMware guest OS start:

2010-12-09_20:06:42.20788 kern.alert: grsec: Illegal instruction occurred at 08151ab6 in /opt/vmware/lib/vmware/bin/vmware-vmx[vmware-vmx:8858] uid/euid:1000/1000 gid/egid:100/100, parent /sbin/runit[runit:1] uid/euid:0/0 gid/egid:0/0
2010-12-09_20:06:42.20792 kern.alert: grsec: Segmentation fault occurred at (nil) in /opt/vmware/lib/vmware/bin/vmware-vmx[vmware-vmx:8858] uid/euid:1000/1000 gid/egid:100/100, parent /sbin/runit[runit:1] uid/euid:0/0 gid/egid:0/0
2010-12-09_20:06:42.20793 kern.debug: /dev/vmmon[8858]: PTSC: initialized at 2400008000 Hz using TSC

--
WBR, Alex.
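The two kern.alert lines in the post above are grsecurity's fault logging, and on a hardened box they are worth parsing into fields (event, fault address, binary, pid, credentials, parent) rather than eyeballing, so repeated faults in one binary or a uid/euid mismatch on a crashing setuid program stand out. This is an added example of mine, not code from the thread; the sample lines are constructed to mirror the format the post quotes (supervisor timestamp, then the kernel message).

```python
import re
from collections import Counter

# Constructed sample in the format quoted in the post: a timestamp, the syslog
# facility/level, then the grsec message; the third line is unrelated kern.debug.
SAMPLE_LOG = """\
2010-12-09_20:06:42.20788 kern.alert: grsec: Illegal instruction occurred at 08151ab6 in /opt/vmware/lib/vmware/bin/vmware-vmx[vmware-vmx:8858] uid/euid:1000/1000 gid/egid:100/100, parent /sbin/runit[runit:1] uid/euid:0/0 gid/egid:0/0
2010-12-09_20:06:42.20792 kern.alert: grsec: Segmentation fault occurred at (nil) in /opt/vmware/lib/vmware/bin/vmware-vmx[vmware-vmx:8858] uid/euid:1000/1000 gid/egid:100/100, parent /sbin/runit[runit:1] uid/euid:0/0 gid/egid:0/0
2010-12-09_20:06:42.20793 kern.debug: /dev/vmmon[8858]: PTSC: initialized at 2400008000 Hz using TSC
"""

# One "path[comm:pid] uid/euid:U/E gid/egid:G/E" group; {p} prefixes the names
# so the same pattern serves the faulting process and its parent.
_SUBJ = (r"(?P<{p}path>\S+?)\[(?P<{p}comm>[^\]:]+):(?P<{p}pid>\d+)\] "
         r"uid/euid:(?P<{p}uid>\d+)/(?P<{p}euid>\d+) gid/egid:(?P<{p}gid>\d+)/(?P<{p}egid>\d+)")
GRSEC_RE = re.compile(
    r"^(?P<ts>\S+) kern\.alert: grsec: (?P<event>.+?) occurred at (?P<addr>\S+) in "
    + _SUBJ.format(p="") + ", parent " + _SUBJ.format(p="parent_") + r"$"
)

def parse_grsec_line(line):
    """Return a dict of fields for a grsec fault alert, or None for any other line."""
    m = GRSEC_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for k in rec:
        if k.endswith(("pid", "uid", "euid", "gid", "egid")):
            rec[k] = int(rec[k])  # credentials and pids as integers
    return rec

def summarize(log_text):
    """Per-executable fault counts, faults per pid, and flags a responder cares about
    (a crashing process whose uid and euid differ, i.e. a setuid program)."""
    summary = {}
    for line in log_text.splitlines():
        rec = parse_grsec_line(line)
        if rec is None:
            continue  # kern.debug and anything else that is not a grsec alert
        entry = summary.setdefault(rec["path"], {"events": Counter(), "pids": Counter(), "flags": set()})
        entry["events"][rec["event"]] += 1
        entry["pids"][rec["pid"]] += 1
        if rec["uid"] != rec["euid"]:
            entry["flags"].add("uid/euid mismatch")
    return summary
```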


tom at whyscream

Dec 21, 2010, 2:59 AM

Post #13 of 14 (838 views)
Re: Testing needed

On 09/12/10 12:15, Anthony G. Basile wrote:
> On 12/09/2010 02:03 AM, dev-random [at] mail wrote:
>>
>> Upd: all the hardened stuff seems to be commented out in the ebuild!
>>
>
> I just fixed it in the tree. Please resync in a few hours and test again.
>

I have both kernels running since previous weekend (so 9+ days) without
any issues.

--
Regards,
Tom


blueness at gentoo

Dec 21, 2010, 11:34 AM

Post #14 of 14 (845 views)
Re: Testing needed

On 12/21/2010 05:59 AM, Tom Hendrikx wrote:
> On 09/12/10 12:15, Anthony G. Basile wrote:
>> On 12/09/2010 02:03 AM, dev-random [at] mail wrote:
>>>
>>> Upd: all the hardened stuff seems to be commented out in the ebuild!
>>>
>>
>> I just fixed it in the tree. Please resync in a few hours and test again.
>>
>
> I have both kernels running since previous weekend (so 9+ days) without
> any issues.
>
> --
> Regards,
> Tom
>

Thanks, I just stabilized hardened-sources-2.6.32-r31 and
hardened-sources-2.6.36-r6 which are almost identical to the ones tested.

--
Anthony G. Basile, Ph.D.
Gentoo Developer
