2.6.10 grsec on AMD64

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Postby amax » Mon Jan 10, 2005 11:08 pm

Hi all!


I have some results (w/o libsafe). Are they ok?
It works almost stably, except that if I disable
"Paging based non-executable pages" I get many oopses while trying to run the init process.

The patchset used was grsecurity-2.1.0-2.6~0-200501081640.patch or a previous one ;-)

I have enough time to help with testing grsec with any new kernel and patchset combinations.

Currently I am trying to combine Oracle + grsec.




amazing ~ # paxtest kiddie
PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter@adamantix.org>
Released under the GNU Public Licence version 2 or later

Writing output to paxtest.log
It may take a while for the tests to complete
Test results:
PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter@adamantix.org>
Released under the GNU Public Licence version 2 or later

Mode: kiddie
Linux amazing 2.6.10-gentoo-r2-grsec #1 Sun Jan 9 22:31:34 NOVT 2005 x86_64 AMD
Athlon(tm) 64 Processor 3200+ AuthenticAMD GNU/Linux

Executable anonymous mapping : Killed
Executable bss : Killed
Executable data : Killed
Executable heap : Killed
Executable stack : Killed
Executable anonymous mapping (mprotect) : Killed
Executable bss (mprotect) : Killed
Executable data (mprotect) : Killed
Executable heap (mprotect) : Killed
Executable stack (mprotect) : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Writable text segments : Killed
Anonymous mapping randomisation test : 25 bits (guessed)
Heap randomisation test (ET_EXEC) : 13 bits (guessed)
Heap randomisation test (ET_DYN) : 32 bits (guessed)
Main executable randomisation (ET_EXEC) : No randomisation
Main executable randomisation (ET_DYN) : No randomisation
Shared library randomisation test : 25 bits (guessed)
Stack randomisation test (SEGMEXEC) : No randomisation
Stack randomisation test (PAGEEXEC) : 32 bits (guessed)
Return to function (strcpy) : paxtest: bad luck, try different compiler options.
Return to function (memcpy) : Killed
/usr/bin/paxtest: line 38: 29273 Killed /usr/lib/paxtest/$i
/usr/bin/paxtest: line 38: 24969 Killed /usr/lib/paxtest/$i
Executable shared library bss : Killed
Executable shared library data : Killed



My whole system is USE=hardened and was recompiled completely with -O2 after emerging binutils, gcc and glibc.

Here is my emerge info:


amazing ~ # emerge info
Portage 2.0.51-r8 (hardened/amd64, gcc-3.4.3, glibc-2.3.4.20041102-r0, 2.6.10-gentoo-r2-grsec x86_64)
=================================================================
System uname: 2.6.10-gentoo-r2-grsec x86_64 AMD Athlon(tm) 64 Processor 3200+
Gentoo Base System version 1.6.8
Python: dev-lang/python-2.3.4 [2.3.4 (#1, Jan 9 2005, 01:38:54)]
distcc 2.18.3 x86_64-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
ccache version 2.3 [disabled]
dev-lang/python: 2.3.4
sys-devel/autoconf: 2.13, 2.59-r6
sys-devel/automake: 1.8.5-r2, 1.5, 1.6.3, 1.7.9, 1.4_p6, 1.9.3
sys-devel/binutils: 2.15.92.0.2-r2
sys-devel/libtool: 1.5.10-r2
virtual/os-headers: 2.6.8.1-r2
ACCEPT_KEYWORDS="amd64 ~amd64"
AUTOCLEAN="yes"
CFLAGS="-march=athlon64 -O2 -pipe -fomit-frame-pointer"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3.3/env /usr/kde/3.3/share/config /usr/kde/3.3/shutdown /usr/kde/3/share/config /usr/lib/X11/xkb /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/ /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-march=athlon64 -O2 -pipe -fomit-frame-pointer"
DISTDIR="/home/gentoo/distfiles1"
FEATURES="autoaddcvs autoconfig buildpkg distlocks loadpolicy sandbox"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/Linux/dis ... ons/gentoo"
LDFLAGS=""
MAKEOPTS=""
PKGDIR="/home/gentoo/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/home/gentoo/portage"
PORTDIR_OVERLAY="/home/gentoo/local"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X a52 aac aalib acl acpi alsa amd64 apache2 apm arts artswrappersuid async audiofile avi bash-completion berkdb bitmap-fonts bluetooth bzip2 bzlib cdparanoia cdr cjk crypt cups curl dga dio dlloader doc dv dvd dvdr dvdread dxr3 encode erandom ex exif extensions fam fame ffmpeg flac freetype ftp gd gif gmp gnokii gphoto2 gpm gtk gtk2 guile hardened iconv imagemagick imlib innodb irda java jpeg jpeg2k junit kde lcms libwww lm_sensors lzo mad matroska mbox md5sum mhash mikmod mime mjpeg mng motif mp3 mpeg mysql ncurses network nls no-old-linux nptl nptlonly nvidia oav odbc ogg oggvorbis opengl pam pcap pda pdflib php pic pie png pnp posix postgres python qdbm qt quicktime readline recode rtc samba sdl slang slp sms sndfile speex ssl svg tetex theora threads tiff transcode truetype truetype-fonts unicode usb uudeview vcdimager virus-scan wmf wsconvert xine xml xml2 xmms xpm xsl xv xvid xvmc yv12 zlib linguas_ru"



amazing ~ # gcc -v
Reading specs from /usr/lib/gcc/x86_64-pc-linux-gnu/3.4.3/specs
Configured with: /var/tmp/portage/gcc-3.4.3-r1/work/gcc-3.4.3/configure --enable-version-specific-runtime-libs --prefix=/usr --bindir=/usr/x86_64-pc-linux-gnu/gcc-bin/3.4.3 --includedir=/usr/lib/gcc/x86_64-pc-linux-gnu/3.4.3/include --datadir=/usr/share/gcc-data/x86_64-pc-linux-gnu/3.4.3 --mandir=/usr/share/gcc-data/x86_64-pc-linux-gnu/3.4.3/man --infodir=/usr/share/gcc-data/x86_64-pc-linux-gnu/3.4.3/info --with-gxx-include-dir=/usr/lib/gcc/x86_64-pc-linux-gnu/3.4.3/include/g++-v3 --host=x86_64-pc-linux-gnu --disable-altivec --enable-nls --without-included-gettext --enable-__cxa_atexit --enable-clocale=gnu --with-system-zlib --disable-checking --disable-werror --disable-libunwind-exceptions --enable-shared --enable-threads=posix --disable-multilib --disable-libgcj --enable-languages=c,c++
Thread model: posix
gcc version 3.4.3 20041125 (Gentoo Hardened Linux 3.4.3-r1, ssp-3.4.3-0, pie-8.7.7)


/amax
email me amax at mail ru
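As an added example (not part of the post, and not from the paxtest or grsecurity projects), a small Python triage script for paxtest output of the kind quoted above: it parses each "test : result" line, treats Killed as blocked, scores randomisation results by bit count against a threshold, and sets aside tests that cannot apply on this platform. The sample lines are constructed from the post's output, the 16-bit threshold is an arbitrary choice, and the assumption that the SEGMEXEC stack test is not applicable on amd64 (which uses PAGEEXEC) is mine.

```python
import re

# Constructed sample: a subset of the paxtest "kiddie" output quoted above.
SAMPLE_LOG = """\
Executable anonymous mapping : Killed
Executable stack (mprotect) : Killed
Writable text segments : Killed
Anonymous mapping randomisation test : 25 bits (guessed)
Heap randomisation test (ET_EXEC) : 13 bits (guessed)
Main executable randomisation (ET_EXEC) : No randomisation
Stack randomisation test (SEGMEXEC) : No randomisation
Stack randomisation test (PAGEEXEC) : 32 bits (guessed)
Return to function (strcpy) : paxtest: bad luck, try different compiler options.
Return to function (memcpy) : Killed
"""

# Assumption: on amd64 PaX uses PAGEEXEC and SEGMEXEC is not available,
# so the SEGMEXEC stack test cannot report anything meaningful there.
NOT_APPLICABLE = {"Stack randomisation test (SEGMEXEC)"}

LINE_RE = re.compile(r"^(?P<name>.+?)\s*:\s*(?P<result>.+)$")
BITS_RE = re.compile(r"(\d+) bits")

def classify(name, result, min_bits=16):
    """Map one paxtest result to a verdict: ok, weak, fail, n/a or unknown."""
    if name in NOT_APPLICABLE:
        return "n/a"
    if result == "Killed":
        return "ok"        # PaX killed the test process: the technique was blocked
    if result in ("Vulnerable", "No randomisation"):
        return "fail"      # a result to investigate against the kernel config
    m = BITS_RE.search(result)
    if m:
        return "ok" if int(m.group(1)) >= min_bits else "weak"
    return "unknown"       # e.g. "bad luck, try different compiler options."

def triage(log_text, min_bits=16):
    """Parse paxtest output and return {verdict: [test names]} for review."""
    report = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        # Skip banner, mode and shell-wrapper lines that also contain a colon.
        if not m or m.group("name").startswith(("PaXtest", "Mode", "/usr/bin/paxtest")):
            continue
        verdict = classify(m.group("name"), m.group("result"), min_bits)
        report.setdefault(verdict, []).append(m.group("name"))
    return report
```

Running `triage(SAMPLE_LOG)` groups the 13-bit ET_EXEC heap result under "weak" and the two "No randomisation" lines under "fail" and "n/a" respectively, which is the shortlist a reviewer would check against the PaX options in the kernel config.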

My grsec options in kernel

Postby amax » Mon Jan 10, 2005 11:10 pm

#
# Grsecurity
#
CONFIG_GRKERNSEC=y
# CONFIG_GRKERNSEC_LOW is not set
# CONFIG_GRKERNSEC_MEDIUM is not set
CONFIG_GRKERNSEC_HIGH=y
# CONFIG_GRKERNSEC_CUSTOM is not set

#
# Address Space Protection
#
CONFIG_GRKERNSEC_KMEM=y
# CONFIG_GRKERNSEC_IO is not set
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_BRUTE=y
CONFIG_GRKERNSEC_HIDESYM=y

#
# Role Based Access Control Options
#
CONFIG_GRKERNSEC_ACL_HIDEKERN=y
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30

#
# Filesystem Protections
#
CONFIG_GRKERNSEC_PROC=y
CONFIG_GRKERNSEC_PROC_USER=y
CONFIG_GRKERNSEC_PROC_USERGROUP=y
CONFIG_GRKERNSEC_PROC_GID=1001
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y

#
# Kernel Auditing
#
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
# CONFIG_GRKERNSEC_EXECLOG is not set
CONFIG_GRKERNSEC_RESLOG=y
# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
CONFIG_GRKERNSEC_AUDIT_MOUNT=y
# CONFIG_GRKERNSEC_AUDIT_IPC is not set
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_TIME=y
# CONFIG_GRKERNSEC_PROC_IPADDR is not set
# CONFIG_GRKERNSEC_AUDIT_TEXTREL is not set

#
# Executable Protections
#
CONFIG_GRKERNSEC_EXECVE=y
CONFIG_GRKERNSEC_SHM=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_RANDPID=y
# CONFIG_GRKERNSEC_TPE is not set

#
# Network Protections
#
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_RANDISN=y
CONFIG_GRKERNSEC_RANDID=y
CONFIG_GRKERNSEC_RANDSRC=y
CONFIG_GRKERNSEC_RANDRPC=y
# CONFIG_GRKERNSEC_SOCKET is not set

#
# Sysctl support
#
# CONFIG_GRKERNSEC_SYSCTL is not set

#
# Logging Options
#
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=4

#
# PaX
#
CONFIG_PAX=y

#
# PaX Control
#
# CONFIG_PAX_SOFTMODE is not set
CONFIG_PAX_EI_PAX=y
CONFIG_PAX_PT_PAX_FLAGS=y
# CONFIG_PAX_NO_ACL_FLAGS is not set
CONFIG_PAX_HAVE_ACL_FLAGS=y
# CONFIG_PAX_HOOK_ACL_FLAGS is not set

#
# Non-executable pages
#
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
CONFIG_PAX_MPROTECT=y
CONFIG_PAX_NOELFRELOCS=y

#
# Address Space Layout Randomization
#
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
CONFIG_PAX_RANDEXEC=y
# CONFIG_KEYS is not set
# CONFIG_SECURITY is not set