How well does GRsecurity get along with those security LSMs?

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

How well does GRsecurity get along with those security LSMs?

Postby konst » Sat Sep 03, 2011 8:16 am

Do the LSMs step on the toes of grsecurity? Do they lessen the security provided by grsecurity?
Anyone have any experience or knowledge of how well the others play with grsecurity?
+
I don't mean SElinux but the other ones like TOMOYO and apparmor.
konst
 
Posts: 21
Joined: Fri Jul 10, 2009 8:23 am

Re: How well does GRsecurity get along with those security L

Postby LSD » Sat Sep 03, 2011 11:24 am

LSMs or all MACs including grsec's RSBAC are only your last level of defense.

Imagine attacking a server with grsec protected kernel. You already found a way how to exploit your newest imap software and you are holding a remote root in your hands. Ofc you cant browse dirs, you cant write to /*/*/bin....unfortunately the net daemon is in group with others who can use raw sockets. Just redirect ssh sessions, wait for root to log in...kaboom you have gradm password and the game is over.
LSD
 
Posts: 3
Joined: Sat Sep 03, 2011 11:16 am

Re: How well does GRsecurity get along with those security L

Postby Lox » Sun Sep 04, 2011 12:14 pm

Lox
 
Posts: 8
Joined: Sat Jul 02, 2011 7:53 pm

Re: How well does GRsecurity get along with those security L

Postby spender » Mon Sep 05, 2011 5:07 am

Grsecurity works fine with any other LSM. Ironically, if grsecurity's RBAC were implemented as an LSM, then it wouldn't co-operate with any other LSM ;)

As for LSD's comment, what he says is possible, but it's not as simple as he makes it sound. To make use of the special privilege, all the operations have to be done within the privileged task. For further reading, make note of the discussion of arbitrary code execution here:
viewtopic.php?f=7&t=2522

-Brad (from airport in Seoul)
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: How well does GRsecurity get along with those security L

Postby LSD » Mon Sep 05, 2011 8:35 am

Yeah sorry Brad. I wanted to point out how worthless are policies (mostly what LSMs are doing) compared to real kernel hardening (grsec). Attacking a grsec was never easy.
LSD
 
Posts: 3
Joined: Sat Sep 03, 2011 11:16 am


Return to grsecurity support

cron