grsecurity forums

[dunker]

I prefer making use of Hardened-Gentoo as a Linux OS because the system is well-supported, diverse and the kernel builds easily enough while providing significant security benefits. This combination works for me since I am not an aspiring programmer, though I do certainly appreciate the advantage of a secure OS. I also find myself making frequent use of virtualization because, among other reasons, it helps the learning process to be able to practice and rebuild while working with various scenarios.

There is one virtualization scenario, however, which has me stumped, and I would like to consider a different approach than what I have done so far. Despite my considerable effort to find or work out a solution, I cannot get Virtualbox to run on a properly hardened Gentoo OS. This same problem has vexed many others, based on what I have read while researching it; but if I can believe what I have read, at least a few others did manage to get it working by making some changes to the hardened tool chain while building the program. Be that as it may, when I tried to follow their same approach, it still did not allow me to get it working as it appeared to have done for them.

I have read that by "turning off" the hardened gcc program, using instead a vanilla gcc, while making the build of Virtualbox and its modules, leaving all the rest of the tool-chain hardened, these others have succeded in building a properly functioning program. This did not work for me. I cannot make Virtualbox run at all when I have a hardened-Gentoo kernel, even though I have tried temporarily disabling the hardened gcc program beforehand. However, I can build it just fine while using a regular Gentoo kernel and regular gcc: it starts up and functions properly.

I would like to try to get the program built and functioning within a hardened kernel, as the others claim to have done, even though it may end up being a kernel that is not fully hardened. Therefore, since I have gotten it to run on a totally non-hardened kernel, it occured to me that I might try incrementally using a kernel that was gradually hardened, part by part, starting from a non-hardened state until I reach a point where I can go no further, within the limitations of time I can allow. So, my question is, can someone point to a guide for such an approach, one which would start with a slightly hardened kernel and gradually add more rules to the final result? In other words, how would I go about finding which rules to start with during the procedure using the method of "menuconfig" for building it?

[PaX Team]

did you try to use grsecurity's automatic configuration option?

[dunker]

> "...did you try to use grsecurity's automatic configuration option?"

Absolutely. Automatic configuration, no hardware virtualization, Virtualbox as host, desktop, performance as priority. I had the most recent hardened-surces for building the kernel, along with gradm.

[PaX Team]

can you post the resulting config (grsec/PaX bits are enough) and any error messages (especially kernel logs) you got when you tried to run vbox?

[dunker]

I appreciate your taking the time to look at this matter. Let me add the point that there is no sense of urgency because I am using the machine presently without a hardened Gentoo OS because I needed to get VirtualBox running on it regardless. As this is the only machine where I have to make use of VirtualBox, I will need to make a backup now and then reinstall hardened Gentoo on it in order to get you the information you asked for. That's no problem, but it will take a little time to arrange it.

If you do not hear back from me for a few days, please bear with me. I will get the information because I do really want to have VirtualBox on hardened Gentoo, if at all possible. Thanks.