I am interested in grsecurity mostly because of the many generic improvements that you mentioned.

The reason I'm using Apparmor for process confinement is that NixOS supports it already. In the near future I would like to use grsec's RBAC system instead of Apparmor, as it seems just as simple but more secure. But since Apparmor already worked and the grsecurity kernel patch includes the apparmor patches, I did not feel the urgency to replace Apparmor with RBAC right now.

Thanks,
Ricardo

On Aug 7, 2013 3:54 PM, "Mathijs Kwik" <math...@bluescreen303.nl> wrote:

Hi Ricardo,

It has been some time since I've looked into these security-hardening systems, but I was under the impression that grsecurity, selinux and apparmor were somewhat competitive solutions for the same problems.
I know there are some differences (path-based vs inode based) and that grsecurity provides a bunch of generic improvements (process hiding for example) too.
However, I've never heard of combining grsec with apparmor. Why would one do that?

On Wed, Aug 7, 2013 at 2:59 PM, Ricardo M. Correia <rcorr...@wizy.org> wrote:
> Hi,
>
> I'm attaching a simple patch that allows you to use a kernel with
> grsecurity, PaX and AppArmor enabled, just in case it's useful to anyone.
>
> It requires the following changes to be applied first:
> https://github.com/NixOS/nixpkgs/pull/802
>
> I am not sending a pull request for this new kernel directly because it
> needs further work to allow customization of the grsec kernel config options
> from /etc/nixos/configuration.nix and I don't have time to investigate how
> to do that right now.
>
> In particular, you need to specify whether the machine is a server or a
> desktop; whether it's running as a VM guest, host or simply on bare metal;
> whether hardware or software virtualization is being used and whether you
> prefer more security or more performance.
>
> You can accomplish that by changing the GRKERNSEC_CONFIG_* options which you
> can see in the patch (I enabled the ones I personally use).
>
> You can find a reference for these options here:
> https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options#Configuration_Method
>
> In order to use the new kernel and features, you also need to add
> "boot.kernelPackages = pkgs.linuxPackages_3_2_hardened;" and
> "security.apparmor.enable = true;" to your configuration.
>
> You may also need to create AppArmor profiles for the programs you are
> interested in confining.
>
> If you are doing chroot builds and running the new kernel, package
> installation may fail due to "chmod +s" protection (apparently it can be
> used to break out of the chroot).
>
> As a quick workaround, you can disable this protection temporarily during
> package installation:
> # sysctl -w kernel.grsecurity.chroot_deny_chmod=0
> You should probably re-enable it afterwards. I'm sure there are better ways
> to do this, though.
>
> To make sure the kernel has been properly installed and is running, I
> suggest running "dmesg" as a normal user: it should fail with "operation not
> permitted".
>
> I hope this is useful to someone.
>
> PS: you can re-enable the following kernel config options, but you will lose
> the corresponding security features:
>
> Xen support -> disables "Prevent invalid userland pointer dereference"
> (MEMORY_UDEREF)
> Hibernation -> disables "Sanitize all freed memory" (MEMORY_SANITIZE)
>
> Thanks,
> Ricardo
>
>
> _______________________________________________
> nix-dev mailing list
> nix-dev@lists.science.uu.nl
> http://lists.science.uu.nl/mailman/listinfo/nix-dev
>
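
The sysctl workaround from the quoted message, wrapped so the protection is switched back on even when the install command fails or is interrupted. This is an added example, not part of the thread or of the attached patch; the function name `with_chroot_chmod_allowed` and the `GRSEC_KNOB` override are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: run one command with grsecurity's chroot "chmod +s"
# protection relaxed, then put the previous value back.
#
# GRSEC_KNOB is a hypothetical override so the logic can be exercised against
# a scratch file. Its default is the /proc/sys file behind the sysctl
# kernel.grsecurity.chroot_deny_chmod named in the message.
GRSEC_KNOB="${GRSEC_KNOB:-/proc/sys/kernel/grsecurity/chroot_deny_chmod}"

# Usage (as root): with_chroot_chmod_allowed COMMAND [ARGS...]
# Returns COMMAND's exit status, or 2 if the protection could not be relaxed.
with_chroot_chmod_allowed() {
    if [ "$#" -eq 0 ]; then
        echo "usage: with_chroot_chmod_allowed COMMAND [ARGS...]" >&2
        return 2
    fi
    if [ ! -w "$GRSEC_KNOB" ]; then
        echo "cannot write $GRSEC_KNOB (not root, or no grsecurity sysctl)" >&2
        return 2
    fi
    # Remember the current setting instead of assuming it was 1.
    prev=$(cat "$GRSEC_KNOB") || return 2
    (
        # Restore on every exit path of this subshell: normal completion,
        # a failing command, or an interrupt.
        trap 'echo "$prev" > "$GRSEC_KNOB"' EXIT
        trap 'exit 130' INT TERM
        # The kernel can still refuse the write; give up without running
        # the command in that case.
        echo 0 > "$GRSEC_KNOB" || exit 2
        "$@"
    )
}
```

Running the installation through this wrapper keeps the window with `chroot_deny_chmod=0` limited to the one command instead of depending on someone remembering to re-enable it.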