On 2016-12-17 2:59 PM, podmo wrote:
> Reporting success with Coldkernel on Qubes R3.2 with Debian 8 template.
> Followed the steps in
> https://coldhak.ca/blog/2016/12/12/coldkernel-qubes-1.html and worked
> first try. I did some further tweaking afterwards to allow me to lock it
> down a bit more in the future with TPE and keep my template minimal.
>
> In the linux-4.8.13 directory structure:
> Copied u2mfn.c to drivers/misc and set up references in Kconfig and Makefile
> make menuconfig
>
> GRKERNSEC_TPE_ALL=y [kernel.grsecurity.tpe_restrict_all]
> GRKERNSEC_TPE_INVERT=y[kernel.grsecurity.tpe_invert]
> PAX_MEMORY_SANITIZE=y [not sure if Xen sanitizes freed memory within
> the
> VM, appears to only be on shutdown]
> PAX_MEMORY_STACKLEAK=y
> CONFIG_XEN_BLKDEV_BACKEND=m [believe this is necessary for the USB VM,
> crashed Qubes Manager on attaching USB device to other VM without it]
> CONFIG_XEN_NETDEV_BACKEND=m [and this for Net VM]
> CONFIG_U2MFN=y[to let me avoid DKMS]
>
> fakeroot make bindeb-pkg -j 4 LOCALVERSION=-coldkernel-grsec-1
> KDEB_PKGVERSION=4.8.13-coldkernel-grsec-1
>
> Then, copied the following to minimal template:
> linux-image-4.8.13-coldkernel-grsec-amd64.deb
> paxctld_1.2.1-1_amd64.deb
> paxctld.conf
> /usr/share/initramfs-tools/hooks/qubes_vm
> /usr/share/initramfs-tools/scripts/local-top/qubes_cow_setup
>
> Added the following file on minimal:
> /etc/sysctl.d/81-grsec.conf
> kernel.grsecurity.deny_new_usb = 0
> kernel.grsecurity.tpe_invert = 1
> kernel.grsecurity.tpe_restrict_all = 1
>
> And ran on it:
>
> sudo dpkg -i paxctld_1.2.1-1_amd64.deb [or use one from testing repository]
> sudo apt install grub2-common
>
> sudo groupadd -g 9001 grsecproc
> sudo groupadd -g 9002 tpeuntrusted
> sudo groupadd -g 9003 denysockets
> sudo cp paxctld.conf /etc/paxctld.conf
> sudo paxctld -d
> sudo systemctl enable paxctld
> sudo dpkg -i linux-image-4.8.13-coldkernel-grsec-amd64.deb
> sudo mkdir /boot/grub
> sudo update-grub2
>
> sudo shutdown -h now
>
> Changed it to use PVGRUB2 and minimal template worked too. Applied it to
> sys-net, sys-firewall, sys-usb and all function (after adding some
> packages I missed, etc.) except with two issues so far:
> 1. qvm-copy-to-vm completes successfully but throws an error to the
> console at the end about failed to open /proc: permission denied.
> 2. On full reboot, all sys-VMs start automatically but networking doesn't
> work right until I shut down whonix and firewall, then start them back up
> in the proper order. Not sure if it's because they are just booting too
> fast or if some trigger isn't getting communicated properly.
>
>
Thanks! I guess those missing Xen modules were what was needed for proxy
and netVMs to work. Haven't tested sys-usb yet, but I got that same
problem you had where Qubes Manager would crash when attaching devices
so if you say it's now fixed, I'll believe it.
I managed to get dispVMs to work as well, but I had to trick Qubes
Manager to do it. For whatever reason, when you run
qvm-create-default-dvm, it'll take whatever kernel is set to default
under Global Settings and apply it to future dispVMs. So if you have it
set to use a normal kernel, it'll always use a normal kernel for
dispVMs; changing the kernel on the template or the generated dvm
template has no effect. So if you set the default kernel to PVGRUB2 in
Global Settings before running qvm-create-default-dvm, that'll allow
future dispVMs to boot with the coldkernel (just make sure to switch it
back when you're done so your other VMs will boot normally).
Also, from the Gentoo Grsecurity handbook, some other sysctl options
people might want to play with:
Secure chroot:
kernel.grsecurity.chroot_deny_fchdir = 1
kernel.grsecurity.chroot_deny_shmat = 1
kernel.grsecurity.chroot_deny_sysctl = 1
kernel.grsecurity.chroot_deny_unix = 1
kernel.grsecurity.chroot_enforce_chdir = 1
kernel.grsecurity.chroot_findtask = 1
According to the Arch wiki, these settings may have problems with
containers, but if you don't use them in your vm, then you might as well
set them:
kernel.grsecurity.chroot_caps = 1
kernel.grsecurity.chroot_deny_chmod = 1
kernel.grsecurity.chroot_deny_chroot = 1
kernel.grsecurity.chroot_deny_mknod = 1
kernel.grsecurity.chroot_deny_mount = 1
kernel.grsecurity.chroot_deny_pivot = 1
kernel.grsecurity.chroot_restrict_nice = 1
Lock Settings to prevent them from being changed (only activate when
you're sure you've got everything set up the way you want to):
kernel.grsecurity.grsec_lock = 1
--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit
