[Nix-dev] Fwd: Hardened Linux kernel with grsec/PaX + AppArmor

Ricardo M. Correia rcorreia at wizy.org
Wed Aug 7 14:59:50 CEST 2013


Hi,

I'm attaching a simple patch that allows you to use a kernel with
grsecurity, PaX and AppArmor enabled, just in case it's useful to anyone.

It requires the following changes to be applied first:
https://github.com/NixOS/nixpkgs/pull/802

I am not sending a pull request for this new kernel directly because it
needs further work to allow customization of the grsec kernel config
options from /etc/nixos/configuration.nix and I don't have time to
investigate how to do that right now.

In particular, you need to specify whether the machine is a server or a
desktop; whether it's running as a VM guest, host or simply on bare metal;
whether hardware or software virtualization is being used and whether you
prefer more security or more performance.

You can accomplish that by changing the GRKERNSEC_CONFIG_* options which
you can see in the patch (I enabled the ones I personally use).

You can find a reference for these options here:
https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options#Configuration_Method

In order to use the new kernel and features, you also need to add
"boot.kernelPackages = pkgs.linuxPackages_3_2_hardened;" and
"security.apparmor.enable = true;" to your configuration.

You may also need to create AppArmor profiles for the programs you are
interested in confining.

If you are doing chroot builds and running the new kernel, package
installation may fail due to "chmod +s" protection (apparently it can be
used to break out of the chroot).

As a quick workaround, you can disable this protection temporarily during
package installation:
# sysctl -w kernel.grsecurity.chroot_deny_chmod=0
You should probably re-enable it afterwards. I'm sure there are better ways
to do this, though.

To make sure the kernel has been properly installed and is running, I
suggest running "dmesg" as a normal user: it should fail with "operation
not permitted".

I hope this is useful to someone.

PS: you can re-enable the following kernel config options, but you will
lose the corresponding security features:

Xen support -> disables "Prevent invalid userland pointer dereference"
(MEMORY_UDEREF)
Hibernation -> disables "Sanitize all freed memory" (MEMORY_SANITIZE)

Thanks,
Ricardo
-------------- next part --------------
A non-text attachment was scrubbed...
Name: grsec.patch
Type: application/octet-stream
Size: 2530 bytes
Desc: not available
Url : http://lists.science.uu.nl/pipermail/nix-dev/attachments/20130807/2eace42f/attachment.obj 
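Ricardo notes there are better ways than toggling the sysctl by hand. The wrapper below is an added example, not code from the mail or from the attached grsec.patch: it lifts chroot_deny_chmod only while one command (such as a package installation) runs and restores the previous value even if that command fails. It assumes the sysctl key named in the mail and a hypothetical SYSCTL variable for substituting the sysctl(8) binary; it must run as root on the hardened kernel.

```shell
#!/bin/sh
# Added example (not from the mail or grsec.patch): temporarily allow
# chmod +s inside chroots for the duration of one command, then restore
# grsecurity's chroot_deny_chmod to whatever it was before.
# SYSCTL is an assumed override hook so the logic can be exercised with a
# stand-in for sysctl(8); it defaults to the real binary.

GRSEC_KEY="kernel.grsecurity.chroot_deny_chmod"
: "${SYSCTL:=sysctl}"

# Print the current value of the sysctl ("0" or "1").
grsec_get() {
    "$SYSCTL" -n "$GRSEC_KEY"
}

# Run "$@" with chroot_deny_chmod=0, then put the old value back.
# Returns the wrapped command's exit status.
with_chroot_chmod_allowed() {
    prev=$(grsec_get) || return 1
    if [ "$prev" != "0" ]; then
        "$SYSCTL" -w "$GRSEC_KEY=0" || return 1
    fi
    if "$@"; then rc=0; else rc=$?; fi
    # Restore unconditionally so the protection is not left disabled
    # when the installation aborts part-way.
    "$SYSCTL" -w "$GRSEC_KEY=$prev"
    return "$rc"
}

# Example use (as root): with_chroot_chmod_allowed nix-env -i some-package
```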