# Hardened-sources patched up with Xen patches. Possible?

## nlindblad

Hello fellow Gentooists.

After a few days reading about the Gentoo Hardened Project I decided to set up a test server to apply what I'd learnt. It all worked like a charm and I configured a system intended to act as a shell server. I used the hardened-sources kernel with grsecurity activated along with PaX and the hardened toolchain. The shell server part took advantage of the chroot-ssh patch for opensshd that lets you chroot a user directly at login into a chroot I put up at /chroot. Inside that chroot the users had limited tools and binaries to avoid abuse.

I was very happy with this configuration and I found it very flexible (and secure). But then I realized a chroot is still a part of the main system (same kernel, same ABI, same API, etc.) so I started looking for alternatives and especially at Xen.

I'm not really prepared to sacrifice the hardened kernel and toolchain to get Xen compatibility. The ideal setup would be to use a hardened system as a hypervisor and set up a hardened system as a non-privileged domain too.

I've been nagging about this on #gentoo-hardened for quite a while asking whether a setup like that would be possible without heavy system modifications or ending up with a broken system.

I don't feel like I've got a good enough answer on this topic. So now I'm asking you:

Would it be possible to run a kernel inside Xen that has the hardened patches applied to it (grsecurity and PaX)?

----------

## Unther

You could try it and see...

It is possible nobody has yet!

----------

## meetra

bump, interesting stuff.

----------

## piersdd

I agree that hardened sources for Xen will be essential.

Any machine that offers services to the net really should be hardened with pic and rsbac/selinux as a minimum.

The prospect of being able to run multiple virtual servers that can migrate to machines in the event of system failure seems to me to be the future of network services.

Imagine taking a server offline to upgrade hardware and having the virtual server/service migrate to other hardware automatically whilst offline. Or snapshotting a virtual machine, installing new drivers or whatever, bringing online, taking offline due to conflicts, resuming the snapshot, all with other virtual servers taking up the slack, all in the knowledge that the actual underlying hardware was fully redundant.

These sorts of features, which I envisage to be mandatory on five-9s services like virtual PBXs, really should be protected to the full. Bring on hardened and xen.

How can I help?

Piers

----------

## nlindblad

How about starting a small project analyzing the possibilities of running Gentoo Hardened under Xen and if necessary report what would need to be improved in order to make it work?

----------

## piersdd

not that there ever is 'a [single|good] solution'

I understand that GNAP uses the hardened kernel, GRsec, PaX, PIE/SSP.

given that, in my opinion, the funkiest feature of Xen's implementation of para-virtualisation is,

the "decoupling the operating system and its applications from the underlying physical server..." thereby the capacity for "dynamic provisioning and migration in cases of server failure.."  "..less than 100 ms migration"

To me this spells out that the hardware really becomes an appliance. Pool 'em together. Virtual servers drift from one appliance to the next, network storage comes into play. Probably AFS suits best.

So we need GNAP extensions for Xen. Is that possible? In addition to the previously discussed need for hardened sources within Xen.

end rant.

links:

http://www.gentoo.org/proj/en/base/embedded/gnap.xml

http://www.xensource.com/files/xen_3.0_datasheet.pdf

----------

## kang

Btw, while RSBAC does not hook yet into Xen, latest RSBAC svn and latest Xen mercurial repos patch, compile and work fine together (means you can have RSBAC protecting your hypervisor using traditional target list[1]. there should be the special XEN targets someday ^^)

I don't know about the SELinux+Xen status.

[1] RSBAC targets: http://rsbac.org/documentation/rsbac_handbook/architecture_implementation/targets_and_requests

edit:

1 - we just changed the target & request link in documentation ;)

2 - while updating doc I found this out:

http://wiki.adamantix.org/cgi-bin/wiliki.cgi?XenSupport

Some guy having rsbac+xen made this small info page (on adamantix)

Last edited by kang on Wed May 17, 2006 3:29 pm; edited 1 time in total

----------

## nlindblad

*kang wrote:*

> Btw, while RSBAC does not hook yet into XEN, latest RSBAC svn and latest XEN mercurial repos patch, compile and work fine together (means you can have RSBAC protecting your hypervisor using traditional target list[1]. there should be the special XEN targets someday ^^)
> 
> I don't know about the SELinux+XEN status.
> 
> [1] RSBAC targets: http://rsbac.org/documentation/targets_and_requests

 

An interesting update, thank you for letting us know. 

Has anyone tried the combination mentioned above (SELinux+XEN)?

----------

## DNAspark99

Well, here I am, trying right now to merge hardened+xen patches into the same kernel, not having any luck.

Any update on this?

----------

## roock

There was an interesting post in the grsecurity forums about xen+grsec/pax and it seems to work for x86_64. But I didn't try the patches, nor did I use more than grsec/pax from the hardened-gentoo project (without xen).

http://forums.grsecurity.net/viewtopic.php?t=1490

----------

