# grsecurity out of control

## at

I am using a hardened profile and 2.6.17-hardened-r1 kernel.

grsecurity interferes with (breaks) a lot of stuff on my system. This is an excerpt from dmesg:

```
# dmesg
grsec: denied resource overstep by requesting 135168 for RLIMIT_MEMLOCK against limit 32768 for /usr/kde/3.5/bin/artsd[artsd:3386] uid/euid:1000/1000 gid/egid:100/100, parent /usr/kde/3.5/bin/kdeinit[kdeinit:17546] uid/euid:1000/1000 gid/egid:100/100
grsec: denied resource overstep by requesting 135168 for RLIMIT_MEMLOCK against limit 32768 for /usr/kde/3.5/bin/artsd[artsd:3386] uid/euid:1000/1000 gid/egid:100/100, parent /usr/kde/3.5/bin/kdeinit[kdeinit:17546] uid/euid:1000/1000 gid/egid:100/100
grsec: denied resource overstep by requesting 135168 for RLIMIT_MEMLOCK against limit 32768 for /usr/kde/3.5/bin/artsd[artsd:3386] uid/euid:1000/1000 gid/egid:100/100, parent /usr/kde/3.5/bin/kdeinit[kdeinit:17546] uid/euid:1000/1000 gid/egid:100/100
grsec: denied resource overstep by requesting 131072 for RLIMIT_MEMLOCK against limit 32768 for /usr/kde/3.5/bin/artsd[artsd:30220] uid/euid:1000/1000 gid/egid:100/100, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/bin/nvidia-settings[nvidia-settings:12812] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:8014] uid/euid:0/0 gid/egid:0/0
grsec: denied resource overstep by requesting 135168 for RLIMIT_MEMLOCK against limit 32768 for /usr/bin/amarokapp[amarokapp:14138] uid/euid:1000/1000 gid/egid:100/100, parent /usr/bin/amarok[amarok:30299] uid/euid:1000/1000 gid/egid:100/100
grsec: denied resource overstep by requesting 135168 for RLIMIT_MEMLOCK against limit 32768 for /usr/bin/amarokapp[amarokapp:14138] uid/euid:1000/1000 gid/egid:100/100, parent /usr/bin/amarok[amarok:30299] uid/euid:1000/1000 gid/egid:100/100
grsec: denied resource overstep by requesting 131072 for RLIMIT_MEMLOCK against limit 32768 for /usr/bin/amarokapp[amarokapp:29805] uid/euid:1000/1000 gid/egid:100/100, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
grsec: denied resource overstep by requesting 135168 for RLIMIT_MEMLOCK against limit 32768 for /usr/bin/amarokapp[amarokapp:12272] uid/euid:1000/1000 gid/egid:100/100, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
grsec: (default:D:/sbin/gradm) grsecurity 2.1.9 RBAC system loaded by /sbin/gradm[gradm:11475] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:8014] uid/euid:0/0 gid/egid:0/0
grsec: (default:D:/) use of CAP_SYS_ADMIN denied for /usr/sbin/syslog-ng[syslog-ng:9765] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
grsec: (default:D:/) use of CAP_SYS_ADMIN denied for /usr/sbin/syslog-ng[syslog-ng:9765] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
grsec: (default:D:/) use of CAP_SYS_ADMIN denied for /usr/sbin/syslog-ng[syslog-ng:9765] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
grsec: (default:D:/) use of CAP_SYS_ADMIN denied for /usr/sbin/syslog-ng[syslog-ng:9765] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
grsec: more alerts, logging disabled for 10 seconds
grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/bin/nvidia-settings[nvidia-settings:8202] uid/euid:1000/1000 gid/egid:100/100, parent /usr/kde/3.5/bin/kdeinit[kdeinit:17546] uid/euid:1000/1000 gid/egid:100/100
```

Here is the kernel configuration:

```
#
# Security options
#

#
# PaX
#
CONFIG_PAX=y

#
# PaX Control
#
# CONFIG_PAX_SOFTMODE is not set
CONFIG_PAX_EI_PAX=y
CONFIG_PAX_PT_PAX_FLAGS=y
# CONFIG_PAX_NO_ACL_FLAGS is not set
CONFIG_PAX_HAVE_ACL_FLAGS=y
# CONFIG_PAX_HOOK_ACL_FLAGS is not set

#
# Non-executable pages
#
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
CONFIG_PAX_MPROTECT=y
CONFIG_PAX_NOELFRELOCS=y

#
# Address Space Layout Randomization
#
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y

#
# Miscellaneous hardening features
#
CONFIG_PAX_MEMORY_SANITIZE=y

#
# Grsecurity
#
CONFIG_GRKERNSEC=y
# CONFIG_GRKERNSEC_LOW is not set
# CONFIG_GRKERNSEC_MEDIUM is not set
# CONFIG_GRKERNSEC_HIGH is not set
CONFIG_GRKERNSEC_CUSTOM=y

#
# Address Space Protection
#
# CONFIG_GRKERNSEC_KMEM is not set
# CONFIG_GRKERNSEC_IO is not set
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_BRUTE=y
# CONFIG_GRKERNSEC_MODSTOP is not set
CONFIG_GRKERNSEC_HIDESYM=y

#
# Role Based Access Control Options
#
# CONFIG_GRKERNSEC_ACL_HIDEKERN is not set
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30

#
# Filesystem Protections
#
CONFIG_GRKERNSEC_PROC=y
# CONFIG_GRKERNSEC_PROC_USER is not set
CONFIG_GRKERNSEC_PROC_USERGROUP=y
CONFIG_GRKERNSEC_PROC_GID=533
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y

#
# Kernel Auditing
#
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
# CONFIG_GRKERNSEC_EXECLOG is not set
CONFIG_GRKERNSEC_RESLOG=y
# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
# CONFIG_GRKERNSEC_AUDIT_MOUNT is not set
# CONFIG_GRKERNSEC_AUDIT_IPC is not set
# CONFIG_GRKERNSEC_SIGNAL is not set
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_TIME=y
CONFIG_GRKERNSEC_PROC_IPADDR=y
# CONFIG_GRKERNSEC_AUDIT_TEXTREL is not set

#
# Executable Protections
#
CONFIG_GRKERNSEC_EXECVE=y
CONFIG_GRKERNSEC_SHM=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_RANDPID=y
CONFIG_GRKERNSEC_TPE=y
# CONFIG_GRKERNSEC_TPE_ALL is not set
CONFIG_GRKERNSEC_TPE_INVERT=y
CONFIG_GRKERNSEC_TPE_GID=448

#
# Network Protections
#
CONFIG_GRKERNSEC_RANDNET=y
# CONFIG_GRKERNSEC_SOCKET is not set

#
# Sysctl support
#
CONFIG_GRKERNSEC_SYSCTL=y
# CONFIG_GRKERNSEC_SYSCTL_ON is not set

#
# Logging Options
#
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=4
# CONFIG_KEYS is not set
CONFIG_SECURITY=y
# CONFIG_SECURITY_NETWORK is not set
CONFIG_SECURITY_CAPABILITIES=y
# CONFIG_SECURITY_ROOTPLUG is not set
# CONFIG_SECURITY_SECLVL is not set
```

I have tried to disable grsecurity through sysctl:

```
# sysctl -p /etc/sysctl.conf
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
kernel.panic = 3
kernel.grsecurity.resource_logging = 0
kernel.grsecurity.destroy_unused_shm = 0
kernel.grsecurity.chroot_findtask = 0
kernel.grsecurity.dmesg = 0
kernel.grsecurity.rand_pids = 0
kernel.grsecurity.tpe_gid = 0
kernel.grsecurity.tpe = 0
kernel.grsecurity.chroot_deny_sysctl = 0
kernel.grsecurity.chroot_caps = 0
kernel.grsecurity.chroot_restrict_nice = 0
kernel.grsecurity.chroot_deny_mknod = 0
kernel.grsecurity.chroot_deny_chmod = 0
kernel.grsecurity.chroot_enforce_chdir = 0
kernel.grsecurity.chroot_deny_pivot = 0
kernel.grsecurity.chroot_deny_chroot = 0
kernel.grsecurity.chroot_deny_fchdir = 0
kernel.grsecurity.chroot_deny_mount = 0
kernel.grsecurity.chroot_deny_unix = 0
kernel.grsecurity.chroot_deny_shmat = 0
kernel.grsecurity.timechange_logging = 0
kernel.grsecurity.forkfail_logging = 0
error: "kernel.grsecurity.execve_limiting" is an unknown key
kernel.grsecurity.fifo_restrictions = 0
kernel.grsecurity.linking_restrictions = 0
```

And the RBAC system should be disabled:

```
# gradm -S
The RBAC system is currently disabled.
```

But as you can see in the dmesg above, they are still breaking lots of stuff, even when presumably disabled.

Why???
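A small triage script for the excerpt above, added here and not part of the thread: it separates the RLIMIT lines (grsecurity's resource logging, CONFIG_GRKERNSEC_RESLOG in the config above, which records a process hitting one of its rlimits) from the RBAC capability denials and the flood-protection gaps, and tallies per binary how far each request overshoots its limit. The field layout is assumed from the quoted lines only; the parent-process fields are ignored.

```python
import re
from collections import Counter, defaultdict
# Resource-limit log line (CONFIG_GRKERNSEC_RESLOG); a [comm:pid] token follows the binary path.
RES_RE = re.compile(
    r"grsec: denied resource overstep by requesting (?P<req>\d+) for (?P<res>RLIMIT_\w+) against limit"
    r" (?P<limit>\d+) for (?P<path>[^\[\s]+)\[[^:\]]+:(?P<pid>\d+)\] uid/euid:(?P<uid>\d+)/(?P<euid>\d+)"
)
# RBAC capability denial; the prefix in parentheses is (role:roletype:subject).
CAP_RE = re.compile(
    r"grsec: \((?P<role>[^:)]+):(?P<rtype>[^:)]+):(?P<subject>[^)]+)\) use of (?P<cap>CAP_\w+)"
    r" denied for (?P<path>[^\[\s]+)\[[^:\]]+:(?P<pid>\d+)\] uid/euid:(?P<uid>\d+)/(?P<euid>\d+)"
)

def parse_line(line):
    """Classify one dmesg line; returns a dict with a 'kind' key, or None for non-grsec lines."""
    m = RES_RE.search(line)
    if m:
        return {"kind": "rlimit", "resource": m["res"], "requested": int(m["req"]), "limit": int(m["limit"]),
                "path": m["path"], "pid": int(m["pid"]), "uid": int(m["uid"]), "euid": int(m["euid"])}
    m = CAP_RE.search(line)
    if m:
        return {"kind": "capability", "role": m["role"], "subject": m["subject"], "cap": m["cap"],
                "path": m["path"], "pid": int(m["pid"]), "uid": int(m["uid"]), "euid": int(m["euid"])}
    m = re.search(r"grsec: more alerts, logging disabled for (?P<secs>\d+) seconds", line)
    return {"kind": "flood", "seconds": int(m["secs"])} if m else None

def summarize(lines):
    """Per binary: how often and by how much each rlimit was overshot, capability denials, flood gaps."""
    rlimit = defaultdict(lambda: {"count": 0, "max_requested": 0, "limit": 0})
    caps = Counter()
    flood_events = 0
    for ev in filter(None, map(parse_line, lines)):
        if ev["kind"] == "rlimit":
            rec = rlimit[(ev["path"], ev["resource"])]
            rec["count"] += 1
            rec["max_requested"] = max(rec["max_requested"], ev["requested"])
            rec["limit"] = ev["limit"]
        elif ev["kind"] == "capability":
            caps[(ev["path"], ev["cap"])] += 1
        else:  # flood protection (CONFIG_GRKERNSEC_FLOODTIME/FLOODBURST) dropped alerts,
            flood_events += 1  # so the counts above are lower bounds
    return {"rlimit": dict(rlimit), "capabilities": dict(caps), "flood_events": flood_events}

# Sample input: four lines copied from the dmesg excerpt in the post above.
SAMPLE = [
    "grsec: denied resource overstep by requesting 135168 for RLIMIT_MEMLOCK against limit 32768 for /usr/kde/3.5/bin/artsd[artsd:3386] uid/euid:1000/1000 gid/egid:100/100, parent /usr/kde/3.5/bin/kdeinit[kdeinit:17546] uid/euid:1000/1000 gid/egid:100/100",
    "grsec: denied resource overstep by requesting 131072 for RLIMIT_MEMLOCK against limit 32768 for /usr/kde/3.5/bin/artsd[artsd:30220] uid/euid:1000/1000 gid/egid:100/100, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0",
    "grsec: (default:D:/) use of CAP_SYS_ADMIN denied for /usr/sbin/syslog-ng[syslog-ng:9765] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0",
    "grsec: more alerts, logging disabled for 10 seconds",
]
```

Feed it `dmesg` output line by line; a binary whose `max_requested` sits just above `limit` for RLIMIT_MEMLOCK is a candidate for a per-user limit adjustment rather than a grsecurity change.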

----------

## at

Guys, anyone?

----------

## Sachankara

Well, I know that you don't really want to read this, but "full" grsecurity support and multimedia applications don't really go hand in hand. You'll have to manually adjust all 3D-related drivers and applications with paxctl to get them to even work. Also worth noticing is that most audio and video playback software (mplayer, gstreamer-based applications, etc.) doesn't work unless you compile it with the vanilla compiler, since it uses all sorts of hackish pointers to increase execution speed, which grsecurity doesn't like at all.

If you want a more secure (than most normal systems) desktop system with minimal fuss, I'd suggest you do this instead:

* Compile the entire system with the vanilla compiler.

* Use at least the pie, dlloader and hardened USE flags for all applications/software that support them.

* Make "strong" rules for iptables.

* Use TPE and mount /usr and /opt as read-only. Mount /tmp and /home as non-executable.

* Use Bastille.

* And if you're a bit more adventurous, configure RBAC.

This will give you a multimedia system that will not terminate ugly-written applications like mplayer/gstreamer, but will still keep the system rather safe. Many return-to-libc attacks are killed by glibc's own hardened "profile".

----------

## at

Hi Sachankara,

Thank you very much for your advice. This is the path I was leaning towards myself, especially since grsecurity breaks much more than just multimedia applications.

A couple more questions:

1. Can/shall I use sys-kernel/gentoo-sources?

2. Are default Shorewall rules good enough?

Thank you

----------

## Sachankara

1. You should keep using hardened-sources to keep some of the security features you get from grsecurity and PaX, like TPE, randomized PIDs/memory addresses/etc., chroot restrictions and more.

2. Well, I don't know about Shorewall, since I've never used it. I just configure iptables "by hand". These are some decent rules for a desktop system (not a router):

```
# Flush all rules
iptables -F
iptables -X
# Deny all traffic, except outbound
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
# Allow inbound traffic that belongs to an established connection or is related to outbound traffic
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow all traffic in on the loopback interface. This is needed for some graphical applications.
iptables -A INPUT -i lo -j ACCEPT
```

----------

