# hardened + ck patchsets = ?

## Veldrin

Dear All,

I recently came up with the 'stupid' idea of combining the hardened patchset (as available via portage) with the ck patchset (taken from Con Kolivas' page).

As both sets patch the same part of the kernel source, a little handy work is necessary to get all patches to apply cleanly.

(no, there is no ebuild available)

I haven't done any benchmark tests, but IMO the kernel feels faster and more responsive than a plain hardened kernel.

How bad is that combination?

ck focuses on interactivity, while hardened focuses on security: do they work well together, or am I trying to move in opposite directions?

This is not a support question, but I'd like to hear some additional opinions. 

V.

----------

## PaulBredbury

*Veldrin wrote:*

> opinions

I would call "hardened" overkill. I chose AppArmor instead.

----------

## aCOSwt

Hmmm... the idea is not stupid... a priori!

blueness also played that sort of game some time ago: http://archives.gentoo.org/gentoo-hardened/msg_925f75467534309229c3921d6963837b.xml

Might be interesting to ask him why he stopped immediately after his first try though.

EDIT: Oh, BTW, I, personally, would have done things just... the other way round.

----------

## Veldrin

*Quote:*

> I would call "hardened" overkill. I chose AppArmor instead.

I thought AppArmor was to protect 'server' services, and not for desktop/notebook environments.

I did not mention it, but I run that kernel on my desktop and notebook. I do not see any advantage in running it on my server.

On the other hand, I mainly/only use the PaX part of hardened. I gave some tries to grsec, but it would never work. I guess I have not tried hard enough.

How well is AppArmor supported/developed nowadays?

The last time I checked (a few months back) it seemed rather quiet, if not already dead.

OTOH, pax/grsec is also in maintenance-only mode.

*Quote:*

> EDIT: Oh, BTW, I, personally, would have done things just... the other way round.

What do you mean by the other way around? Started with CK-Sources and applied hardened on top?

If I find some time, I might poke blueness about it. From the post, it seems that he wanted to add BFS-only (and not the entire patchset), but exactly the BFS part is troublesome.

----------

## PaulBredbury

*Veldrin wrote:*

> not for desktop/notebook environments

Lolwut? AppArmor is installed and active by default in Ubuntu (including protection for java in firefox), and I think in Opensuse also. Most Ubuntu users probably don't even notice it.

Setting up custom, tight profiles for e.g. firefox and evolution gives me a warm fuzzy feeling of protectedness. Especially with the recent java exploit.

----------

## 188562

*Quote:*

> no, there is no ebuild available

sys-kernel/geek-sources includes not only ck but also the grsecurity/hardened patchset… And there is a wiki.

----------

## 188562

…unfortunately the latest 4420_grsecurity-2.9.1-3.7.1-201301041854.patch does not apply normally to 3.7.2,

and vanilla ck & grsecurity can also conflict

----------

## Veldrin

*PaulBredbury wrote:*

> *Veldrin wrote:* not for desktop/notebook environments
>
> Lolwut? AppArmor is installed and active by default in Ubuntu (including protection for java in firefox), and I think in Opensuse also. Most Ubuntu users probably don't even notice it.
>
> Setting up custom, tight profiles for e.g. firefox and evolution gives me a warm fuzzy feeling of protectedness. Especially with the recent java exploit.

I take everything back, and state the opposite.

Is there any good documentation on how to configure that java protection on firefox? Or some other 'Office Applications' if applicable/usable?

@init_6: I forgot about the custom patchsets. Although I do not like heavily patched kernel sources (IMO/IME they tend to be unstable), the geek-sources look intriguing.

V.

----------

## 188562

*Veldrin wrote:*

> @init_6: I forgot about the custom patchsets. Although I do not like heavily patched kernel sources (IMO/IME they tend to be unstable), the geek-sources look intriguing.

I played a little with 3.7.1… so

```
# set grsecurity first in order
> echo 'GEEKSOURCES_PATCHING_ORDER="grsecurity vserver bfq ck genpatches ice imq reiser4 rifs rt bld uksm aufs mageia fedora suse debian pardus pld zfs branding fix zen upatch"' > /etc/portage/kernel.conf
```

1) GrSecurity+bfq

```
> USE="bfq grsecurity" ebuild geek-sources-3.7.1.ebuild compile
 * linux-3.7.tar.xz SHA256 SHA512 WHIRLPOOL size ;-) ...                                                               [ ok ]
 * patch-3.7.1.xz SHA256 SHA512 WHIRLPOOL size ;-) ...                                                                 [ ok ]
>>> Unpacking source...
 * Extract the sources ...                                                                                             [ ok ]
 * Update to latest upstream ...
 * Applying patch-3.7.1.xz ...                                                                                         [ ok ]
>>> Source unpacked in /var/tmp/portage/sys-kernel/geek-sources-3.7.1/work
>>> Preparing source in /var/tmp/portage/sys-kernel/geek-sources-3.7.1/work/linux-3.7.1-geek ...
 * Use GEEKSOURCES_PATCHING_ORDER="grsecurity vserver bfq ck genpatches ice imq reiser4 rifs rt bld uksm aufs mageia fedora suse debian pardus pld zfs branding fix zen upatch" from /etc/portage/kernel.conf
 Generated by patch_maker.sh script v-0.5
 Grabbed on 2013-01-15 12:06:54 EET
 url: git://git.overlays.gentoo.org/proj/hardened-patchset.git
 local branch: master
 tracking branch: refs/heads/master
 tracking remote: origin
 * GrSecurity patches - http://grsecurity.net http://www.gentoo.org/proj/en/hardened
 * Applying 4420_grsecurity-2.9.1-3.7.1-201301041854.patch ...                                                         [ ok ]
 * Applying 4425_grsec_remove_EI_PAX.patch ...                                                                         [ ok ]
 * Applying 4430_grsec-remove-localversion-grsec.patch ...
 * Skipping empty patch --> 4430_grsec-remove-localversion-grsec.patch                                                 [ ok ]
 * Applying 4435_grsec-mute-warnings.patch ...                                                                         [ ok ]
 * Applying 4440_grsec-remove-protected-paths.patch ...                                                                [ ok ]
 * Applying 4450_grsec-kconfig-default-gids.patch ...                                                                  [ ok ]
 * Applying 4465_selinux-avc_audit-log-curr_ip.patch ...                                                               [ ok ]
 * Applying 4470_disable-compat_vdso.patch ...                                                                         [ ok ]
 Generated by patch_maker.sh script v-0.5
 Grabbed on 2013-01-09 10:58:53 EET
 From: http://algo.ing.unimo.it/people/paolo/disk_sched/patches/3.7.0-v5r1
 * Budget Fair Queueing Budget I/O Scheduler - http://algo.ing.unimo.it/people/paolo/disk_sched/
 * Applying 0001-block-cgroups-kconfig-build-bits-for-BFQ-v5r1-3.7.patch ...                                           [ ok ]
 * Applying 0002-block-introduce-the-BFQ-v5r1-I-O-sched-for-3.7.patch ...                                              [ ok ]
acpi-ec-add-delay-before-write.patch Oops: ACPI: EC: input buffer is not empty, aborting transaction - 2.6.32 regression https://bugzilla.kernel.org/show_bug.cgi?id=14733#c41
nouveau_therm_alarms-3.7.patch thx ROKO__! from https://gitorious.org/linux-nouveau-pm/linux-nouveau-pm/commits/thermal
3.7.0-Fix-DVB-ioctls-failing-if-frontend-open-closed-too-fast.patch fix dvb issues see: http://forum.manjaro.org/index.php?topic=1108.0
3.7.0-fat.patch fix cosmetic fat issue https://bugs.archlinux.org/task/32916
3.7.1-watchdog-fix-disable-enable-regression.patch fix watchdog enable/disable regression https://bugs.archlinux.org/task/33095
kernel-37-gcc47-1.patch.gz Patch source to enable more gcc CPU optimizatons via the make nconfig http://repo-ck.com/source/gcc_patch/kernel-37-gcc47-1.patch.gz
 * Fixes for current kernel
 * Applying acpi-ec-add-delay-before-write.patch ...                                                                   [ ok ]
 * Applying nouveau_therm_alarms-3.7.patch ...                                                                         [ ok ]
 * Applying 3.7.0-fat.patch ...                                                                                        [ ok ]
 * Applying 3.7.0-Fix-DVB-ioctls-failing-if-frontend-open-closed-too-fast.patch ...                                    [ ok ]
 * Applying 3.7.1-watchdog-fix-disable-enable-regression.patch ...                                                     [ ok ]
 * Applying kernel-37-gcc47-1.patch.gz ...
 * Skipping patch --> kernel-37-gcc47-1.patch.gz                                                                       [ ok ]
 * Set extraversion in Makefile
 * Copy current config from /proc
 * Cleanup backups after patching
 * Compile gen_init_cpio
make: Entering directory `/var/tmp/portage/sys-kernel/geek-sources-3.7.1/work/linux-3.7.1-geek/usr'
cc -march=core2 -O2 -ftree-vectorize -pipe -mstackrealign --param l1-cache-size=32 --param l1-cache-line-size=64 --param l2-cache-size=1024 -mssse3 -mfpmath=sse,387 -mtune=generic -falign-functions=4 -fforce-addr -floop-block -floop-interchange -floop-strip-mine -fno-ident -fomit-frame-pointer -ftracer -ftree-loop-distribution -fweb -march=core2 -O2 -ftree-vectorize -pipe -mstackrealign --param l1-cache-size=32 --param l1-cache-line-size=64 --param l2-cache-size=1024 -mssse3 -mfpmath=sse,387 -mtune=generic -falign-functions=4 -fforce-addr -floop-block -floop-interchange -floop-strip-mine -fno-ident -fomit-frame-pointer -ftracer -ftree-loop-distribution -fweb -Wl,-O1 -Wl,--as-needed -Wl,--warn-once -Wl,--hash-style=gnu  gen_init_cpio.c   -o gen_init_cpio
make: Leaving directory `/var/tmp/portage/sys-kernel/geek-sources-3.7.1/work/linux-3.7.1-geek/usr'
 * kernel: >> Running oldconfig... ...                                                                                 [ ok ]
 * kernel: >> Running modules_prepare... ...                                                                           [ ok ]
 * Live long and prosper.
>>> Source prepared.
>>> Configuring source in /var/tmp/portage/sys-kernel/geek-sources-3.7.1/work/linux-3.7.1-geek ...
>>> Source configured.
>>> Compiling source in /var/tmp/portage/sys-kernel/geek-sources-3.7.1/work/linux-3.7.1-geek ...
>>> Source compiled.
```

2) GrSecurity+ck

```
> USE="ck grsecurity" ebuild geek-sources-3.7.1.ebuild compile
 * linux-3.7.tar.xz SHA256 SHA512 WHIRLPOOL size ;-) ...                                                               [ ok ]
 * patch-3.7.1.xz SHA256 SHA512 WHIRLPOOL size ;-) ...                                                                 [ ok ]
 * patch-3.7-ck1.lrz SHA256 SHA512 WHIRLPOOL size ;-) ...                                                              [ ok ]
>>> Unpacking source...
 * Extract the sources ...                                                                                             [ ok ]
 * Update to latest upstream ...
 * Applying patch-3.7.1.xz ...                                                                                         [ ok ]
>>> Source unpacked in /var/tmp/portage/sys-kernel/geek-sources-3.7.1/work
>>> Preparing source in /var/tmp/portage/sys-kernel/geek-sources-3.7.1/work/linux-3.7.1-geek ...
 * Use GEEKSOURCES_PATCHING_ORDER="grsecurity vserver bfq ck genpatches ice imq reiser4 rifs rt bld uksm aufs mageia fedora suse debian pardus pld zfs branding fix zen upatch" from /etc/portage/kernel.conf
 Generated by patch_maker.sh script v-0.5
 Grabbed on 2013-01-15 12:06:54 EET
 url: git://git.overlays.gentoo.org/proj/hardened-patchset.git
 local branch: master
 tracking branch: refs/heads/master
 tracking remote: origin
 * GrSecurity patches - http://grsecurity.net http://www.gentoo.org/proj/en/hardened
 * Applying 4420_grsecurity-2.9.1-3.7.1-201301041854.patch ...                                                         [ ok ]
 * Applying 4425_grsec_remove_EI_PAX.patch ...                                                                         [ ok ]
 * Applying 4430_grsec-remove-localversion-grsec.patch ...
 * Skipping empty patch --> 4430_grsec-remove-localversion-grsec.patch                                                 [ ok ]
 * Applying 4435_grsec-mute-warnings.patch ...                                                                         [ ok ]
 * Applying 4440_grsec-remove-protected-paths.patch ...                                                                [ ok ]
 * Applying 4450_grsec-kconfig-default-gids.patch ...                                                                  [ ok ]
 * Applying 4465_selinux-avc_audit-log-curr_ip.patch ...                                                               [ ok ]
 * Applying 4470_disable-compat_vdso.patch ...                                                                         [ ok ]
 * Con Kolivas high performance patchset - http://users.on.net/~ckolivas/kernel
 * Applying patch-3.7-ck1.lrz ...
 * Skipping patch --> patch-3.7-ck1.lrz                                                                                [ ok ]
acpi-ec-add-delay-before-write.patch Oops: ACPI: EC: input buffer is not empty, aborting transaction - 2.6.32 regression https://bugzilla.kernel.org/show_bug.cgi?id=14733#c41
nouveau_therm_alarms-3.7.patch thx ROKO__! from https://gitorious.org/linux-nouveau-pm/linux-nouveau-pm/commits/thermal
3.7.0-Fix-DVB-ioctls-failing-if-frontend-open-closed-too-fast.patch fix dvb issues see: http://forum.manjaro.org/index.php?topic=1108.0
3.7.0-fat.patch fix cosmetic fat issue https://bugs.archlinux.org/task/32916
3.7.1-watchdog-fix-disable-enable-regression.patch fix watchdog enable/disable regression https://bugs.archlinux.org/task/33095
kernel-37-gcc47-1.patch.gz Patch source to enable more gcc CPU optimizatons via the make nconfig http://repo-ck.com/source/gcc_patch/kernel-37-gcc47-1.patch.gz
 * Fixes for current kernel
 * Applying acpi-ec-add-delay-before-write.patch ...                                                                   [ ok ]
 * Applying nouveau_therm_alarms-3.7.patch ...                                                                         [ ok ]
 * Applying 3.7.0-fat.patch ...                                                                                        [ ok ]
 * Applying 3.7.0-Fix-DVB-ioctls-failing-if-frontend-open-closed-too-fast.patch ...                                    [ ok ]
 * Applying 3.7.1-watchdog-fix-disable-enable-regression.patch ...                                                     [ ok ]
 * Applying kernel-37-gcc47-1.patch.gz ...
 * Skipping patch --> kernel-37-gcc47-1.patch.gz                                                                       [ ok ]
 * Set extraversion in Makefile
 * Copy current config from /proc
 * Cleanup backups after patching
 * Compile gen_init_cpio
make: Entering directory `/var/tmp/portage/sys-kernel/geek-sources-3.7.1/work/linux-3.7.1-geek/usr'
cc -march=core2 -O2 -ftree-vectorize -pipe -mstackrealign --param l1-cache-size=32 --param l1-cache-line-size=64 --param l2-cache-size=1024 -mssse3 -mfpmath=sse,387 -mtune=generic -falign-functions=4 -fforce-addr -floop-block -floop-interchange -floop-strip-mine -fno-ident -fomit-frame-pointer -ftracer -ftree-loop-distribution -fweb -march=core2 -O2 -ftree-vectorize -pipe -mstackrealign --param l1-cache-size=32 --param l1-cache-line-size=64 --param l2-cache-size=1024 -mssse3 -mfpmath=sse,387 -mtune=generic -falign-functions=4 -fforce-addr -floop-block -floop-interchange -floop-strip-mine -fno-ident -fomit-frame-pointer -ftracer -ftree-loop-distribution -fweb -Wl,-O1 -Wl,--as-needed -Wl,--warn-once -Wl,--hash-style=gnu  gen_init_cpio.c   -o gen_init_cpio
make: Leaving directory `/var/tmp/portage/sys-kernel/geek-sources-3.7.1/work/linux-3.7.1-geek/usr'
 * kernel: >> Running oldconfig... ...                                                                                 [ ok ]
 * kernel: >> Running modules_prepare... ...                                                                           [ ok ]
 * Live long and prosper.
>>> Source prepared.
>>> Configuring source in /var/tmp/portage/sys-kernel/geek-sources-3.7.1/work/linux-3.7.1-geek ...
>>> Source configured.
>>> Compiling source in /var/tmp/portage/sys-kernel/geek-sources-3.7.1/work/linux-3.7.1-geek ...
>>> Source compiled.
```

----------

## PaulBredbury

After you've installed AppArmor:

```
man apparmor.d
```

And look at all the examples in /etc/apparmor.d/

----------

## 188562

3) GrSecurity+all

http://pastebin.com/pwDxjNPa

As you can see, GrSecurity is not compatible only with CK and uksm. And I have not tried to build or use it.

----------

## Veldrin

*PaulBredbury wrote:*

> After you've installed AppArmor:
>
> ```
> man apparmor.d
> ```
> ...

I seem to be missing the example profiles.

At least if I emerge apparmor-utils (which pulls in the rest), /etc/apparmor.d is empty.

I unpacked them directly from the tarball, so I can get at least some parts working.

I am lazy, therefore I try to borrow as many parts as possible from apparmor.net and/or ubuntu.

I am getting the following error on booting a kernel with apparmor enabled (3.7.1 + hardened + ck).

```
root@belshirash ~ # aa-status
apparmor module is loaded.
You do not have enough privilege to read the profile set.
root@belshirash security # /etc/init.d/apparmor start
 * Starting apparmor ...
grep: /proc/modules: No such file or directory
 *   apparmor compatibility is not present in the kernel                                                                                   [ !! ]
 * ERROR: apparmor failed to start
```

To be honest, I have not configured much, so it may be that I have missed some important part. Any hint would be nice.

NB: I am running a complete monolithic kernel - module support has been completely disabled!

@init_6: Thanks again for the brief tests.

I guess I have to add another overlay - *sigh*

V.
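The init script failure quoted above comes from probing `/proc/modules`, which does not exist on a kernel built with CONFIG_MODULES=n. The check below is an added example, not code from the thread or from the AppArmor project: it asks the kernel about AppArmor through the LSM's own interfaces (`/sys/module/apparmor/parameters/enabled` and the securityfs directory the userspace tools read profiles from) and only falls back to `/proc/modules` when that file is present. The function name `apparmor_state` and its optional root-prefix argument (used here to run it against a constructed fake /sys tree) are assumptions of this example.

```shell
#!/bin/sh
# Report AppArmor kernel support without depending on /proc/modules.
# $1 is an optional root prefix (hypothetical, for testing against a
# constructed tree); leave it empty to inspect the running system.
# Prints one of: enabled, enabled-no-securityfs, disabled, absent.
# Exit status: 0 only when AppArmor is enabled and securityfs is mounted.
apparmor_state() {
    root="${1:-}"
    enabled="$root/sys/module/apparmor/parameters/enabled"
    secfs="$root/sys/kernel/security/apparmor"
    # The parameter node exists whether the LSM is built in or modular,
    # so it works on a monolithic kernel; 'Y' means active on this boot.
    if [ -r "$enabled" ]; then
        case "$(cat "$enabled")" in
            Y) ;;
            *) echo "disabled"; return 1 ;;
        esac
        # aa-status and the profile loader talk to the kernel via securityfs;
        # if it is not mounted, the tools fail even though the LSM is active.
        if [ -d "$secfs" ]; then
            echo "enabled"; return 0
        fi
        echo "enabled-no-securityfs"; return 2
    fi
    # Last resort, only meaningful when module support exists at all:
    # on a CONFIG_MODULES=n kernel /proc/modules is simply missing, which
    # is what the init script's grep complained about in the thread.
    if [ -r "$root/proc/modules" ] && grep -q '^apparmor ' "$root/proc/modules"; then
        echo "enabled"; return 0
    fi
    echo "absent"; return 3
}

# Build a constructed (fake) sysfs tree under $1 reporting state $2 (Y or N).
# Only used to exercise apparmor_state offline; never point it at a real /.
make_fake_sys() {
    mkdir -p "$1/sys/module/apparmor/parameters" "$1/sys/kernel/security/apparmor"
    printf '%s\n' "$2" > "$1/sys/module/apparmor/parameters/enabled"
}

# On a live system: apparmor_state   (exit status 0 means the tools can work)
```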

----------

## PaulBredbury

When you compile apparmor, use e.g.:

```
  pushd . &&
  cd profiles &&
  make &&
  make install &&
  popd
```

Compile firefox with this patch, so the /usr/lib/ dirname doesn't change.

----------

## 188562

*Veldrin wrote:*

> @init_6: Thanks again for the brief tests.
>
> I guess I have to add another overlay - *sigh*

If you need GrSecurity with ck then you have to fix GrSecurity or ck yourself… Other overlays will not help.

----------

