# Hardened Concerns

## wswartzendruber

I have a ThinkPad T400 that has an existing Gentoo installation on it.  Here is my agenda for this system:

1. Convert the standard install into a hardened one.

2. Encrypt the root partition.

I assume the first logical step is to setup the hardened part of this.  What are the issues with converting a standard install to a hardened one?  Here's what I use mainly:

1. KDE 4.1

2. VirtualBox

And in the future:

3. DRI2 / Compositing

So far I'm eyeballing a basic hardened profile with PAX.

----------

## djinnZ

Converting to the hardened profile implies a gcc downgrade, and this operation fails easily.

My humble suggestion is to rebuild the entire system from scratch.

Some crappy programs such as skype require the new gcc or glibc, so it is not easy to have them on hardened; fglrx (the ati proprietary driver) is not supported on a hardened kernel, and at this time I am unable to use it with pax/grsec active (hardened-sources-2.6.26 vs ati-drivers-8.5x).

I have not tried kde4, but kde 3.5 works fine (and so does the entire system; it is only slower, but to an acceptable degree).

So think about whether you really need the hardened profile or only a more secure installation via HD encryption.

Note that in past years and now I have used only the hardened profile (selinux dropped for its space requirements and slowdown, rsbac due to its instability and because it is not fully documented, and pax/grsec now) on all computers without any damage. I warn you only about possible problems, but the hardened project is not a hack; it is a mature, fully working project.

I do not find it so useful to encrypt the root partition (by order of law I must use windows for my work, so I need to share between the two OSes).

If the laptop has only one user you can think about a shared home, move tmp to RAM and prevent binary alteration with a file alteration monitor (fam, gamin or others) to increase the security.

Obviously these are only suggestions; what you mean to do is not wrong.
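One concrete form of the "prevent binary alteration" suggestion above, added here as an example and not code from the thread: a hash-based integrity baseline rather than a notification daemon such as fam or gamin. It records the SHA-256 digest and permission bits of every regular file under a directory, stores that as JSON, and on a later run reports files added, removed or modified since. The directory tree, the file contents and the tampering in `demo()` are all constructed inside the block.

```python
"""Hash-based integrity baseline for a directory of binaries (example, not from the thread)."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    """Stream the file so large binaries don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file under root (relative path) to its digest and permission bits."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            # Symlinks are skipped: a link pointing elsewhere must not pass as the binary itself.
            if p.is_symlink() or not p.is_file():
                continue
            st = p.stat()
            baseline[str(p.relative_to(root))] = {
                "sha256": _sha256(p),
                "mode": oct(st.st_mode & 0o7777),  # setuid/setgid/sticky bits included
            }
    return baseline


def save_baseline(baseline: dict, out: Path) -> None:
    out.write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def check(root: Path, baseline: dict) -> dict:
    """Compare the tree under root with a stored baseline."""
    current = build_baseline(root)
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(f for f in old & new if current[f] != baseline[f]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then tamper with it and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "tree"
        (root / "bin").mkdir(parents=True)
        (root / "bin" / "ls").write_bytes(b"constructed stand-in for /bin/ls")
        (root / "bin" / "cat").write_bytes(b"constructed stand-in for /bin/cat")
        store = Path(tmp) / "baseline.json"  # kept outside the monitored tree
        save_baseline(build_baseline(root), store)

        (root / "bin" / "ls").write_bytes(b"constructed stand-in, now altered")  # modified
        (root / "bin" / "cat").unlink()                                            # removed
        (root / "bin" / "newtool").write_bytes(b"constructed new file")            # added
        return check(root, load_baseline(store))


if __name__ == "__main__":
    print(demo())
```

The baseline is only as trustworthy as where it is kept: store it outside the monitored tree, ideally on read-only or removable media, since a baseline an intruder can rewrite detects nothing.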

----------

## wswartzendruber

GCC 4.3 isn't supported on hardened?

----------

## Naib

*wswartzendruber wrote:*

> GCC 4.3 isn't supported on hardened?

officially no, there is an unofficial overlay (glad to see ppl read my siggy  :Very Happy: )

https://hardened.gentooexperimental.org/trac/secure/

no problem with kde4 with hardened gcc-4.3.*, don't know about virtualbox

----------

## Sadako

The overlay Naib pointed to is worth using, and if you're using an x86_64 desktop then you most definitely want gcc 4.

I'm using 4.2.4 from the overlay, they have 4.3 as well but it requires a lot more ebuilds from the overlay as gcc 4.3 has introduced quite a few bugs, many of them highlighted under hardened.

Virtualbox is an issue though, I can't use it with hardened sources, from 2.6.24 it freezes my box, even if I build the kernel with all grsec and pax options disabled.

I really need to file a bug report about this, but I don't actually know if this is really a pax/grsec or a virtualbox issue (either is just as likely, and I've heard bad things about how virtualbox manages the memory it assigns its guests, which pax may well take issue with).

I do seem to be the only one experiencing this issue though, so I'd actually love to hear if you have any better luck with it.

Apart from that, hardened works great on the desktop, as long as you don't need binary xorg drivers (and with you being such a rabid intel fanboy that's not bloody likely  :Razz:  ) there shouldn't be any real issue, at the most you may need to switch to vanilla gcc for compiling a small number of packages.

Unless you're using a RBAC system, the overhead at least appears to be very low, unnoticeable really.

----------

## wswartzendruber

*Hopeless wrote:*

> The overlay Naib pointed to is worth using, and if you're using an x86_64 desktop then you most definitely want gcc 4.
> 
> I'm using 4.2.4 from the overlay, they have 4.3 as well but it requires a lot more ebuilds from the overlay as gcc 4.3 has introduced quite a few bugs, many of them highlighted under hardened.
> 
> Virtualbox is an issue though, I can't use it with hardened sources, from 2.6.24 it freezes my box, even if I build the kernel with all grsec and pax options disabled.
> ...

My Vista VM has been doing fine under virtualbox-bin-2.0.4.  Is there anything that says I can't just run a hardened kernel with PAX enabled (what I'm doing now) and just enable some GCC CFLAGS?  What will the difference be between that and running a hardened profile?

----------

## Sadako

*wswartzendruber wrote:*

> My Vista VM has been doing fine under virtualbox-bin-2.0.4.  Is there anything that says I can't just run a hardened kernel with PAX enabled (what I'm doing now) and just enable some GCC CFLAGS?  What will the difference be between that and running a hardened profile?

Umm, wait, are you saying you're using a sys-kernel/hardened-sources kernel with virtualbox, without any issues?

Son of a bitch...

Could I please see your emerge --info and the output of `grep "PAX\|GRKERNSEC"` on your kernel config?

I really don't know how much you can do with forcing CFLAGS as opposed to using a hardened profile, but for one thing the toolchain won't include the pie+other patches, and I know enabling the CFLAGS globally is frowned upon, although you'd have to ask elsewhere for why (like #gentoo-hardened  :Wink:  ).

tbh I really can't think of any good reason to do what you just suggested rather than using a hardened profile.
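The practical difference between forcing CFLAGS and using the hardened toolchain shows up in the binaries that come out, and that can be verified. Below is an added example, not code from the thread or from the hardened project: it parses an ELF64 header and its program headers and reports whether the file is position-independent (`ET_DYN`), whether its `PT_GNU_STACK` header denies execution, whether a `PT_GNU_RELRO` segment exists, and which per-binary PaX markings a `PT_PAX_FLAGS` header carries (the marking a kernel built with `CONFIG_PAX_PT_PAX_FLAGS` reads). Assumptions: the `PT_PAX_FLAGS` type value and flag bits are those defined in the PaX patch; `ET_DYN` alone cannot tell a PIE executable from a shared library; and stack-protector use is not visible from headers, so it is not checked. Both sample images are constructed in the block.

```python
"""Check an ELF64 binary for toolchain/kernel hardening markers (example, not from the thread)."""
import struct
import sys

ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PT_PAX_FLAGS = 0x65041580          # program header type added by the PaX patch
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4
# Per-binary PaX flag bits stored in p_flags of PT_PAX_FLAGS (layout as in the PaX patch's elf.h).
PAX_BITS = {
    "PAGEEXEC": 1 << 4, "NOPAGEEXEC": 1 << 5, "SEGMEXEC": 1 << 6, "NOSEGMEXEC": 1 << 7,
    "MPROTECT": 1 << 8, "NOMPROTECT": 1 << 9, "RANDEXEC": 1 << 10, "NORANDEXEC": 1 << 11,
    "EMUTRAMP": 1 << 12, "NOEMUTRAMP": 1 << 13, "RANDMMAP": 1 << 14, "NORANDMMAP": 1 << 15,
}
EHDR_FMT, PHDR_FMT = "<HHIQQQIHHHHHH", "<IIQQQQQQ"   # ELF64 header (after e_ident) and Phdr


def inspect_elf(data: bytes) -> dict:
    """Report PIE-ness, stack executability, RELRO presence and PaX flags of a little-endian ELF64."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (e_type, _, _, _, phoff, _, _, _, phentsize, phnum, _, _, _) = struct.unpack_from(EHDR_FMT, data, 16)
    report = {
        "pie": e_type == ET_DYN,  # ET_DYN: PIE or a shared object; ET_EXEC is never PIE
        "nx_stack": None,         # None = no PT_GNU_STACK, the kernel falls back to its default
        "relro": False,
        "pax_flags": None,        # None = binary carries no PT_PAX_FLAGS header
    }
    for i in range(phnum):
        p_type, p_flags = struct.unpack_from("<II", data, phoff + i * phentsize)
        if p_type == PT_GNU_STACK:
            report["nx_stack"] = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            report["relro"] = True
        elif p_type == PT_PAX_FLAGS:
            report["pax_flags"] = sorted(n for n, bit in PAX_BITS.items() if p_flags & bit)
    return report


def build_elf(e_type: int, phdrs) -> bytes:
    """Constructed minimal image: an ELF64 header followed by program headers, no code at all."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # class64, little-endian, version 1
    ehdr = ident + struct.pack(EHDR_FMT, e_type, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack(PHDR_FMT, t, f, 0, 0, 0, 0, 0, 8) for t, f in phdrs)
    return ehdr + body


def hardened_sample() -> dict:
    """What a PIE with a non-executable stack, RELRO and PaX markings looks like (constructed)."""
    flags = PAX_BITS["MPROTECT"] | PAX_BITS["RANDMMAP"]
    return inspect_elf(build_elf(ET_DYN, [(PT_GNU_STACK, PF_R | PF_W), (PT_GNU_RELRO, PF_R),
                                          (PT_PAX_FLAGS, flags)]))


def plain_sample() -> dict:
    """A non-PIE executable with an executable stack and no RELRO segment (constructed)."""
    return inspect_elf(build_elf(ET_EXEC, [(PT_GNU_STACK, PF_R | PF_W | PF_X)]))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(inspect_elf(f.read()))
    else:
        print("hardened:", hardened_sample())
        print("plain:   ", plain_sample())
```

Run it against a binary built under each setup (`python check_elf.py /path/to/binary`, the script name being whatever you save it as) and compare the two reports; a toolchain that only received extra CFLAGS typically produces `ET_EXEC` files with no `PT_PAX_FLAGS` header.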

----------

## wswartzendruber

*Hopeless wrote:*

> *wswartzendruber wrote:*
> > My Vista VM has been doing fine under virtualbox-bin-2.0.4.  Is there anything that says I can't just run a hardened kernel with PAX enabled (what I'm doing now) and just enable some GCC CFLAGS?  What will the difference be between that and running a hardened profile?
> 
> Umm, wait, are you saying you're using a sys-kernel/hardened-sources kernel with virtualbox, without any issues?
> 
> Son of a bitch...
> 
> Could I please see your emerge --info and the output of `grep "PAX\|GRKERNSEC"` on your kernel config?
> ...

Yes, but it's the binary release of VirtualBox, not the one compiled from source.  I haven't tried that yet.  Also, nothing is different from before except for the kernel being from hardened-sources.

Now...

`emerge --info`

```
Portage 2.2_rc13 (default/linux/amd64/2008.0/desktop, gcc-4.3.2, glibc-2.8_p20080602-r0, 2.6.27-hardened x86_64)
=================================================================
System uname: Linux-2.6.27-hardened-x86_64-Intel-R-_Core-TM-2_Duo_CPU_P8400_@_2.26GHz-with-glibc2.2.5
Timestamp of tree: Wed, 05 Nov 2008 01:07:03 +0000
app-shells/bash:     3.2_p39
dev-lang/python:     2.5.2-r8
dev-util/cmake:      2.6.2
sys-apps/baselayout: 2.0.0
sys-apps/openrc:     0.3.0-r1
sys-apps/sandbox:    1.2.18.1-r3
sys-devel/autoconf:  2.13, 2.63
sys-devel/automake:  1.7.9-r1, 1.9.6-r2, 1.10.1-r1
sys-devel/binutils:  2.19
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   2.2.6a
virtual/os-headers:  2.6.27-r2
ACCEPT_KEYWORDS="amd64 ~amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -march=native -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/config"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-O2 -march=native -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="distlocks parallel-fetch preserve-libs protect-owned sandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LDFLAGS="-Wl,-O1"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage/layman/kde-testing"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X a52 aac acl acpi aiglx aim alsa amd64 aotuv asf bash-completion berkdb bluetooth branding bzip2 cairo cdda cdparanoia cdr cli cracklib crypt dbus dri dts dvb dvd dvdr dvdread emboss encode evo examples fam fbcon ffmpeg firefox flac fortran ftp fuse gdbm gif glib glitz gpm gstreamer hal iconv imap ipod isdnlog javascript jpeg jpeg2k libnotify libwww lm_sensors lzma mad matroska matrox midi mikmod mime mmx mmxext mng mp3 mpeg msn mudflap multilib musepack ncurses nls nptl nptlonly nsplugin ogg oggvorbis opengl openmp pam pcmcia pcre pdf perl png pnp posix ppds pppd python qt3support qt4 quicktime readline reflection sdl session smp sockets speex spell spl sqlite srt sse sse2 sse3 ssl ssse3 startup-notification svg sysfs syslog szip tcl tcpd tga theora threads tiff truetype truetype-fonts unicode usb v4l2 vorbis vorbis-psy wifi wma wmf x264 xchattext xcomposite xine xml xorg xv xvid yahoo zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="intel"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG, LC_ALL, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
```

`cat .config | grep "PAX\|GRKERNSEC"`

```
# CONFIG_GRKERNSEC is not set
CONFIG_PAX=y
# CONFIG_PAX_SOFTMODE is not set
CONFIG_PAX_EI_PAX=y
CONFIG_PAX_PT_PAX_FLAGS=y
CONFIG_PAX_NO_ACL_FLAGS=y
# CONFIG_PAX_HAVE_ACL_FLAGS is not set
# CONFIG_PAX_HOOK_ACL_FLAGS is not set
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
CONFIG_PAX_EMUTRAMP=y
CONFIG_PAX_MPROTECT=y
# CONFIG_PAX_NOELFRELOCS is not set
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
# CONFIG_PAX_MEMORY_SANITIZE is not set
# CONFIG_PAX_REFCOUNT is not set
```
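Reading a grep like the one above by eye is fine for one box, but the `.config` format (`CONFIG_X=y` versus `# CONFIG_X is not set`) is easy to parse. The script below is an added example, not code from the thread or from the hardened project: it parses a kernel config, lists which PaX/grsecurity options are on or off, and flags which of a small expected set are missing. The expected set is this example's own choice; the embedded sample is the grep output posted above, and a second, constructed variant has `CONFIG_PAX_MPROTECT` switched off, which a later post in this thread mentions doing to get fglrx running. Note that the posted config has `CONFIG_GRKERNSEC` unset, i.e. PaX alone without grsecurity, and the audit reports that.

```python
"""Parse a Linux kernel .config and audit its PaX/grsecurity options (example, not from the thread)."""
import re
import sys
from typing import Dict, List, Optional

_SET = re.compile(r"^(CONFIG_[A-Za-z0-9_]+)=(.*)$")
_UNSET = re.compile(r"^# (CONFIG_[A-Za-z0-9_]+) is not set$")

# The grep output posted in the thread (only PAX/GRKERNSEC lines survive the grep).
POSTED_CONFIG = """\
# CONFIG_GRKERNSEC is not set
CONFIG_PAX=y
# CONFIG_PAX_SOFTMODE is not set
CONFIG_PAX_EI_PAX=y
CONFIG_PAX_PT_PAX_FLAGS=y
CONFIG_PAX_NO_ACL_FLAGS=y
# CONFIG_PAX_HAVE_ACL_FLAGS is not set
# CONFIG_PAX_HOOK_ACL_FLAGS is not set
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
CONFIG_PAX_EMUTRAMP=y
CONFIG_PAX_MPROTECT=y
# CONFIG_PAX_NOELFRELOCS is not set
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
# CONFIG_PAX_MEMORY_SANITIZE is not set
# CONFIG_PAX_REFCOUNT is not set
"""


def parse_config(text: str) -> Dict[str, Optional[str]]:
    """Return {option: value}. '# CONFIG_X is not set' maps to None; other comments are ignored."""
    opts: Dict[str, Optional[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = _SET.match(line)
        if m:
            opts[m.group(1)] = m.group(2).strip('"')   # string options keep their quotes in .config
            continue
        m = _UNSET.match(line)
        if m:
            opts[m.group(1)] = None
    return opts


# Options this example expects on for a desktop PaX kernel; the list is the example's own choice.
EXPECTED_ON: List[str] = [
    "CONFIG_PAX", "CONFIG_PAX_NOEXEC", "CONFIG_PAX_PAGEEXEC", "CONFIG_PAX_MPROTECT",
    "CONFIG_PAX_ASLR", "CONFIG_PAX_RANDUSTACK", "CONFIG_PAX_RANDMMAP",
]


def audit(opts: Dict[str, Optional[str]], prefixes=("CONFIG_PAX", "CONFIG_GRKERNSEC")) -> dict:
    """Summarise the PaX/grsec state of a parsed config."""
    relevant = {k: v for k, v in opts.items() if k.startswith(prefixes)}
    return {
        "enabled": sorted(k for k, v in relevant.items() if v == "y"),
        "disabled": sorted(k for k, v in relevant.items() if v is None),
        "expected_but_off": [k for k in EXPECTED_ON if opts.get(k) != "y"],
        "grsecurity": opts.get("CONFIG_GRKERNSEC") == "y",
    }


def audit_posted() -> dict:
    return audit(parse_config(POSTED_CONFIG))


def audit_mprotect_off() -> dict:
    """Constructed variant: the posted config with PAX_MPROTECT disabled."""
    relaxed = POSTED_CONFIG.replace("CONFIG_PAX_MPROTECT=y", "# CONFIG_PAX_MPROTECT is not set")
    return audit(parse_config(relaxed))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            report = audit(parse_config(f.read()))
    else:
        report = audit_posted()
    for key, val in report.items():
        print(f"{key}: {val}")
```

Point it at `/usr/src/linux/.config` (or `/proc/config.gz` after decompression) to audit a running kernel rather than the embedded sample.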

----------

## Sadako

Thank you, I'll have to play around a little, see what I have to do to get it working here.

I haven't actually booted 2.6.27 yet, so maybe it's fixed in that...

Did you run virtualbox under 2.6.26 or earlier hardened-sources?

It's the binary version I'm running as well, I need the usb functionality, and last time I tried it the OSE version needed multilib to compile (boo).

Getting back to your original post, as you'll be doing some manipulation of / in order to encrypt it anyway, why not just start a new install in a chroot using a hardened profile?

----------

## djinnZ

With 2.6.26 there are some problems in the memory allocation; until 2.6.24 I was able to run fglrx without problems (with limited use of pax; some options such as PAX_MPROTECT must be disabled). It can be the same problem with VirtualBox (when I have time I will try it on the server).

I will take the suggestion to try 2.6.27 also.

The strange thing is that some other kernel settings, such as enabling preempt or disabling relayfs, will lock X (it does not exit or report any error, it only locks the screen blank).

The closed drivers will run with limited hardening, but you can use them (because finding a low cost 17" laptop with intel is not so easy, you can only "pray" every day against nvidia/ati at this moment).

@hopeless: I have not found RSBAC so slow (grsec has a minimal ruleset now and there is no difference; later I will evaluate the impact of a complete configuration); everything is determined by the complexity of the rules.

Selinux (in fact the only noticeable difference between the selinux and hardened profiles is the selinux USE flag and some masked packages) is perhaps very slow, and I have experienced troubles on the partitions after disabling the security labels.

Another option problematic for performance is memory sanitize in pax, especially at compile time; my solution is to have two kernels, one for normal running and one only to run `emerge -DNu world`.

Using pax without the smash protections seems not useful to me.

----------

## Sadako

This is still kicking my ass...

wswartzendruber: could you please upload (ompload?) your full working hardened-sources 2.6.27 config, so I can see if I can get that working with just adding the hardware drivers I need?

Oh, and I do apologise wholeheartedly for the thread hijack, old chap.  :Wink: 

----------

