Re: [Vserver] hints on kernel configuration using Grsec and Vserver

From: Rik Bobbaers <Rik.Bobbaers_at_cc.kuleuven.be>
Date: Wed 08 Feb 2006 - 10:44:19 GMT
Message-Id: <200602081144.19221.Rik.Bobbaers@cc.kuleuven.be>

On Wednesday 08 February 2006 09:05, Thorsten Büker wrote:
> Dear list,
>
> making use of http://list.linux-vserver.org/archive/vserver/msg11839.html
> I recently patched a 2.6.14.5-Kernel as my first contact with VServer.
> After starting vprocunhide (from package util-vserver) on the Sarge system
> I tried to create a first box:
>
> vserver vhost0 build -m debootstrap --hostname vhost0.DOMAINNAME.de
> --force --context 50 -- -d sarge -m http://update.pureserver.info/debian
>
>
> After extracting all packages the process breaks...
>
> W: Failure trying to run: chroot /etc/vservers/.defaults/vdirbase/vhost0
> mount -t proc proc /proc
>
>
> ...while dmesg says:
>
> grsec: From MYIPADDRESS: denied mount of proc as
> /home/vservers/vhost0/proc from chroot by
> /home/vservers/vhost0/bin/mount[mount:105] uid/euid:0/0 gid/egid:0/0,
> parent /var/tmp/debootstrap.6KTNNr/usr/sbin/debootstrap[debootstrap:5863]
> uid/euid:0/0 gid/egid:0/0
>
>
> I assume this prevention is connected to Grsecurity's /proc-hiding, the
> relevant parts of the current kernel configuration follow below. In case
> this is correct, Grsecurity offers various ways of CONFIG_GRKERNSEC_PROC
> -- but I've got no idea, which one is the right ;-)
> Any advise from your side on a better configuration regarding the needs of
> Vserver is appreciated!

heya,

first thing... vserver uses capabilities... so you should make sure you
disable capability restrictions, otherwise, your vservers will not work...

these are my kernel options:
CONFIG_VSERVER=y
CONFIG_VSERVER_LEGACYNET=y

#
# Linux VServer
#
CONFIG_VSERVER_LEGACY=y
# CONFIG_VSERVER_LEGACY_VERSION is not set
CONFIG_VSERVER_DYNAMIC_IDS=y
# CONFIG_VSERVER_NGNET is not set
CONFIG_VSERVER_COWBL=y
CONFIG_VSERVER_PROC_SECURE=y
CONFIG_VSERVER_HARDCPU=y
CONFIG_VSERVER_HARDCPU_IDLE=y
# CONFIG_INOXID_NONE is not set
# CONFIG_INOXID_UID16 is not set
# CONFIG_INOXID_GID16 is not set
CONFIG_INOXID_UGID24=y
# CONFIG_INOXID_INTERN is not set
# CONFIG_INOXID_RUNTIME is not set
# CONFIG_XID_TAG_NFSD is not set
CONFIG_XID_PROPAGATE=y
CONFIG_VSERVER_DEBUG=y
CONFIG_VSERVER_HISTORY=y
CONFIG_VSERVER_HISTORY_SIZE=64

#
# PaX
#
CONFIG_PAX=y

#
# PaX Control
#
CONFIG_PAX_SOFTMODE=y
CONFIG_PAX_EI_PAX=y
CONFIG_PAX_PT_PAX_FLAGS=y
# CONFIG_PAX_NO_ACL_FLAGS is not set
CONFIG_PAX_HAVE_ACL_FLAGS=y
# CONFIG_PAX_HOOK_ACL_FLAGS is not set

#
# Non-executable pages
#
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
CONFIG_PAX_SEGMEXEC=y
# CONFIG_PAX_DEFAULT_PAGEEXEC is not set
CONFIG_PAX_DEFAULT_SEGMEXEC=y
CONFIG_PAX_EMUTRAMP=y
CONFIG_PAX_MPROTECT=y
CONFIG_PAX_NOELFRELOCS=y
CONFIG_PAX_KERNEXEC=y

#
# Address Space Layout Randomization
#
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
CONFIG_PAX_NOVSYSCALL=y

#
# Grsecurity
#
CONFIG_GRKERNSEC=y
# CONFIG_GRKERNSEC_LOW is not set
# CONFIG_GRKERNSEC_MEDIUM is not set
# CONFIG_GRKERNSEC_HIGH is not set
CONFIG_GRKERNSEC_CUSTOM=y

#
# Address Space Protection
#
CONFIG_GRKERNSEC_KMEM=y
CONFIG_GRKERNSEC_IO=y
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_BRUTE=y
CONFIG_GRKERNSEC_HIDESYM=y

#
# Role Based Access Control Options
#
CONFIG_GRKERNSEC_ACL_HIDEKERN=y
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30

#
# Filesystem Protections
#
CONFIG_GRKERNSEC_PROC=y
CONFIG_GRKERNSEC_PROC_USER=y
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
# CONFIG_GRKERNSEC_CHROOT_CAPS is not set

#
# Kernel Auditing
#
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
# CONFIG_GRKERNSEC_EXECLOG is not set
CONFIG_GRKERNSEC_RESLOG=y
# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
CONFIG_GRKERNSEC_AUDIT_MOUNT=y
# CONFIG_GRKERNSEC_AUDIT_IPC is not set
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_TIME=y
CONFIG_GRKERNSEC_PROC_IPADDR=y
# CONFIG_GRKERNSEC_AUDIT_TEXTREL is not set

#
# Executable Protections
#
CONFIG_GRKERNSEC_EXECVE=y
CONFIG_GRKERNSEC_SHM=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_RANDPID=y
# CONFIG_GRKERNSEC_TPE is not set

#
# Network Protections
#
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_RANDSRC=y
# CONFIG_GRKERNSEC_SOCKET is not set

#
# Sysctl support
#
CONFIG_GRKERNSEC_SYSCTL=y
CONFIG_GRKERNSEC_SYSCTL_ON=y

#
# Logging Options
#
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=4
# CONFIG_KEYS is not set
# CONFIG_SECURITY is not set

-- 
harry
aka Rik Bobbaers
K.U.Leuven - LUDIT          -=- Tel: +32 485 52 71 50
Rik.Bobbaers_at_cc.kuleuven.be -=- http://harry.ulyssis.org
Disclaimer:
By sending an email to ANY of my addresses you are agreeing that:
  1. I am by definition, "the intended recipient"
  2. All information in the email is mine to do with as I see fit and make 
such financial profit, political mileage, or good joke as it lends itself to. 
In particular, I may quote it on usenet.
  3. I may take the contents as representing the views of your company.
  4. This overrides any disclaimer or statement of confidentiality that may be 
included on your message. 
Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm
_______________________________________________
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
Received on Wed Feb 8 10:44:56 2006
[Next/Previous Months] [Main vserver Project Homepage] [Howto Subscribe/Unsubscribe] [Paul Sladen's vserver stuff]
Generated on Wed 08 Feb 2006 - 10:45:03 GMT by hypermail 2.1.8