Re: [Vserver] vserver and grsec

From: Daniel Ortiz <zaterio_at_othernet.cl>
Date: Wed 01 Mar 2006 - 13:04:58 GMT
Message-Id: <20060301130531.44A5B56DA8F@daffy.hulpsystems.net>

Rik Bobbaers wrote:
 
>hey all,
>
>for those interested...
>i took a vanilla linux 2.6.14.4 kernel
>patched it with an updated version of grsec 2.1.7
>and applied vserver 2.1.0 patch (including the sendfile patch and a
>"optimisation" for some weirdness in grsec)
>
>i put it all in a patch , which can be located at:
>http://harry.ulyssis.org/patch-2.6.14.4-vs2.1.0-grsec2.1.7.diff.gz
>http://harry.ulyssis.org/patch-2.6.14.4-vs2.1.0-grsec2.1.7.diff
>
>1 thing... if you can't start your vservers and get the following error
>message:
>vcontext: vc_set_cflags(): Operation not permitted
>you need to enable capabilities in chroots. you can do this with:
>echo 0 > /proc/sys/kernel/grsecurity/chroot_caps
>(or the appropriate sysctl command ;))
>
>if people think it's a good thing to merge the patches... just let me know,
>i'll see what i can do to keep this a little bit up to date.
>
>have fun all!
>
>
>Works like a charm :-) I don't use the PAX part, but no problems with
>vserver and proc_security/randomness features.
>
>Thanks a lot!
>
>Merry Xmas,
>Oliver


For the last two weeks I have been trying to run a grsec-vserver kernel, with no results:

I took the same kernel (2.6.14.4) and patched it with patch-2.6.14.4-vs2.1.0-grsec2.1.7.diff using:

patch -p0 < patch-2.6.14.4-vs2.1.0-grsec2.1.7.diff

PaX is disabled. When I try to run gradm 2.17 or gradm 2.18, the system tells me:

"incompatible gradm and grsecurity versions"
 
Vserver and grsecurity compile options:
 
 
#
# Linux VServer
#
CONFIG_VSERVER_LEGACY=y
# CONFIG_VSERVER_LEGACY_VERSION is not set
CONFIG_VSERVER_DYNAMIC_IDS=y
# CONFIG_VSERVER_NGNET is not set
CONFIG_VSERVER_COWBL=y
# CONFIG_VSERVER_PROC_SECURE is not set
CONFIG_VSERVER_HARDCPU=y
CONFIG_VSERVER_HARDCPU_IDLE=y
# CONFIG_INOXID_NONE is not set
# CONFIG_INOXID_UID16 is not set
# CONFIG_INOXID_GID16 is not set
CONFIG_INOXID_UGID24=y
# CONFIG_INOXID_INTERN is not set
# CONFIG_INOXID_RUNTIME is not set
# CONFIG_XID_TAG_NFSD is not set
CONFIG_XID_PROPAGATE=y
CONFIG_VSERVER_DEBUG=y
CONFIG_VSERVER_HISTORY=y
CONFIG_VSERVER_HISTORY_SIZE=64
#
# Grsecurity
#
CONFIG_GRKERNSEC=y
# CONFIG_GRKERNSEC_LOW is not set
# CONFIG_GRKERNSEC_MEDIUM is not set
CONFIG_GRKERNSEC_HIGH=y
# CONFIG_GRKERNSEC_CUSTOM is not set
 
#
# Address Space Protection
#
CONFIG_GRKERNSEC_KMEM=y
CONFIG_GRKERNSEC_IO=y
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_BRUTE=y
CONFIG_GRKERNSEC_HIDESYM=y
 
#
# Role Based Access Control Options
#
CONFIG_GRKERNSEC_ACL_HIDEKERN=y
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30
 
#
# Filesystem Protections
#
CONFIG_GRKERNSEC_PROC=y
CONFIG_GRKERNSEC_PROC_USER=y
CONFIG_GRKERNSEC_PROC_USERGROUP=y
CONFIG_GRKERNSEC_PROC_GID=1001
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
# CONFIG_GRKERNSEC_CHROOT_DOUBLE is not set
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
# CONFIG_GRKERNSEC_CHROOT_CHDIR is not set
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
# CONFIG_GRKERNSEC_CHROOT_CAPS is not set
 
#
# Kernel Auditing
#
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
# CONFIG_GRKERNSEC_EXECLOG is not set
CONFIG_GRKERNSEC_RESLOG=y
# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
CONFIG_GRKERNSEC_AUDIT_MOUNT=y
# CONFIG_GRKERNSEC_AUDIT_IPC is not set
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_TIME=y
CONFIG_GRKERNSEC_PROC_IPADDR=y
# CONFIG_GRKERNSEC_AUDIT_TEXTREL is not set
 
#
# Executable Protections
#
CONFIG_GRKERNSEC_EXECVE=y
CONFIG_GRKERNSEC_SHM=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_RANDPID=y
# CONFIG_GRKERNSEC_TPE is not set
 
#
# Network Protections
#
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_RANDSRC=y
# CONFIG_GRKERNSEC_SOCKET is not set
 
#
# Sysctl support
#
CONFIG_GRKERNSEC_SYSCTL=y
CONFIG_GRKERNSEC_SYSCTL_ON=y
 
#
# Logging Options
#
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=4
# CONFIG_KEYS is not set
# CONFIG_SECURITY is not set
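The script below is an added example for this thread; it is not code from the original posts nor from the vserver or grsecurity projects. It turns Rik's hint (vc_set_cflags() failing with "Operation not permitted" until chroot_caps is switched off) and a config dump like the one above into a preflight check: it reads a kernel config file and the grsecurity sysctl directory, both passed as arguments (the paths /boot/config-$(uname -r) and /proc/sys/kernel/grsecurity, and the function names kconfig_state, sysctl_value and vserver_preflight, are assumptions for this example), and reports whether CONFIG_GRKERNSEC_CHROOT_CAPS will strip the capabilities vcontext needs, and whether that can still be fixed at runtime. It also accepts the malformed "CONFIG_X=is not set" lines that appear in hand-edited pastes.

```shell
#!/bin/sh
# Preflight check for starting Linux-VServer guests on a grsecurity kernel.
# Added example for this thread; it is not code from the original posts nor
# from the vserver or grsecurity projects.
#
# Assumptions (hypothetical, not stated in the posts): the kernel config is
# readable as a text file (e.g. /boot/config-$(uname -r)) and the grsecurity
# sysctls are exposed as files under /proc/sys/kernel/grsecurity.  Both paths
# are parameters, so the functions can also be run against saved copies.

# kconfig_state FILE OPTION
# Prints y, m, n, absent, or the literal value for CONFIG_X=<value>.
# Accepts "CONFIG_X=y", "# CONFIG_X is not set" and the malformed
# "CONFIG_X=is not set" form that appears in hand-edited pastes.
kconfig_state() {
    _file=$1; _opt=$2
    # The trailing ([= ]|$) keeps CONFIG_GRKERNSEC_CHROOT from matching
    # CONFIG_GRKERNSEC_CHROOT_CAPS; tail keeps the last definition if repeated.
    _line=$(grep -E "^(# )?${_opt}([= ]|$)" "$_file" 2>/dev/null | tail -n 1)
    case "$_line" in
        "# ${_opt} is not set"|"${_opt}=is not set") echo n ;;
        "${_opt}=y") echo y ;;
        "${_opt}=m") echo m ;;
        "${_opt}="*) echo "${_line#*=}" ;;
        "") echo absent ;;
        *) echo unknown ;;
    esac
}

# sysctl_value DIR NAME
# Prints the value of DIR/NAME, or "missing" when the knob is not exposed
# (option not compiled in, or CONFIG_GRKERNSEC_SYSCTL disabled).
sysctl_value() {
    if [ -r "$1/$2" ]; then cat "$1/$2"; else echo missing; fi
}

# vserver_preflight CONFIG SYSCTLDIR
# Return codes:
#   0  vcontext's vc_set_cflags() should not be blocked by grsec chroot_caps
#   1  chroot_caps is active but can be turned off at runtime (the fix from
#      the post: echo 0 > /proc/sys/kernel/grsecurity/chroot_caps)
#   2  chroot_caps is active and cannot be changed without a rebuild/reboot
vserver_preflight() {
    _cfg=$1; _sys=$2
    _caps=$(kconfig_state "$_cfg" CONFIG_GRKERNSEC_CHROOT_CAPS)
    _sysctl=$(kconfig_state "$_cfg" CONFIG_GRKERNSEC_SYSCTL)
    if [ "$_caps" != y ]; then
        echo "CONFIG_GRKERNSEC_CHROOT_CAPS is $_caps: chroots keep their capabilities"
        return 0
    fi
    _runtime=$(sysctl_value "$_sys" chroot_caps)
    if [ "$_runtime" = 0 ]; then
        echo "chroot_caps=0: capability dropping on chroot is off"
        return 0
    fi
    if [ "$_sysctl" != y ] || [ "$_runtime" = missing ]; then
        echo "chroot_caps is built in with no sysctl to disable it: rebuild the kernel"
        return 2
    fi
    # grsec_lock=1 freezes every grsecurity sysctl until the next boot.
    if [ "$(sysctl_value "$_sys" grsec_lock)" = 1 ]; then
        echo "grsec_lock=1: grsecurity sysctls are locked until reboot"
        return 2
    fi
    echo "chroot_caps=$_runtime: run 'echo 0 > $_sys/chroot_caps' before starting guests"
    return 1
}

# Stand-alone use: ./preflight.sh /boot/config-$(uname -r) /proc/sys/kernel/grsecurity
if [ "$#" -eq 2 ]; then
    vserver_preflight "$1" "$2"
fi
```

Two caveats worth keeping in mind when applying the fix from the post: chroot_caps is a host-wide knob, so setting it to 0 removes grsec's capability dropping for every chroot on the machine, not only for the vserver guests; and if boot scripts set kernel.grsecurity.grsec_lock=1, that has to happen after chroot_caps is changed, because the lock makes all grsecurity sysctls read-only until reboot.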
_______________________________________________
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
Received on Wed Mar 1 13:06:41 2006

Generated on Wed 01 Mar 2006 - 13:06:44 GMT by hypermail 2.1.8