On 01/25/2011 09:19 AM, Thomas Sachau wrote: > Am 25.01.2011 13:26, schrieb Anthony G. Basile: >> Hi hardened users, >> >> Currently, when configuring the hardened kernel, the user is presented >> with some predefined Security Levels. (Security options -> Grsecuirty >> -> Security Level). Four of these are set by Gentoo >> >> Hardened Gentoo [server] >> Hardened Gentoo [server no rbac] >> Hardened Gentoo [workstation] >> Hardened Gentoo [workstation no rbac] >> >> These are defined so as to maximize security while minimizing breakage >> with Gentoo software. I'm proposing to change this to >> >> Hardened Gentoo [server] >> Hardened Gentoo [workstation or virtualization host] >> >> One change will be to remove the "no rbac" option which is easily turned >> on/off at Security options -> Grsecuirty -> Role Based Access Control >> Options -> Disable RBAC system. The default will be on (ie do not >> disable rbac). Even if the users doesn't want to use RBAC and still >> enables it, there is no harm done since RBAC simply be available but not >> used unless turned on by gradm. >> >> The other change will be to add a "virtualization host" option. >> Currently these settings are identical to the workstation and so are >> coalesced, but may change. I am trying to make the hardened kernel >> compatible with VirtualBox and kvm, but there are some security settings >> which will most likely *always* break virtualization and will need to be >> turned off. >> >> This is work in progress and testing is appreciated. The ebuilds are on >> my overlay. >> >> > > My suggestion, as talked about in IRC: > > server profile with UDEREF and KERNEXEC forced on > workstation profile with UDEREF and KERNEXEC default enabled > virtualization profile with UDEREF and KERNEXEC default disabled > > While virtualbox and kvm currently have issues with both options, this may > change in the future. To > be able to easily test it, those options should not be forced off, but > default disabled. > > Since most other apps for workstations should work with both options, they > should be default > enabled. Since there might be some special issue with some specific desktop > app, it should be able > to disable those options, so not forced on for them. >
Hi everyone, its been a while since I visited this issue, but I've finally made the change. Its still experimental, but preliminary testing shows that nothing is broken. Hopefully it will also be useful. Currently, the following ebuilds have the same codebase hardened-sources-2.6.37-r2 <-> hardened-sources-2.6.37-r3 hardened-sources-2.6.32-r37 <-> hardened-sources-2.6.32-r38 The only difference is the higher rev number has the new predefined GRSEC/PaX settings. Please test and let me know. -- Anthony G. Basile, Ph.D. Gentoo Developer
