Category Archives: GrSecurity

grsecurity logo

grsecurity + phc undervolting patch

In an effort to get the same performance from this laptop as I used when it ran windows (and I could use the excellent ThrottleStop program to undervolt), I did some investigation into how to undervolt while running Linux.

Linux PHC Project

Linux PHC Project

The solution turns out to be the Linux PHC Project.  There wasn’t a patch for Linux 4.1.4, but looking in the forums a bit I found a patch for 3.1, which cleanly applied to 4.1.4.  I didn’t bother with their suggested way of building a module, I just patched the file in the Linux source tree directly and rebuilt the kernel.  Because the tree was already patched with grsecurity, the diff spat out a bunch of offset changes, but all the changes applied correctly which is all that matters.  I checked to ensure that nothing grsecurity/PaX related had been mangled.

Recompile, reboot and now I have the following sysfs interfaces:

/sys/devices/system/cpu/cpu*/cpufreq/phc_default_rawcontrol
/sys/devices/system/cpu/cpu*/cpufreq/phc_default_vids
/sys/devices/system/cpu/cpu*/cpufreq/phc_rawcontrols
/sys/devices/system/cpu/cpu*/cpufreq/phc_version
/sys/devices/system/cpu/cpu*/cpufreq/phc_vids

Writing same values there as I used to use under Windows and now my laptop is so much cooler.  Before when I built a kernel it was getting up towards 90c and it was limiting the CPU to keep itself getting hotter.  Now I can build a kernel, I get nowhere over 75c and it stays at the full 2.20Ghz the entire time.

Original VIDs: cat phc_default_vids 
47 41 28 18 11
New VIDs: cat phc_vids 
30 27 23 13 6

Excellent!  Thanks Linux PHC Project.

grsecurity logo

grsecurity on a Xubuntu laptop

I installed xubuntu on my now very old Dell XPS m1330 the other day.  Windows 10 just wasn’t cutting it for me, though that’s probably because I had an excess of crap installed.  It was taking upwards of 5 minutes to reboot though, so I thought I’d try something else.

Xubuntu was the obvious choice, Gnome can die in a fire and KDE while nice is too UI heavy for what I want.  I love XFCE, it’s small, clean and does a great job, so xubuntu got the nod.

Once installed and working, I then downloaded the 4.1.3 kernel source and the latest grsecurity patch for it.  Patched the source and fired up make menuconfig.  Ubuntu being ubuntu it comes with pretty much every freaking option, module and setting defaulted to yes.  Rather than piss about making a nice small custom kernel, I just went with all the defaults, then turned on pretty much every grsec feature.  The few items I kept disabled are:

They’re only minor things (well, the RBAC system isn’t really “minor”), all of the main memory protection features (thanks, PaX) and the other grsecurity hardening features are enabled.

Then it’s just a matter of making sure all the right packages are installed to be able to do a “make-kpkg –initrd kernel_image” and waiting for a very long time.  Oh and it helps to set the CONCURRENCY_LEVEL to 2, which is how many Core’s the CPU has.  Then you wait about 3 hours…

Finally you end up with a .deb that you install and off you go.  Install it and reboot and….

It worked first go. Not that I really expected otherwise.  The only problems encountered are the expected ones, some binaries don’t like the hardened memory protections, so those protections have to turned off on a per-binary basis.  So it’s apt-get install pax-utils and apt-get install paxctl.

The binaries I adjusted flags for are:

  • chrome
  • thunderbird
  • python3
paxctl -cpm /path/to/binary

c: creates a pax header, m: disables mProtect, p: disables pageexec

The only problems I’ve faced apart from this are issues with the sound module.  Under a default ubuntu kernel the sound just works.  Under my compiled kernel, the module needs to be removed and re-added for sound to work, and then it fails if you suspend the laptop.  I’m 99% sure this isn’t anything to do with grsecurity, but rather the fact it’s a vanilla kernel source, not a heavily-patched ubuntu kernel source with fixes for all those sorts of things.  I’ll get to the bottom of it at some stage.

But the laptop works and works well.  I’m not using the proprietary Nvidia drivers, just the nouveau ones.  Suspend works.  It’s still fast and browsing is quick, despite all of the PaX and grsecurity options turned on, some of which have a known performance impact (I’m looking at you Userland Dereference and Memory Sanitize)

The whole process has been easy, quick and painless.  The hardest part has been waiting for the kernel to compile.  When I have a bit more free time I’ll go through and build an image for just this laptop, disabling all the drivers and options that are totally unnecessary.  I’ll end up with a much leaner kernel that’s quick to compile.  But this image I have now could be given to anyone with a x64 system and it’d boot and work perfectly.

Thanks spender, pipacs and emese for their work on PaX/grsecurity.

Tim

UPDATE: A couple of updates to this post.  Firstly, the issue with sound was caused by CONFIG_GRKERNSEC_SYSFS_RESTRICT being set.  Disabling this, building again works.  I also found that I was getting slower performance, disabling uderef on the command line as well as slab sanitization has fixed this, giving me excellent performance again.  Beause they’re command line, I can re-enable them easily withouth having to recompile.  My full linux boot command is:

BOOT_IMAGE=/boot/vmlinuz-4.1.4-grsec root=/dev/sda1 ro reboot=w nouveau.runpm=1 nouveau.pstate=1 pax_nouderef pax_sanitize_slab=off pax_extra_latent_entropy

Finally, I sat down over the weekend and stripped out all the unneeded modules and settings.  Ubuntu by default sets a lot of debugging features, so all those are turned off now in the aims of squeezing a bit more performance out of the laptop.  Plus now my kernel image is ~25Mb, instead of ~250mb.

Raspberry Pi

My Pi arrived yesterday.  I plugged it in for 30 minutes while I baked a cake for Sarah’s birthday. Seems pretty neat, I’m impressed that the distribution I chose to test with (OpenELEC) detected the Wifi Dongle straight away and just worked with it.

The major issue at the moment is I don’t have a decently sized MicroSD card.   I have a 2G one, which was fine for some basic testing.  And it’s actually fine for OpenELEC as well, but it’s a GUI oriented thing and I don’t want that, I want something that’s basically a Linux Distro (i.e. Rasbian)

Will have to get it a decent SD Card today.  And the case that my workmate 3D Printed for it should be arriving in the next day or two.

I’ll be crabbed off if I can’t get grsecurity running on it…

grsecurity RBAC system

A few notes I wrote down about enabling the (very intense) grsecuriy RBAC system on micro.

  1. If you have role_allow_ip defined and you try and “do something” from an IP not in that allowed list – you’ll end up in the default role.  That can be hard to figure out at first, you know you have a role setup for the user, but you’re not ending up in it.  That’s why.
  2. A subject in a less specific policy with an “i” will override a more specific subject.i.e.This “/” subject:subject / o {    /bin        rxi}will win over this:subject /bin/bash o {}/bin/bash will use the polices from the first subject, not the second.
  3. To be able to unlink (delete!) a file, you need both d and the w subject flags.  d alone isn’t enough.
  4. Be VERY careful with the C subject flag.  It will kill everything with the same IP address, silently.  Your MYSQL server might be dead and you won’t know it.
  5. Shared Libraries (.so) need the rx flag, x alone isn’t enough.
    subject /bin/bash {    

    /     
    /lib            rx
    }
  6. The -V flag to gradm -E will give some useful information!

Paxtest: grsecurity vs vanilla kernel

Vanilla Kernel

timh@Jumphost-Lab:~$ paxtest blackhat
PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter@adamantix.org> Released under the GNU Public Licence version 2 or later
Writing output to /home/timh/paxtest.log
It may take a while for the tests to complete
Test results:
PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter@adamantix.org> Released under the GNU Public Licence version 2 or later
Mode: Blackhat
Linux Jumphost-Lab 3.2.0-29-generic 46-Ubuntu SMP Fri Jul 27 17:03:23 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
Executable anonymous mapping : Killed
Executable bss : Killed
Executable data : Killed
Executable heap : Killed
Executable stack : Killed
Executable shared library bss : Killed
Executable shared library data : Killed
Executable anonymous mapping (mprotect) : Vulnerable
Executable bss (mprotect) : Vulnerable
Executable data (mprotect) : Vulnerable
Executable heap (mprotect) : Vulnerable
Executable stack (mprotect) : Vulnerable
Executable shared library bss (mprotect) : Vulnerable
Executable shared library data (mprotect): Vulnerable
Writable text segments : Vulnerable
Anonymous mapping randomisation test : 9 bits (guessed)
Heap randomisation test (ET_EXEC) : 14 bits (guessed)
Heap randomisation test (PIE) : 16 bits (guessed)
Main executable randomisation (ET_EXEC) : No randomisation
Main executable randomisation (PIE) : 8 bits (guessed)
Shared library randomisation test : 10 bits (guessed)
Stack randomisation test (SEGMEXEC) : 19 bits (guessed)
Stack randomisation test (PAGEEXEC) : 19 bits (guessed)
Return to function (strcpy) : Vulnerable
Return to function (memcpy) : Killed
Return to function (strcpy, PIE) : Vulnerable
Return to function (memcpy, PIE) : Killed
Grsecurity/PaX hardened kernel

Grsecurity Enabled Kernel

tim@beaker ~> paxtest blackhat
PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter@adamantix.org> Released under the GNU Public Licence version 2 or later
Writing output to paxtest.log
It may take a while for the tests to complete
Test results:
PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter@adamantix.org> Released under the GNU Public Licence version 2 or later
Mode: blackhat
Linux beaker 3.6.8-grsec 1 SMP Wed Nov 28 09:30:28 NZDT 2012 i686 GNU/Linux
Executable anonymous mapping : Killed
Executable bss : Killed
Executable data : Killed
Executable heap : Killed
Executable stack : Killed
Executable anonymous mapping (mprotect) : Killed
Executable bss (mprotect) : Killed
Executable data (mprotect) : Killed
Executable heap (mprotect) : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Executable stack (mprotect) : Killed
Anonymous mapping randomisation test : 18 bits (guessed)
Heap randomisation test (ET_EXEC) : 22 bits (guessed)
Heap randomisation test (ET_DYN) : 24 bits (guessed)
Main executable randomisation (ET_EXEC) : 18 bits (guessed)
Main executable randomisation (ET_DYN) : 18 bits (guessed)
Shared library randomisation test : 18 bits (guessed)
Stack randomisation test (SEGMEXEC) : 24 bits (guessed)
Stack randomisation test (PAGEEXEC) : 24 bits (guessed)
Return to function (strcpy) : Vulnerable
Return to function (strcpy, RANDEXEC) : Vulnerable
Return to function (memcpy) : Vulnerable
Return to function (memcpy, RANDEXEC) : Vulnerable
Executable shared library bss : Killed
Executable shared library data : Killed
Writable text segments : Killed