Hi Ricardo, It has been some time since I've looked into these security-hardening systems, but I was under the impression that grsecurity, SELinux and AppArmor were somewhat competitive solutions for the same problems.
I know there are some differences (path-based vs inode-based) and that grsecurity provides a bunch of generic improvements (process hiding, for example) too. However, I've never heard of combining grsec with AppArmor. Why would one do that?

On Wed, Aug 7, 2013 at 2:59 PM, Ricardo M. Correia <rcorr...@wizy.org> wrote:
> Hi,
>
> I'm attaching a simple patch that allows you to use a kernel with
> grsecurity, PaX and AppArmor enabled, just in case it's useful to anyone.
>
> It requires the following changes to be applied first:
> https://github.com/NixOS/nixpkgs/pull/802
>
> I am not sending a pull request for this new kernel directly because it
> needs further work to allow customization of the grsec kernel config options
> from /etc/nixos/configuration.nix and I don't have time to investigate how
> to do that right now.
>
> In particular, you need to specify whether the machine is a server or a
> desktop; whether it's running as a VM guest, host or simply on bare metal;
> whether hardware or software virtualization is being used and whether you
> prefer more security or more performance.
>
> You can accomplish that by changing the GRKERNSEC_CONFIG_* options which you
> can see in the patch (I enabled the ones I personally use).
>
> You can find a reference for these options here:
> https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options#Configuration_Method
>
> In order to use the new kernel and features, you also need to add
> "boot.kernelPackages = pkgs.linuxPackages_3_2_hardened;" and
> "security.apparmor.enable = true;" to your configuration.
>
> You may also need to create AppArmor profiles for the programs you are
> interested in confining.
>
> If you are doing chroot builds and running the new kernel, package
> installation may fail due to "chmod +s" protection (apparently it can be
> used to break out of the chroot).
>
> As a quick workaround, you can disable this protection temporarily during
> package installation:
> # sysctl -w kernel.grsecurity.chroot_deny_chmod=0
> You should probably re-enable it afterwards. I'm sure there are better ways
> to do this, though.
>
> To make sure the kernel has been properly installed and is running, I
> suggest running "dmesg" as a normal user: it should fail with "operation not
> permitted".
>
> I hope this is useful to someone.
>
> PS: you can re-enable the following kernel config options, but you will lose
> the corresponding security features:
>
> Xen support -> disables "Prevent invalid userland pointer dereference"
> (MEMORY_UDEREF)
> Hibernation -> disables "Sanitize all freed memory" (MEMORY_SANITIZE)
>
> Thanks,
> Ricardo
>
>
> _______________________________________________
> nix-dev mailing list
> nix-dev@lists.science.uu.nl
> http://lists.science.uu.nl/mailman/listinfo/nix-dev
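The chroot_deny_chmod workaround and the dmesg sanity check from Ricardo's message, written up as an added shell example that is not part of the original thread or of the nixpkgs patch. It wraps the package installation so that the protection is restored even when the build fails or is interrupted, which the bare `sysctl -w` plus "re-enable it afterwards" does not guarantee. The GRSEC_SYSCTL_DIR variable and the function names are this example's own choices; it writes the /proc/sys files directly, which is what `sysctl -w` does and, on a real system, needs root.

```shell
#!/bin/sh
# Added example, not from the original thread.  Run a command (for example a
# chroot package build) with grsecurity's chroot_deny_chmod protection
# temporarily cleared, restoring the previous value afterwards even if the
# command fails or the shell is interrupted.
#
# GRSEC_SYSCTL_DIR is a hypothetical variable chosen for this example so the
# functions can be pointed at a fake sysctl tree for testing; the default is
# the real location on a grsecurity kernel.
GRSEC_SYSCTL_DIR="${GRSEC_SYSCTL_DIR:-/proc/sys/kernel/grsecurity}"

# Succeeds only if the running kernel exposes the grsecurity sysctl tree.
grsec_present() {
    [ -d "$GRSEC_SYSCTL_DIR" ]
}

# Print the current value of a grsecurity sysctl, e.g. chroot_deny_chmod.
grsec_get() {
    cat "$GRSEC_SYSCTL_DIR/$1"
}

# Set a grsecurity sysctl by writing its /proc/sys file (what sysctl -w does).
grsec_set() {
    printf '%s\n' "$2" > "$GRSEC_SYSCTL_DIR/$1"
}

# Run "$@" with chroot_deny_chmod cleared, then put the saved value back.
# The EXIT/INT/TERM trap makes the restore happen on interruption too, so a
# failed or aborted build never leaves the protection disabled.  The
# command's own exit status is returned to the caller.
with_chroot_chmod_allowed() {
    saved=$(grsec_get chroot_deny_chmod) || return 1
    grsec_set chroot_deny_chmod 0 || return 1
    trap 'grsec_set chroot_deny_chmod "$saved"' EXIT INT TERM
    "$@"
    rc=$?
    grsec_set chroot_deny_chmod "$saved"
    trap - EXIT INT TERM
    return $rc
}

# The sanity check from the thread: on the hardened kernel, dmesg run by an
# unprivileged user must fail ("Operation not permitted").  Succeeds only if
# the grsecurity sysctl tree exists and dmesg is denied to the caller.
check_hardened() {
    grsec_present || return 1
    if dmesg >/dev/null 2>&1; then
        echo "dmesg is readable by $(id -un); grsec dmesg restriction not active" >&2
        return 1
    fi
    return 0
}

# Usage: sh this_script.sh nix-env -i somepackage
if [ "$#" -gt 0 ]; then
    with_chroot_chmod_allowed "$@"
fi
```

`check_hardened` should be run as a normal user, as the message suggests; run as root, dmesg succeeds regardless of the restriction and the check reports a false negative. The wrapper deliberately restores the saved value rather than hard-coding 1, so it also behaves correctly on a machine where the protection was already off.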