Hi all
noticing that CC may be coming at some point, and whilst recently taking the
latest turunk for a spin, I noticed that the kernel 3.14.25 matched the
current grsecurity patch (which is in long term support against 3.14) so I
thought I'd see what it would take to apply it to OpenWRT.
It turned out to be easier than I'd hoped - although I've only tested it
against ar71xx and the carambola2 specifically.
The best way turned out to be to apply it after all the openwrt patches, then
I had to fix about four rejects and some quirks introduced by other OpenWRT
patches, the biggest challenge being something that OpenWRT does for MIPS in
the module loading code needing to be fixed to work with grsec changes. The
other main one is that compat wireless ath9k driver uses a macro that needs to
be changed for grsec. Thereafter I was able to get my board to run with a
-grsec kernel with the following caveats:
* because OpenWRT turns off kernel MODVERSIONs, grsecurity requires RANDSTRUCT
turned off
* my particular config uncovered that openssl doesnt build with NX for mips
and programs libcrypto.so were actually intercepted by grsec! So I had to fix
that by adding a gnu-stack patch to several assembler-(generating) files
So far I have managed to test the following features of grsec with success:
* mount auditing
* time change auditing
* NX protection on MIPS (which doesnt have h/w support on my SOC)
I'll end up pushing my modified OpenWRT build to github soonish
This did the job for me, but I figured it was worth sharing as the buzzword
"Internet of Things" looms large and openwrt is increasing adoption on
products such as the vocore and wrtnode...
I wonder what people feel the priority might be to get this tidied up and
integrated into the main openwrt - or would it be infeasible to properly test
and support?
Noting that there will likely be other packages that I dont currently use that
could need NX fixing on MIPS for starters, so wider implementation would
depend on the priorities of other users of different packages.
There is also the risk is that mixing the openwrt package suite with grsec may
introduce inadvertent security holes - my changes "seem" OK but I havent yet
done the deep research to know for sure. This can be mitigated by making an
GRSEC config option optional with a big warning in menuconfig for those who
want to do their own diligence. Perhaps the option in the config would also
only be enabled for a limited subset of boards where people have made the
effort to patch & test, as an 'experimental' feature.
ar7240> bootm
## Booting image at 83000000 ...
Image Name: MIPS OpenWrt Linux-3.14.25
Created: 2014-12-04 13:48:17 UTC
Image Type: MIPS Linux Kernel Image (lzma compressed)
Data Size: 4796179 Bytes = 4.6 MB
Load Address: 80060000
Entry Point: 80060000
Verifying Checksum at 0x83000040 ...OK
Uncompressing Kernel Image ... OK
Starting kernel ...
[ 0.000000] Linux version 3.14.25-grsec (andrew@atlantis4) (gcc version
4.8.3 (OpenWrt/Linaro GCC 4.8-2014.04 r43488) ) #6 Fri Dec 5 00:17:55 ACDT 2014
[ 0.000000] bootconsole [early0] enabled
[ 0.000000] CPU0 revision is: 00019374 (MIPS 24Kc)
[ 0.000000] SoC: Atheros AR9330 rev 1
...
[ 21.562499] grsec: mount of devpts to /dev/pts by /sbin/procd[procd:1]
uid/euid:0/0 gid/egid:0/0, parent /[swapper:0] uid/euid:0/0 gid/egid:0/0
...
[ 26.583332] grsec: time set by /bin/busybox[date:665] uid/euid:0/0
gid/egid:0/0, parent /etc/init.d/system[S10system:660] uid/euid:0/0 gid/egid:0/0
...
root@OpenWrt:/sbin# opkg search /wbin/wget2nand
[ 306.541661] grsec: denied marking stack executable as requested by
PT_GNU_STACK marking in /usr/lib/libcrypto.so.1.0.0 by /bin/opkg[opkg:1040]
uid/euid:0/0 gid/egid:0/0, parent /bin/bus0
--A
--
http://blog.oldcomputerjunk.net
https://au.linkedin.com/in/amcdonnell
https://launchpad.net/~andymc73
https://github.com/andymc73
Twitter: @pastcompute
GPG: http://www.andrewmcdonnell.net/gpg.html
_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
