<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel rdf:about="http://permalink.gmane.org/gmane.linux.gentoo.hardened">
    <title>gmane.linux.gentoo.hardened</title>
    <link>http://permalink.gmane.org/gmane.linux.gentoo.hardened</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.gentoo.hardened/5504"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.gentoo.hardened/5503"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.gentoo.hardened/5502"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.gentoo.hardened/5501"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.gentoo.hardened/5500"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.gentoo.hardened/5499"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.gentoo.hardened/5498"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.gentoo.hardened/5497"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.gentoo.hardened/5496"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.gentoo.hardened/5495"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.gentoo.hardened/5494"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.gentoo.hardened/5493"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.gentoo.hardened/5492"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.gentoo.hardened/5491"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.gentoo.hardened/5490"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.gentoo.hardened/5489"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.gentoo.hardened/5488"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.gentoo.hardened/5487"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.gentoo.hardened/5486"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.linux.gentoo.hardened/5485"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.gentoo.hardened/5504">
    <title>Re: systemd and gentoo</title>
    <link>http://permalink.gmane.org/gmane.linux.gentoo.hardened/5504</link>
    <description>&lt;pre&gt;
systemd isn't required, nor are there plans to make it required in Gentoo.  
openrc is the default and will continue to be so.

hal is dead
-mike
&lt;/pre&gt;</description>
    <dc:creator>Mike Frysinger</dc:creator>
    <dc:date>2012-05-22T20:42:08</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.gentoo.hardened/5503">
    <title>Re: xattr/acl/cap</title>
    <link>http://permalink.gmane.org/gmane.linux.gentoo.hardened/5503</link>
    <description>&lt;pre&gt;
oh and since /dev is tmpfs, hence the need.

&amp;lt; at &amp;gt;original poster.  Turn this on, it's a good thing :)

&lt;/pre&gt;</description>
    <dc:creator>Anthony G. Basile</dc:creator>
    <dc:date>2012-05-21T16:34:27</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.gentoo.hardened/5502">
    <title>Re: Does hardened-sources include the Gentoo patchset?</title>
    <link>http://permalink.gmane.org/gmane.linux.gentoo.hardened/5502</link>
    <description>&lt;pre&gt;
Thanks Hinnerk.  I recently discovered the multitude of sys-kernel
packages listed at gpo.zugaina.org and I'm trying to figure them out.

- Grant


&lt;/pre&gt;</description>
    <dc:creator>Grant</dc:creator>
    <dc:date>2012-05-21T06:21:54</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.gentoo.hardened/5501">
    <title>Re: xattr/acl/cap</title>
    <link>http://permalink.gmane.org/gmane.linux.gentoo.hardened/5501</link>
    <description>&lt;pre&gt;On Mon, May 21, 2012 at 1:46 AM, Anthony G. Basile
&amp;lt;basile-yzvPICuk2ABaTBw8ZCwS0De48wsgrGvP&amp;lt; at &amp;gt;public.gmane.org&amp;gt; wrote:

If I am not mistaken, ConsoleKit uses ACLs to grant the currently
active user access to various /dev nodes. E.g., with ConsoleKit you
don't need to put users into "video", "audio" and "cdrom" groups
anymore (corresponding to v4l, sound, and dvd/cdrom devices), so
access permissions are more fine-grained and based on need.

&lt;/pre&gt;</description>
    <dc:creator>Maxim Kammerer</dc:creator>
    <dc:date>2012-05-21T00:06:35</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.gentoo.hardened/5500">
    <title>Re: xattr/acl/cap</title>
    <link>http://permalink.gmane.org/gmane.linux.gentoo.hardened/5500</link>
    <description>&lt;pre&gt;
Oh no!  You committed a grave sin asking here ... j/k :)  You can always 
ask and if we don't know then we'll redirect.


Working on it but progress is slow in gentoo.  The biggest obstacles are 
almost out of the way though with portage and tar both supporting xattr 
now but only in ~arch.


Okay, this is where I have to redirect you because I'm not aware of this 
particular issue, i.e. why consolekit needs tmpfs posix acls.  To be 
clear, this means acl support on files that are on a tmpfs system.  This 
was pushed upstream by redhat, who needed it for selinux.  But if you're 
not running a selinux system, I'm not sure why consolekit would need this.

In general though, it's safe to turn on xattr/acl/caps even if you don't 
use them, and in some cases, e.g. selinux or the new pax markings, you 
must have xattr.

I don't think this answers your question but it does give you more context.


&lt;/pre&gt;</description>
    <dc:creator>Anthony G. Basile</dc:creator>
    <dc:date>2012-05-20T22:46:31</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.gentoo.hardened/5499">
    <title>Re: xattr/acl/cap</title>
    <link>http://permalink.gmane.org/gmane.linux.gentoo.hardened/5499</link>
    <description>&lt;pre&gt;
ACLs are actually very nice if you can get over the initial hurdle of
figuring out how they work. They're a lot like permissions on Windows,
except there's a highly confusing mask entry and umask plays into it...

Anyway, a lot of the time with the standard unix permissions you're
forced to give access to some people who don't need it. ACLs make it
possible to do things right.


&lt;/pre&gt;</description>
    <dc:creator>Michael Orlitzky</dc:creator>
    <dc:date>2012-05-20T22:45:55</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.gentoo.hardened/5498">
    <title>xattr/acl/cap</title>
    <link>http://permalink.gmane.org/gmane.linux.gentoo.hardened/5498</link>
    <description>&lt;pre&gt;Hi!

I'm not sure if this is the right place to ask…

What is the current status for filesystem xattr, acl and caps?

I usually keep all of this disabled in the kernel, because I don't use them
and want to avoid needless complexity. But today consolekit (which I don't
use, but which is installed anyway as someone's dependency) asked me to
enable CONFIG_TMPFS_POSIX_ACL. And I decided to check all this crap once again.

I may be wrong here, but after a glance at it I got this impression:

XATTR
    Needed only if you use ACL or CAPS (or wanna play with custom file
    attributes).
ACL
    Not sure about consolekit requirement above, but otherwise it looks
    useless (if you don't need to use complicated file permissions).
CAPS
    Looks promising, it's always good to remove the suid bit, BUT:
    a) looks like the only app which uses it now on my workstation is
       wireshark, even /bin/ping is still installed suid
    b) pam_cap.so isn't used by default (not sure why) so you can't change
       a user's default capabilities using /etc&lt;/pre&gt;</description>
    <dc:creator>Alex Efros</dc:creator>
    <dc:date>2012-05-20T21:35:51</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.gentoo.hardened/5497">
    <title>Re: Does hardened-sources include the Gentoo patchset?</title>
    <link>http://permalink.gmane.org/gmane.linux.gentoo.hardened/5497</link>
    <description>&lt;pre&gt;
On 20.05.2012 22:09, Grant wrote:

The ebuild names GENPATCHES_URI as a download source.
In the Changelog there are entries like:

14 May 2012; Anthony G. Basile &amp;lt;blueness-aBrp7R+bbdUdnm+yROfE0A&amp;lt; at &amp;gt;public.gmane.org&amp;gt;
  +hardened-sources-3.2.17.ebuild:
  Based on 3.2.17 + genpatches-3.2-14 + grsecurity-2.9-3.2.17-201205131657

Therefore I would dare to say: yes, they do. ;)

WKR
Hinnerk
&lt;/pre&gt;</description>
    <dc:creator>Hinnerk van Bruinehsen</dc:creator>
    <dc:date>2012-05-20T20:21:13</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.gentoo.hardened/5496">
    <title>Does hardened-sources include the Gentoo patchset?</title>
    <link>http://permalink.gmane.org/gmane.linux.gentoo.hardened/5496</link>
    <description>&lt;pre&gt;Does anyone know if hardened-sources includes the Gentoo patchset?

- Grant


&lt;/pre&gt;</description>
    <dc:creator>Grant</dc:creator>
    <dc:date>2012-05-20T20:09:35</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.gentoo.hardened/5495">
    <title>Re: hardened-sources-3.2.11 + i965 + x.org: possible regression</title>
    <link>http://permalink.gmane.org/gmane.linux.gentoo.hardened/5495</link>
    <description>&lt;pre&gt;On Thu, May 17, 2012 at 6:04 AM, Anthony G. Basile
&amp;lt;basile-yzvPICuk2ABaTBw8ZCwS0De48wsgrGvP&amp;lt; at &amp;gt;public.gmane.org&amp;gt; wrote:

Bugged, #416637.  Only attached one .config since it's now clear
precisely what set of options creates this.


&lt;/pre&gt;</description>
    <dc:creator>RB</dc:creator>
    <dc:date>2012-05-19T16:09:46</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.gentoo.hardened/5494">
    <title>Re: hardened-sources-3.2.11 + i965 + x.org: possible regression</title>
    <link>http://permalink.gmane.org/gmane.linux.gentoo.hardened/5494</link>
    <description>&lt;pre&gt;
None intentionally, and none unintentionally that I can tell.
SLUB_DEBUG is on, but that's forced on by having SLUB as the
allocator.  DEBUG_KERNEL is also on, but so I can enable TIMER_STATS
(for xfce4-power-manager).


&lt;/pre&gt;</description>
    <dc:creator>RB</dc:creator>
    <dc:date>2012-05-19T06:22:42</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.gentoo.hardened/5493">
    <title>Re: hardened-sources-3.2.11 + i965 + x.org: possible regression</title>
    <link>http://permalink.gmane.org/gmane.linux.gentoo.hardened/5493</link>
    <description>&lt;pre&gt;

do you have any slab debugging options enabled by any chance?



&lt;/pre&gt;</description>
    <dc:creator>PaX Team</dc:creator>
    <dc:date>2012-05-18T22:18:14</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.gentoo.hardened/5492">
    <title>Re: hardened-sources-3.2.11 + i965 + x.org: possible regression</title>
    <link>http://permalink.gmane.org/gmane.linux.gentoo.hardened/5492</link>
    <description>&lt;pre&gt;On Fri, May 18, 2012 at 2:11 AM, Hinnerk van Bruinehsen
&amp;lt;h.v.bruinehsen-j/7cz5qe3tpn68oJJulU0Q&amp;lt; at &amp;gt;public.gmane.org&amp;gt; wrote:

That's because (as I just found by testing) PAX_KERNEXEC "mitigates"
the oops.  To put it in something of a boolean form, the following
produces the crashes:

PAX_MEMORY_UDEREF &amp;amp;&amp;amp; !(PAX_MEMORY_UDEREF &amp;amp;&amp;amp; PAX_KERNEXEC)


&lt;/pre&gt;</description>
    <dc:creator>RB</dc:creator>
    <dc:date>2012-05-18T19:29:24</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.gentoo.hardened/5491">
    <title>Re: systemd and gentoo</title>
    <link>http://permalink.gmane.org/gmane.linux.gentoo.hardened/5491</link>
    <description>&lt;pre&gt;On Fri, 18 May 2012 10:29:41 +0000
Pavel Labushev wrote:


has regex matching now

Fair enough but for me, I prefer a simple and scripted init system.


&lt;/pre&gt;</description>
    <dc:creator>Kevin Chadwick</dc:creator>
    <dc:date>2012-05-18T10:39:56</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.gentoo.hardened/5490">
    <title>Re: systemd and gentoo</title>
    <link>http://permalink.gmane.org/gmane.linux.gentoo.hardened/5490</link>
    <description>&lt;pre&gt;On Fri, 18 May 2012 08:56:03 +0100
Kevin Chadwick &amp;lt;ma1l1ists-/E1597aS9LT10XsdtD+oqA&amp;lt; at &amp;gt;public.gmane.org&amp;gt; wrote:


sysvinit:
- adding/removing/stopping a service requires editing inittab or ad-hoc
solutions
- no integrated logging
- no dependency tracking system

monit:
- depends on external systems like OpenRC =&amp;gt; might fail to restart
a service due to possible bugs in its complicated init script
- separate configuration files =&amp;gt; more work to write them and keep in
sync with OpenRC configuration
- does pid file inspection and periodic signalling instead of wait(2)
=&amp;gt; racy: might fail to restart a crashed service if its pid file
contains a pid of some running but unrelated process
- requires extra configuration not to restart a service when it was
temporarily shut down by administrator

supervise (daemontools) is like runit. There's nothing wrong with it,
yet it has some limitations that minit was designed to overcome:
http://www.fefe.de/minit/minit-linux-kongress2004.pdf
&lt;/pre&gt;</description>
    <dc:creator>Pavel Labushev</dc:creator>
    <dc:date>2012-05-18T10:29:41</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.gentoo.hardened/5489">
    <title>Re: hardened-sources-3.2.11 + i965 + x.org: possible regression</title>
    <link>http://permalink.gmane.org/gmane.linux.gentoo.hardened/5489</link>
    <description>&lt;pre&gt;
On 18.05.2012 09:18, Matthew Thode wrote:

For me X works fine with UDEREF enabled. I'm using xorg-server-1.12.1
and xf86-video-intel-2.19.0. (2 laptops, 1 core2 duo, 1 first
generation i5, if that has got something to do with it)

WKR
Hinnerk


PS: Issuing grep -i pax on my .config I get:

# PaX
CONFIG_PAX_KERNEXEC_PLUGIN=y
CONFIG_PAX_PER_CPU_PGD=y
CONFIG_PAX=y
# PaX Control
# CONFIG_PAX_SOFTMODE is not set
CONFIG_PAX_EI_PAX=y
CONFIG_PAX_PT_PAX_FLAGS=y
CONFIG_PAX_XATTR_PAX_FLAGS=y
# CONFIG_PAX_NO_ACL_FLAGS is not set
CONFIG_PAX_HAVE_ACL_FLAGS=y
# CONFIG_PAX_HOOK_ACL_FLAGS is not set
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
# CONFIG_PAX_EMUTRAMP is not set
CONFIG_PAX_MPROTECT=y
# CONFIG_PAX_MPROTECT_COMPAT is not set
# CONFIG_PAX_ELFRELOCS is not set
CONFIG_PAX_KERNEXEC=y
CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_BTS=y
CONFIG_PAX_KERNEXEC_PLUGIN_METHOD="bts"
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
CONFIG_PAX_MEMORY_STACKL&lt;/pre&gt;</description>
    <dc:creator>Hinnerk van Bruinehsen</dc:creator>
    <dc:date>2012-05-18T08:11:06</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.gentoo.hardened/5488">
    <title>Re: systemd and gentoo</title>
    <link>http://permalink.gmane.org/gmane.linux.gentoo.hardened/5488</link>
    <description>&lt;pre&gt;On Fri, 18 May 2012 02:56:06 +0000
Pavel Labushev wrote:


What's wrong with init respawn or supervise and/or monit?


&lt;/pre&gt;</description>
    <dc:creator>Kevin Chadwick</dc:creator>
    <dc:date>2012-05-18T07:56:03</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.gentoo.hardened/5487">
    <title>Re: systemd and gentoo</title>
    <link>http://permalink.gmane.org/gmane.linux.gentoo.hardened/5487</link>
    <description>&lt;pre&gt;On Fri, 18 May 2012 03:01:00 +0200
Tóth Attila wrote:


You're too polite, you mean, somebody should give some people a slap for
breaking unix philosophies and not understanding what Unix is already
capable of.

I've already disabled consolekit and udisks. They bring little to the
table and cause problems for administration and configuration. I haven't
decided on systemd yet but it looks potentially troublesome to me.


&lt;/pre&gt;</description>
    <dc:creator>Kevin Chadwick</dc:creator>
    <dc:date>2012-05-18T07:52:08</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.gentoo.hardened/5486">
    <title>Re: hardened-sources-3.2.11 + i965 + x.org: possible regression</title>
    <link>http://permalink.gmane.org/gmane.linux.gentoo.hardened/5486</link>
    <description>&lt;pre&gt;must be why I never hit it (I enable kernexec but leave uderef disabled
for virt).

&lt;/pre&gt;</description>
    <dc:creator>Matthew Thode</dc:creator>
    <dc:date>2012-05-18T07:18:17</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.gentoo.hardened/5485">
    <title>Re: systemd and gentoo</title>
    <link>http://permalink.gmane.org/gmane.linux.gentoo.hardened/5485</link>
    <description>&lt;pre&gt;Hi!

On Fri, May 18, 2012 at 02:56:06AM +0000, Pavel Labushev wrote:

Actually, if you decide to go this way, you'll probably find that packages from my
overlay 'powerman' are a good starting point:
- Use my sys-process/runit instead of the ebuild in main portage.
  My version doesn't install the boot scripts /etc/runit/{1,2,3}, because
  the examples of these files installed by the portage version of runit try
  to boot the system the usual gentoo way, thus turning runit into a mostly
  senseless drop-in replacement for /sbin/init.
- My package power-misc/runit-scripts provides /etc/runit/{1,2,3} boot
  scripts implemented in the native runit way. They are very small (about
  a 200-line bash script used to completely boot and initialize the system)
  and easy to adapt to your needs.
- My packages runit-service/service-* will provide you with scripts to run
  many daemons under runit supervision.

Together these packages provide a complete replacement for the gentoo default
boot scripts and services (in /etc/init.d/*). I'm using this for man&lt;/pre&gt;</description>
    <dc:creator>Alex Efros</dc:creator>
    <dc:date>2012-05-18T04:51:47</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.linux.gentoo.hardened/5484">
    <title>Re: systemd and gentoo</title>
    <link>http://permalink.gmane.org/gmane.linux.gentoo.hardened/5484</link>
    <description>&lt;pre&gt;On Fri, 18 May 2012 03:01:00 +0200
"Tóth Attila" &amp;lt;atoth-J1cgac+wqeJaB7pSnPOuKA&amp;lt; at &amp;gt;public.gmane.org&amp;gt; wrote:


My humble advice: try making your own custom scripts for runit, minit or
a similar minimalistic supervisor together with sudo or su for PAM
support (setuid-root isn't required for root-&amp;gt;unprivileged uid
changes). It's simple, fast, maintainable and could be documented
without much effort.
&lt;/pre&gt;</description>
    <dc:creator>Pavel Labushev</dc:creator>
    <dc:date>2012-05-18T02:56:06</dc:date>
  </item>
  <textinput rdf:about="http://search.gmane.org/?group=$group=gmane.linux.gentoo.hardened">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.linux.gentoo.hardened</link>
  </textinput>
</rdf:RDF>