Bug 152123

Summary: SuSE 10.0 (and not only) supply kernels with no support for grsecurity nor even PaX & w/ this AppArmor is enabled for only some apps. :/
Product: [openSUSE] openSUSE 11.0 Reporter: Olli Artemjev <grey-olli>
Component: AppArmorAssignee: Security Team bot <security-team>
Status: RESOLVED WONTFIX QA Contact: E-mail List <qa-bugs>
Severity: Enhancement    
Priority: P3 - Medium CC: dazzle.digital, grey-olli, meissner, suse-beta
Version: Alpha 2Keywords: Common_Criteria, documentation, security, Usability
Target Milestone: ---   
Hardware: i686   
OS: SuSE Linux 10.0   
Whiteboard:
Found By: Customer Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Olli Artemjev 2006-02-19 23:12:16 UTC 
Okay, had some playings w/ AppArmor.. though it doesn't solve all problems and is enough pain to enable it on everything (or at least all crytical) things (as also enough pain to change working model for some daemons (i.e. postfix))..
BTW: is there a good AppArmor admin quick trick FAQ?

So, anyway, I gotta to get back to my best - the grsecurity enabled kernel w/ custom security settings, as I usually do at home and at work. =) 

Okay, ran yast.. Got _no_ results from finding both grsecurity and PaX with yast->software management. :/ 

No even howto/warnings/listing of things that . Got nothing, but one page w/ annotation of SESUSE searching from open suse web.. Where can I get SuSE (not kernel org!) kernel w/ grsecurity or at least PaX (it's part of grsec) 
applied? :?

The grsecurity (or at least _parts_ of its functionality) is A MUST for any system concerned on security.

Well, there're lots of questions while talking to the kernel patches (at least for me - not a professional coder). I didn't even tried to play w/ that stuff yet, since, I guess, this may interfere w/ AppArmor, but since I'm not a professional coder I can't just get into the source. Well,
step by step:

1. Is grsec compatible w/ current SuSE kernels? If not - in wich parts?

2. Is PaX compatible w/ current SuSE kernels? If not - in wich parts?

3. If I get a current kernel from the kernel.org - what will be broken in my system right after I run it?

4. Say I'll get the kernel source suse rpm & get all patches applied to the kernel from there and will try to apply them on top of grsec. Would I then get rejects? Is it the right way? Guess no. That magic should be cleared w/ some FAQ for developers and advanced admins w/ declaring of correlations between a list of patches applied to the kernel within a generic SuSE system and all popular
security enhancement systems. At least the following things should be definitely overviewed by such a FAQ: RSBAC(and clones), PaX, grsecurity, AppArmor .

Yes, I can download and try the kernel.org plain current kernel, patch w/ grsec and.. stay w/ missing of some cute things, I guess..

Yes I will do that w/ SuSE system installed on x86 server. Hope most of server
required things would not broke (any comments?). Though I prefer to not doing that on my home SuSE workstation.

Well, setting the following flags:

1. Common_Criteria: because the lesser exploits work on my system the better it is. Please don't tell me that grsec is the wrong way. It _is_ the right way, or at least partially it is. :/

2. documentation: This really needs at least a quick FAQ (see questions above).

3. security: obviouse.

4. Usability: The system w/o grsecurity should not (for me - cannot) be used in aggressive network environments.

Related readings: 

http://old.lwn.net/1998/0806/a/linus-noexec.html 

and after that:

========== grsec ===========
CONFIG_GRKERNSEC_PAX_RANDMMAP:
   By saying Y here the kernel will use a randomized base address for
   mmap() requests that do not specify one themselves.  As a result
   all dynamically loaded libraries will appear at random addresses
   and therefore be harder to exploit by a technique where an attacker
   attempts to execute library code for his purposes (e.g. spawn a
   shell from an exploited program that is running at an elevated
   privilege level).

   Furthermore, if a program is relinked as a dynamic ELF file, its
   base address will be randomized as well, completing the full
   randomization of the address space layout.  Attacking such programs
   becomes a guess game.  You can find an example of doing this at
   <http://pax.grsecurity.net/et_dyn.zip> and practical samples at
   <http://www.grsecurity.net/grsec-gcc-specs.tar.gz> . 
========== grsec ===========

That's why I say, that, at least a part of grsecurity stuff is a must.

As you see from above (not a secret for any developer though), that new 
hardware with non executable pages would solve only part of a problem (I'm about CPUs w/ NX flag(AFAIR it's called NX %))).

As about complains to the 'partial solvage' I can say that at least these patches try to solve the problem with a class of exploits, and give a need to adopt hardly most others. At least with the grsecurity enabled kernel I feel relatively safe from a kiddie w/ "n3w 3l33t spl017" just ripped from full disclosure mailing list or so. Non working standard exploits - that is a 
really good improvement for me (Assuming that I'm not a vary interesting tagret for pen test professionals. ;-)) ) and many other people will agree w/ me I guess.

http://en.opensuse.org/SESUSE - the only one page found on opensuse. Though that says that developers know about the topic. That's good. But where's the patched kernel w/ other SuSE patches applied to it???

The search on suse.com (redirected as usually) does nothing interesting - opened all links.

For those who donno anything (are there any? guess noone, but anyway):
http://pax.grsecurity.net/
http://grsecurity.net/

Heh.. this post was on todo list for at least a half month - had not enough time..
Comment 1 Olli Artemjev 2006-02-19 23:18:48 UTC 
AppArmor is nice thing anyway. I like it. Is it possible to 've it w/ parts or all of PaX/grsec stuff? :?
Comment 2 Karsten Keil 2006-02-20 11:21:05 UTC 
It is more a security/AppArmor issue.
Comment 3 Marcus Meissner 2006-02-22 21:06:17 UTC 
first, we do not include PAX / grsecurity for various reasons:

- its not in the mainline kernel. maintaining such intrusive patches of this kind is very expensive and we decide not to
- address space randomization is merged from the mainline kernel to some
  degree and will continued to be merged

  specifically MMAP randomization is already part of 10.1 on some platforms

- we are of course planning to enhance kernel security in the future, but
  step by step.
Comment 4 Marcus Meissner 2006-02-22 21:08:39 UTC 
as for more apparmor profiles. we ship a lot of profiles, but only
some of them are enabled.

the reason for this is that we want to make absolutely sure that our profiles cover _all_ use scenarios. so this is mostly a coverage problem.

Additional profiles are in /etc/apparmor/extra/profiles/  , you can move
them to /etc/apparmor.d/ or so. 



So in general ... security work is ongoing and we are aware of those developments.
Comment 5 Tony Jones 2006-02-22 22:18:23 UTC 
Olli.  

1. In future please file one bug per problem.

2. As far as AppArmor profiles are concerned, we welcome additions to the profiles that are in the extra directory. AppArmor tools (logprof/genprof) can be used to customise these profiles and you are welcome to submit updates/additions.  One mechanism for doing this is by joining the AppArmor mailing lists (http://forge.novell.com/modules/xfmod/project/?apparmor).  You will also find documentation there.  Most of these docs should also ship in the SL/SLES documentation.     

3. If you submit profile changes we would appreciate information on the use case that the change address.

4. If you have specific complaints you may of course open a bug here but please make it specific and targetted.
Comment 6 Olli Artemjev 2006-02-25 02:56:58 UTC 
Okay, thanks for info on additional profiles and dox - 'll study that.

But there're still some questions:

1. Are there anyone who maintains alternate (not supported officially) version
of kernel w/ all SuSE patches and with additionally the grsecurity or PaX applied? Are there any links for download?

2. If there's no such person - are there any interest in making that work together? I mean that I definitely need a grsecurity enabled kernel on my server at work and at my workstation at home. Thus I'll try to apply patches and look
for possible rejects and try to fix that anyhow. Though I'd be glad to have a place to discuss this work and tests required - I'm not a professional programmer. If  there's no adequate for that mailing list I may create a mailing list myself on some of my servers. Feel free to contact me at [ email olli <At> digger . org . ru ] about that. Anyway since there's an SESUSE page - there're some people already did some work in this way.
I've added a folk from SESUSE page to CC list.

3. What's about interferring AppArmor and grsecurity/PaX - is it OK to discuss that in some AppArmor mailing list? BTW: are there an NNTP interface?  (I've ipaq 1940 w/ a nice newsreader (didn't see a nice mail client though) - NNTP 'll allow me (and others) to post comments being on road.
Comment 7 Olli Artemjev 2006-02-25 13:42:28 UTC 
And are there any cumulative SuSE kernel patches dox/FAQs (see question 4. in 'Description') to get started w/?
Comment 8 Olli Artemjev 2006-03-01 10:28:09 UTC 
Well.. any comments on above questions? 

I'm about to try to apply grsec/pax stuff w/o blocking ability to use apparmor.

If I'd get success are anyone interested in that result? I'm about to use 
resulting thing on my workstation & one of our servers, thus that will be tested well..
Comment 9 Marcus Meissner 2006-03-01 11:57:23 UTC 
Regardiung comment #c6
1. Not at this time to our knowledge.

2. I don't know if there is interest for it ... You can ask on the suse-security mailinglist, or the opensuse@opensuse.org mailinglists for instancen.
   suse-security is the likely list for suse related security discussions
   here.

3. AppArmor should not interfere with grsecurity/PaX, or does the latter use
   its own LSM?

   This problem that 2 LSMs cannot be loaded at the same time is a generic
   problem and should probably be taken up to the mainline kernel folks.

I don't know about a public NNTP interface.

regarding #c7
README.SUSE as contained in the kernel-source packages explain how to add
patches. (You basically can just add your patch to the patches.fixes tarball and to series.conf to get it applied.)

#c8 again depends on if grsecurity uses an LSM (I dont know).
Comment 10 Marcus Meissner 2006-03-29 14:59:03 UTC 
enhancement request
Comment 11 Ludwig Nussel 2008-03-06 16:52:27 UTC 
Nothing left for use to do AFAICS.
The buildservice can nowadays be used to publish custom kernels.