The officially official Devuan Forum!


#1 2017-05-13 00:53:55

miroR
Member
From: Zagreb, Croatia
Registered: 2016-11-30
Posts: 136
Website

Grsecurity/Pax installation on Devuan GNU/Linux

This is a placeholder. I managed to do it, and I need the link before I go to sleep.
(
I'll be posting from Devuan, but my Mutt is only in Gentoo yet, and the link I need for this thread:
unoffic-grsec 4.9.27 kernel compile, one last hurdle
https://lists.dyne.org/lurker/message/2 … 31.en.html [1]
where I need to send an email to, just next... --and then go to sleep, so tired, but so happy!--
)
---
[1] EDIT: Unfortunately, Devuan DNG Mailing List appears to (currently) scrub all attachments. Another mail archive to the rescue! Pls., for now, advanced users can find useful tips if they study esp. this attachment:
grsec-dev1-compile.sh.gz
which is part of this email:
unoffic-grsec 4.9.27 kernel compile, one last hurdle
(which is the same email as in Devuan DNG ML, just the attachments are available)
(of course I hope that condition will be fixed in Devuan DNG; I did write a report --or here-- about it)

Last edited by miroR (2017-05-14 05:42:22)


Devs/testers/users of FOSS, what might be ahead for GNU/Linux after we lost PaX Team and spender? spender wrote:
https://forums.grsecurity.net/viewtopic … 699#p17127
Google made the choice to engage in underhanded competition against us with our own code...
grsecurity ripoff by Google, w/ Linus approval https://lists.dyne.org/lurker/message/2 … 4b.en.html


#2 2017-05-14 05:47:07

miroR
Member
From: Zagreb, Croatia
Registered: 2016-11-30
Posts: 136
Website

Re: Grsecurity/Pax installation on Devuan GNU/Linux

I successfully compiled grsecurity for my Gentoo, and also for my Devuan, from that git repo that you can read in that email (on either location):
...grsec, unofficial, by minipli
https://github.com/minipli/linux-unoffi … cial_grsec

I have then used paxrat, which I haven't found in Devuan (could be my lack of understanding):

https://packages.debian.org/sid/paxrat

installed it:

# dpkg -i <the-package>

applied it, and now I browse and am posting this with Iceweasel.

$ uname -a
Linux localhost 4.9.27-unofficial+grsec170512-22 #1 SMP PREEMPT Fri May 12 22:33:08 UTC 2017 x86_64 GNU/Linux
$

Last edited by miroR (2017-05-14 05:48:14)



#3 2017-09-15 13:58:07

miroR
Member
From: Zagreb, Croatia
Registered: 2016-11-30
Posts: 136
Website

Re: Grsecurity/Pax installation on Devuan GNU/Linux

Pls., find all in the script at:
https://github.com/miroR/grsec-dev1-compile
There is the config, with all modules just as the usual Devuan/Debian kernels at:
https://croatiafidelis.hr/gnu/deb/ (all there old, just the:
https://croatiafidelis.hr/gnu/deb/confi … l+grsec.gz
and
https://croatiafidelis.hr/gnu/deb/confi … +grsec.sig
are new)
but all is now much closer for even newbies.
Will try and post more about it, in the next post(s)...

Last edited by miroR (2017-09-15 14:06:29)



#4 2017-09-15 14:01:44

miroR
Member
From: Zagreb, Croatia
Registered: 2016-11-30
Posts: 136
Website

Re: Grsecurity/Pax installation on Devuan GNU/Linux

Really good news [1].
E.g.:
A paravirt RAP violation got fixed as well:
https://twitter.com/_minipli/status/907226600244219904

And that's Devuan's own Parazyd contributing there :)

Yet more to say, but no more time. Learn (if you need to), and of course: enjoy!
---
[1] Well, the level of the geniuses spender and PaX Team was too high for even Linus the Mr. Linux guy... But Minipli, parazyd and friends seem to be doing well...
I have been using minipli's unofficial-grsec since around the time of creation of the repo, and I for one, can tell you it is good, it protected me well!!

Last edited by miroR (2017-09-15 14:05:27)



#5 2017-09-15 14:29:14

miroR
Member
From: Zagreb, Croatia
Registered: 2016-11-30
Posts: 136
Website

Re: Grsecurity/Pax installation on Devuan GNU/Linux

One important note for users new to grsecurity is kind of urgent...
You will get, by default, huge logs.
It's because of these:

# grep -E 'GRKERNSEC' /boot/config-4.9.50-unofficial+grsec170915-04  | grep -E 'EXECLOG|AUDIT_CH'
CONFIG_GRKERNSEC_EXECLOG=y
CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
CONFIG_GRKERNSEC_AUDIT_CHDIR=y

( well, not the chroot in all cases, but the other two, yes! because of those )

So, if you don't want to have to cope with all that huge info, then when you are offered by the script that you downloaded from https://github.com/miroR/grsec-dev1-compile to modify your .config, i.e. when it reaches make menuconfig, set those to: =n, and you won't have the deluge.

However, those are great logging information. I can with certainty say that my Gentoo was attacked, because the logs say so (and you don't get such with anything but grsecurity):
https://croatiafidelis.hr/foss/cap/cap- … ange-bash/
https://lists.gt.net/gentoo/user/325985#325985

Regards!



#6 2017-09-18 03:45:14

miroR
Member
From: Zagreb, Croatia
Registered: 2016-11-30
Posts: 136
Website

Re: Grsecurity/Pax installation on Devuan GNU/Linux

This explanation is missing (due to political, and even criminal --morally so-- reasons grsec is not in widespread use [1]):

mr@gdOv:~$ sudo -s
[sudo] password for root: 
root@gdOv:/home/mr# ls -l /proc/sys/kernel/grsecurity/^C
root@gdOv:/home/mr# echo 0 > /proc/sys/kernel/grsecurity/exec_logging ; echo 0 > /proc/sys/kernel/grsecurity/audit_chdir ; 
root@gdOv:/home/mr# echo 1 > /proc/sys/kernel/grsecurity/exec_logging ; echo 1 > /proc/sys/kernel/grsecurity/audit_chdir ; 
root@gdOv:/home/mr# echo 0 > /proc/sys/kernel/grsecurity/tpe ; 
tpe               tpe_gid           tpe_restrict_all  
root@gdOv:/home/mr# cat /proc/sys/kernel/grsecurity/tpe ; 
1
root@gdOv:/home/mr# cat /proc/sys/kernel/grsecurity/tpe_restrict_all ; 
1
root@gdOv:/home/mr# echo 0 > /proc/sys/kernel/grsecurity/tpe ; echo 0 >  /proc/sys/kernel/grsecurity/tpe_restrict_all ; 
root@gdOv:/home/mr# 

The setting to disable exec_logging with "echo 0", and likewise the setting to disable audit_chdir, applies if you compiled with exec_logging and audit_chdir. Enable them again with the "echo 1 ..." line.

Currently, and I don't know why, the tpe ([T]rusted [P]ath [E]xecution, pls. read in the kernel help when you issue "make menuconfig" about it) just does not work right in Devuan/Debian/Ubuntu. E.g. I couldn't run any scripts from /usr/local/bin because of it. So, I disable it by issuing the two "echo 0 ..." lines.

---
[1] Pls. see my sig for that... BTW, my current sig links to:
https://forums.grsecurity.net/viewtopic … 699#p17127
https://lists.dyne.org/lurker/message/2 … 4b.en.html
in case that should change in the future.

Last edited by miroR (2017-09-18 03:47:56)


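The "echo 0" writes shown in posts #5 and #6 last only until the next reboot. As an added example (not part of grsec-dev1-compile or of the posts above), this shell function reads a kernel config and prints sysctl.d-style lines for the two logging features the thread names. The CONFIG_GRKERNSEC_SYSCTL check and the kernel.grsecurity.* key names are taken from how grsecurity exposes /proc/sys/kernel/grsecurity, not from the thread; the function names and the sample config are constructed.

```shell
#!/bin/sh
# Added example; function names and SAMPLE_CONFIG are constructed.

# config_on FILE OPTION: true if OPTION=y appears in a plain-text kernel config.
config_on() {
    grep -q "^$2=y\$" "$1"
}

# grsec_logging_sysctls FILE VALUE: print one sysctl.d line per logging
# feature that is compiled in, set to VALUE (0 = quiet, 1 = log).
grsec_logging_sysctls() {
    cfg=$1
    val=$2
    # Without sysctl support there are no /proc/sys/kernel/grsecurity
    # entries, and the only way to silence the logs is to rebuild with =n.
    config_on "$cfg" CONFIG_GRKERNSEC_SYSCTL || return 1
    # /proc/sys/kernel/grsecurity/NAME corresponds to kernel.grsecurity.NAME
    config_on "$cfg" CONFIG_GRKERNSEC_EXECLOG &&
        echo "kernel.grsecurity.exec_logging = $val"
    config_on "$cfg" CONFIG_GRKERNSEC_AUDIT_CHDIR &&
        echo "kernel.grsecurity.audit_chdir = $val"
    return 0
}

# Constructed sample config: the three options from post #5 plus sysctl support.
SAMPLE_CONFIG='CONFIG_GRKERNSEC_SYSCTL=y
CONFIG_GRKERNSEC_EXECLOG=y
CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
CONFIG_GRKERNSEC_AUDIT_CHDIR=y'
```

Run it against the installed /boot/config-* file and redirect the output to a .conf file under /etc/sysctl.d/ (file name of your choice) so the setting is applied at boot.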

#7 2017-09-18 13:18:13

miroR
Member
From: Zagreb, Croatia
Registered: 2016-11-30
Posts: 136
Website

Re: Grsecurity/Pax installation on Devuan GNU/Linux

There's great evidence (in worrying circumstances, for me) of the goodness of grsec's exec_logging and audit_chdir features at my recent investigation at:
Strange Bash under grsecurity's exec logging
https://dev1galaxy.org/viewtopic.php?id=1598

Regards!

Last edited by miroR (2017-09-18 14:48:26)



#8 2017-09-24 05:31:11

miroR
Member
From: Zagreb, Croatia
Registered: 2016-11-30
Posts: 136
Website

Re: Grsecurity/Pax installation on Devuan GNU/Linux

Those who are willing to risk somewhat, the new page with the freshly compiled packages at:

https://croatiafidelis.hr/gnu/deb/linux … 170923-22/

says it all openly.  Pls. read the big fat warning there.

IOW, at your own risk, you can try your luck and install my packages from above.

Regards!



#9 2017-09-24 13:29:37

miroR
Member
From: Zagreb, Croatia
Registered: 2016-11-30
Posts: 136
Website

Re: Grsecurity/Pax installation on Devuan GNU/Linux

Cleaner script available now:
https://github.com/miroR/grsec-dev1-com … /tag/v0.15
(that's what I sign, the tags, but that's latest branch in master)

Or from:
https://github.com/miroR/grsec-dev1-compile/tags

Or, of course, once you clone grsec-dev1-compile repo, the old non-GUI way. Something to this effect:

you@yr-machine:~$ git clone https://github.com/miroR/grsec-dev1-compile
Cloning into 'grsec-dev1-compile'...
remote: Counting objects: 14, done.
remote: Compressing objects: 100% (11/11), done.
remote: Total 14 (delta 3), reused 14 (delta 3), pack-reused 0
Unpacking objects: 100% (14/14), done.
you@yr-machine:~$ cd grsec-dev1-compile/
you@yr-machine:~/grsec-dev1-compile$ git tag --list
v0.01
v0.1
v0.15
you@yr-machine:~/grsec-dev1-compile$ git tag --verify v0.15
object 888fb7a5024139f14b024eb0a2cff6bd34054d2a
type commit
tag v0.15
tagger Miroslav Rovis <miro.rovis@croatiafidelis.hr> 1506259462 +0000

comments sorted
gpg: Signature made Sun 24 Sep 2017 13:24:37 UTC
gpg:                using RSA key FCF13245ED247DCE443855B7EA9884884FBAF0AE
gpg: Good signature from "Miroslav Rovis (consacrated to Heart of Jesus) <miro.rovis@croatiafidelis.hr>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: FCF1 3245 ED24 7DCE 4438  55B7 EA98 8488 4FBA F0AE
you@yr-machine:~/grsec-dev1-compile$ 

I thought I'd explain this, for newbies that are still learning. Advanced users, thank you for your patience.

Last edited by miroR (2017-09-24 13:46:20)


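The session in post #9 ends with gpg's "not certified with a trusted signature" warning, so "Good signature" alone says only that some key in the keyring signed the tag. As an added example (not part of grsec-dev1-compile), this shell sketch pins the fingerprint printed in that session and checks it against GnuPG's machine-readable status output; the function names and the two sample status transcripts are constructed.

```shell
#!/bin/sh
# Added example, not part of grsec-dev1-compile.

# Primary key fingerprint as printed by `git tag --verify v0.15` in the post.
EXPECTED_FPR="FCF13245ED247DCE443855B7EA9884884FBAF0AE"

# check_status FPR: read GnuPG status lines on stdin. Succeeds only when a
# VALIDSIG line names FPR as the primary key (last field) and no bad,
# unverifiable, expired or revoked signature status appears.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && toupper($NF) == toupper(want) { ok = 1 }
        END { exit ((ok && !bad) ? 0 : 1) }
    '
}

# verify_tag TAG: run inside the clone. `git verify-tag --raw` writes the
# GnuPG status output to stderr, which is piped into check_status.
verify_tag() {
    git verify-tag --raw "$1" 2>&1 >/dev/null | check_status "$EXPECTED_FPR"
}

# Constructed status output: a good signature made by the pinned key.
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG EA9884884FBAF0AE Miroslav Rovis
[GNUPG:] VALIDSIG FCF13245ED247DCE443855B7EA9884884FBAF0AE 2017-09-24 1506259477 0 4 0 1 8 00 FCF13245ED247DCE443855B7EA9884884FBAF0AE
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed status output: a good signature, but made by a different key.
SAMPLE_OTHER_KEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Someone Else
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2017-09-24 1506259477 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp'
```

In the clone, `verify_tag v0.15 && git checkout v0.15` checks out the tag only when the signature comes from the pinned key.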

#10 2017-09-29 15:38:06

miroR
Member
From: Zagreb, Croatia
Registered: 2016-11-30
Posts: 136
Website

Re: Grsecurity/Pax installation on Devuan GNU/Linux

If I don't fix the warnings by user downloading of the new packages, the warnings are here:
https://www.croatiafidelis.hr/gnu/deb/l … 170923-22/
( but don't use those old packages )
And the packages are here:

linux-deb-4.9.52-unofficial+grsec170929-07
https://www.croatiafidelis.hr/gnu/deb/l … 170929-07/

I think it's a good kernel... Barring some tests and some research/advice that I've been seeking as per the warnings page...



#11 2017-11-15 17:10:52

miroR
Member
From: Zagreb, Croatia
Registered: 2016-11-30
Posts: 136
Website

Re: Grsecurity/Pax installation on Devuan GNU/Linux

There is a new patch, and new packages available:

https://www.croatiafidelis.hr/gnu/deb/l … 171114-19/

I just explained it on Debian Forums:

http://forums.debian.net/viewtopic.php? … 53#p658753

( because there was a little discussion there, so they took precedence this time )

Regards!



#12 2017-11-16 09:37:43

cynwulf
Member
Registered: 2017-10-09
Posts: 99

Re: Grsecurity/Pax installation on Devuan GNU/Linux

I'm still not sure if grsec is actually worth the effort these days, especially in view of this: https://grsecurity.net/passing_the_baton.php

i.e. in the future you'll have to pay for it...

I also wonder what exactly KSPP are trying to achieve, it seems like a talking shop at this stage.

And the attitudes of certain people, mean kernel security is never going to be anything more than a retroactive approach anyway: http://lkml.iu.edu/hypermail/linux/kern … 06228.html (nothing unusual there, it's just the usual dismissive disdain for "security people")

I also wonder what exactly KSPP are trying to achieve, it seems like a talking shop at the moment...


#13 2017-11-16 12:35:21

miroR
Member
From: Zagreb, Croatia
Registered: 2016-11-30
Posts: 136
Website

Re: Grsecurity/Pax installation on Devuan GNU/Linux

cynwulf wrote:

I'm still not sure if grsec is actually worth the effort these days, especially in view of this: https://grsecurity.net/passing_the_baton.php

My views on it are in my signature. (important: the ripoff by Google, but read there spender's statement or roll back for more verbose view of mine)

i.e. in the future you'll have to pay for it...

Not in the future, you already have to pay for it. But not the unofficial-grsecurity which is completely open, and which I talk about and post packages of, since the closure of free official grsecurity.

I also wonder what exactly KSPP are trying to achieve, it seems like a talking shop at this stage.

And the attitudes of certain people, mean kernel security is never going to be anything more than a retroactive approach anyway: http://lkml.iu.edu/hypermail/linux/kern … 06228.html (nothing unusual there, it's just the usual dismissive disdain for "security people")

I also wonder what exactly KSPP are trying to achieve, it seems like a talking shop at the moment...

You do point to another... erhm...historical remark by Linus... Appreciated!

But no time for discussion here on my part, too many things to solve are on my hands instead.

The patches, I believe, are still good, the unofficial ones, but surely more testing would be needed by more people!

Last edited by miroR (2017-11-16 12:45:40)



#14 2017-11-16 21:22:27

miroR
Member
From: Zagreb, Croatia
Registered: 2016-11-30
Posts: 136
Website

Re: Grsecurity/Pax installation on Devuan GNU/Linux

There's corsac's grsecurity packages (with the new grsecunoff patches, and all the necessary recommends) in Ceres.

So updating to Ceres, one can install them, probably something like:

# apt-get install linux-image-4.9.0-4-grsec-amd64

Updating to Ceres is the first thing I'll do, and then report about it.
The news I was told on Debian Forums in the link I gave two or so posts above.

Regards!

Last edited by miroR (2017-11-16 21:23:43)

