On Fri., 2016-01-08 at 00:44 +, ban...@openmailbox.org wrote:
> I've been experimenting with the source package in unstable. There is
> still some security advantages of building the source package such as
> unique RANDSTRUCT values not known publicly:
> https://github.com/Whonix/grsecurity-
I've been experimenting with the source package in unstable. There is
still some security advantages of building the source package such as
unique RANDSTRUCT values not known publicly:
https://github.com/Whonix/grsecurity-installer/issues/1#issuecomment-169819722
Installing the build dependenc
On Tue, 05 Jan 2016 15:40:50 +0100 Yves-Alexis Perez wrote:
> On Tue., 2016-01-05 at 15:33 +0100, HacKurx wrote:
> > There are 52 sysctl variables with grsecurity but 42 are used in
> > grsec.conf (linux-grsec-base-0.1).
> > To know the list:
> > cat /usr/src/linux-4.3.3/grsecurity/grsec_sysctl.c
On Tue., 2016-01-05 at 15:33 +0100, HacKurx wrote:
> There are 52 sysctl variables with grsecurity but 42 are used in
> grsec.conf (linux-grsec-base-0.1).
> To know the list:
> cat /usr/src/linux-4.3.3/grsecurity/grsec_sysctl.c | grep "\.procname"
Please report bugs like these against linux-grsec
There are 52 sysctl variables with grsecurity but 42 are used in
grsec.conf (linux-grsec-base-0.1).
To know the list:
cat /usr/src/linux-4.3.3/grsecurity/grsec_sysctl.c | grep "\.procname"
kernel.grsecurity.disable_priv_io
kernel.grsecurity.linking_restrictions
kernel.grsecurity.enforce_symlinksi
Hi,
Add and use "paxctld" in Debian to configure PaX flags (equivalent to
paxd from Arch Linux):
https://grsecurity.net/download.php
And if you want inspiration for making all of it available:
https://projects.archlinux.org/svntogit/community.git/tree/trunk?h=packages/grsec-common
And one you
For those following along at home, I would suggest booting the grsec
enabled kernel once - then saving the output of `sudo lsmod` into a
file. Take every module you want (i.e. all of them) and put the list
into /etc/initramfs-tools/modules - then you'll need to run
`dpkg-reconfigure linux-image-4.3.
On 21/12/2015 00:14, Jacob Appelbaum wrote:
> I was left with:
>
> [ 1802.373906] grsec: denied untrusted exec (due to not being in
> trusted group and file in non-root-owned directory) of
> /run/user/1000/orcexec.bCtW1V by
> /usr/bin/pulseaudio[alsa-source-ALC:3038] uid/euid:1000/1000
> gid/egid:
I'm also running this kernel with AppArmor and it seems to work without issue.
I followed the steps on https://wiki.debian.org/AppArmor/HowToUse
which sets "apparmor=1 security=apparmor" on the kernel command line
as documented:
sudo perl -pi -e 's,GRUB_CMDLINE_LINUX="(.*)"$,GRUB_CMDLINE_LINUX="$
On 12/21/15, Mickaël Salaün wrote:
> On 21/12/2015 00:14, Jacob Appelbaum wrote:
>> I was left with:
>>
>> [ 1802.373906] grsec: denied untrusted exec (due to not being in
>> trusted group and file in non-root-owned directory) of
>> /run/user/1000/orcexec.bCtW1V by
>> /usr/bin/pulseaudio[alsa-sour
On Sun., 2015-12-20 at 21:55 +, ban...@openmailbox.org wrote:
> I just wanted to mention Git tag signing. It's a very useful security
> feature we use for protecting source code builds in our project.
>
> https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work
Ben Hutchings signs his src:l
On Mon., 2015-12-21 at 05:51 +, ban...@openmailbox.org wrote:
> Are there other ways to deal with unwanted network stack modules like
> Appletalk besides going in and manually disabling them in config before
> compiling?
>
> Is disabling module loading enough?
Only you can say if it's enough
On Sun., 2015-12-20 at 23:14 +, Jacob Appelbaum wrote:
> To make my Debian Jessie system work with pax, I had to set pax flags
> for these three binaries:
>
> paxctl -c -m /usr/bin/gnome-shell
> paxctl -c -m /usr/bin/gnome-session
> paxctl -c -m /usr/bin/pulseaudio
>
> If you don't want
On Sun., 2015-12-20 at 22:37 +, Jacob Appelbaum wrote:
> ( One difference I've noticed is that I no longer have the little
> frame buffer penguins at boot time - I think on this computer, I
> should see a bunch of them. I assume this is expected behavior but
> wanted to note it anyway. )
I /ne
Are there other ways to deal with unwanted network stack modules like
Appletalk besides going in and manually disabling them in config before
compiling?
Is disabling module loading enough?
Please give some insight if it's okay to discuss.
To make my Debian Jessie system work with pax, I had to set pax flags
for these three binaries:
paxctl -c -m /usr/bin/gnome-shell
paxctl -c -m /usr/bin/gnome-session
paxctl -c -m /usr/bin/pulseaudio
If you don't want to modify the binary, you can also set the
attributes in the file system:
I just wanted to mention Git tag signing. It's a very useful security
feature we use for protecting source code builds in our project.
https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work
It may make sense for us to have a package of paxrat with common
configurations for Debian users:
https://github.com/subgraph/paxrat
This would ensure that everyone can use this kernel and have xorg work
as expected, for example.
Otherwise, I think we will see a lot of people who just run:
On 2015-12-20 09:51, Yves-Alexis Perez wrote:
On Sun., 2015-12-20 at 00:32 +, ban...@openmailbox.org wrote:
Hi. After testing the kernel X doesn't boot because restrict mprotect is
enabled.
Hi,
it's most likely because you're using an nvidia/nouveau or amd/radeon graphics
card, and the us
On Sun., 2015-12-20 at 19:28 +, ban...@openmailbox.org wrote:
> Agreed but there are many major software packages especially on the
> desktop that need exceptions to work for example Iceweasel and by
> extension Tor Browser.
Sure. I'm just not interested in maintaining that list myself.
>
>
On Sun., 2015-12-20 at 00:32 +, ban...@openmailbox.org wrote:
> Hi. After testing the kernel X doesn't boot because restrict mprotect is
> enabled.
Hi,
it's most likely because you're using an nvidia/nouveau or amd/radeon graphics
card, and the userland driver uses LLVMpipe which in turn uses
Hi. After testing the kernel X doesn't boot because restrict mprotect is
enabled. Are there plans to integrate a PaX exception list so mprotect
can be enabled system wide while common software can still work?
On Sat, 2015-12-19 at 17:03 +, Jacob Appelbaum wrote:
> On 12/19/15, Jacob Appelbaum wrote:
[...]
> > To boot Debian Jessie (with some testing packages too) to X - I had to set:
> >
> > kernel.grsecurity.disable_priv_io=0
> > kernel.pax.softmode=1
> > kernel.grsecurity.grsec_lock=0
> >
>
> W
On 12/19/15, Jacob Appelbaum wrote:
> On 12/19/15, Yves-Alexis Perez wrote:
>> On Thu., 2015-11-05 at 22:08 +0100, Yves-Alexis Perez wrote:
>>> On Sat., 2015-10-10 at 21:55 +0200, Yves-Alexis Perez wrote:
>>> > This is really a work in progress and this mail a request for comment.
>>> > Especiall
On 12/19/15, Yves-Alexis Perez wrote:
> On Thu., 2015-11-05 at 22:08 +0100, Yves-Alexis Perez wrote:
>> On Sat., 2015-10-10 at 21:55 +0200, Yves-Alexis Perez wrote:
>> > This is really a work in progress and this mail a request for comment.
>> > Especially missing is:
>>
>> So, did any of you have
On Thu., 2015-11-05 at 22:08 +0100, Yves-Alexis Perez wrote:
> On Sat., 2015-10-10 at 21:55 +0200, Yves-Alexis Perez wrote:
> > This is really a work in progress and this mail a request for comment.
> > Especially missing is:
>
> So, did any of you have the chance to test it? I'm currently running
On Sat., 2015-11-07 at 14:54 +, Ben Hutchings wrote:
> 1. linux-grsec-{source,support} are included in debian/control but not
> built by debian/rules.real. I think these should be built; the latter
> will be needed to build metapackages as in linux-latest.
>
>
> 3. The changes to gencontrol.
On Tue, 2015-11-10 at 10:42 +0100, Yves-Alexis Perez wrote:
> On Sat., 2015-11-07 at 14:54 +, Ben Hutchings wrote:
> > I've given this a quick review and found a few issues:
>
> Thanks!
> >
> > 1. linux-grsec-{source,support} are included in debian/control but not
> > built by debian/rules.re
On Sat., 2015-11-07 at 14:54 +, Ben Hutchings wrote:
> I've given this a quick review and found a few issues:
Thanks!
>
> 1. linux-grsec-{source,support} are included in debian/control but not
> built by debian/rules.real. I think these should be built; the latter
> will be needed to build m
On Thu, 2015-11-05 at 22:08 +0100, Yves-Alexis Perez wrote:
> On Sat., 2015-10-10 at 21:55 +0200, Yves-Alexis Perez wrote:
> > This is really a work in progress and this mail a request for comment.
> > Especially missing is:
>
> So, did any of you have the chance to test it? I'm currently running
On Sat., 2015-10-10 at 21:55 +0200, Yves-Alexis Perez wrote:
> This is really a work in progress and this mail a request for comment.
> Especially missing is:
So, did any of you have the chance to test it? I'm currently running the 4.2.5
kernel with grsecurity-3.1-4.2.5-201511021814 (just uploaded