blob: f59a43ed7c87341725de0cc446b14086093475ab (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
|
[[!meta title="Hardened OS"]]
[[!tag research hardened grsecurity security]]
grsecurity
----------
Basic install:
sudo apt-get -t jessie-backports install linux-image-4.9.0-2-grsec-amd64 linux-image-grsec-amd64
sudo apt-get install paxtest
sudo usermod -aG grsec-tpe `whoami`
As root:
echo "kernel.grsecurity.rwxmap_logging = 0" > /etc/sysctl.d/kernel.grsecurity.rwxmap_logging.conf
echo "kernel.grsecurity.grsec_lock = 1" > /etc/sysctl.d/kernel.grsecurity.grsec_lock.conf
As regular user, after reboot:
paxctl -cm /usr/bin/git-annex
paxctl -cm /usr/bin/qemu-img
paxctl -cm /usr/bin/qemu-system-x86_64
Further research
----------------
LXC unprivileged containers for GUI applications:
* [LXC 1.0: GUI in containers [9/10] | Stéphane Graber's website](https://stgraber.org/2014/02/09/lxc-1-0-gui-in-containers/).
* [Configuring Unprivileged LXC containers in Debian Jessie](https://myles.sh/configuring-lxc-unprivileged-containers-in-debian-jessie/).
* [LXC - Debian Wiki](https://wiki.debian.org/LXC).
References
----------
* https://micahflee.com/2016/01/debian-grsecurity/
* https://nixaid.com/grsec-in-docker/
* https://hardenedlinux.github.io/
* https://packages.debian.org/stretch/bubblewrap
* https://packages.debian.org/stretch/runc
* https://github.com/projectatomic/bubblewrap
* https://github.com/opencontainers/runc
* https://github.com/thestinger/playpen
* https://github.com/omegaup/minijail
|