aboutsummaryrefslogtreecommitdiff
path: root/research/hardened.md
blob: f59a43ed7c87341725de0cc446b14086093475ab (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
[[!meta title="Hardened OS"]]
[[!tag research hardened grsecurity security]]

grsecurity
----------

Basic install:

    sudo apt-get -t jessie-backports install linux-image-4.9.0-2-grsec-amd64 linux-image-grsec-amd64
    sudo apt-get install paxtest
    sudo usermod -aG grsec-tpe `whoami`

As root:

    echo "kernel.grsecurity.rwxmap_logging = 0" > /etc/sysctl.d/kernel.grsecurity.rwxmap_logging.conf 
    echo "kernel.grsecurity.grsec_lock = 1"     > /etc/sysctl.d/kernel.grsecurity.grsec_lock.conf

As regular user, after reboot:

    paxctl -cm /usr/bin/git-annex
    paxctl -cm /usr/bin/qemu-img
    paxctl -cm /usr/bin/qemu-system-x86_64

Further research
----------------

LXC unprivileged containers for GUI applications:

* [LXC 1.0: GUI in containers [9/10] | Stéphane Graber's website](https://stgraber.org/2014/02/09/lxc-1-0-gui-in-containers/).
* [Configuring Unprivileged LXC containers in Debian Jessie](https://myles.sh/configuring-lxc-unprivileged-containers-in-debian-jessie/).
* [LXC - Debian Wiki](https://wiki.debian.org/LXC).

References
----------

* https://micahflee.com/2016/01/debian-grsecurity/
* https://nixaid.com/grsec-in-docker/
* https://hardenedlinux.github.io/
* https://packages.debian.org/stretch/bubblewrap
* https://packages.debian.org/stretch/runc
* https://github.com/projectatomic/bubblewrap
* https://github.com/opencontainers/runc
* https://github.com/thestinger/playpen
* https://github.com/omegaup/minijail