Debian Bug report logs - #814787
linux-grsec: GRKERNSEC_RANDSTRUCT shouldn't be enabled


Package: src:linux-grsec; Maintainer for src:linux-grsec is Yves-Alexis Perez <corsac@debian.org>;

Reported by: Florent Daigniere <nextgens@freenetproject.org>

Date: Mon, 15 Feb 2016 12:21:02 UTC

Severity: normal

Tags: patch

Merged with 816439

Fixed in version 4.9.65-2+grsecunoff1+rm

Done: Debian FTP Masters <ftpmaster@ftp-master.debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Yves-Alexis Perez <corsac@debian.org>:
Bug#814787; Package src:linux-grsec. (Mon, 15 Feb 2016 12:21:06 GMT)


Acknowledgement sent to Florent Daigniere <nextgens@freenetproject.org>:
New Bug report received and forwarded. Copy sent to Yves-Alexis Perez <corsac@debian.org>. (Mon, 15 Feb 2016 12:21:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Florent Daigniere <nextgens@freenetproject.org>
To: submit <submit@bugs.debian.org>
Subject: linux-grsec: GRKERNSEC_RANDSTRUCT shouldn't be enabled
Date: Mon, 15 Feb 2016 13:11:52 +0100
Source: linux-grsec
Severity: important

GRKERNSEC_RANDSTRUCT shouldn't be enabled on binary distro packages.

1) It's compile-time randomization, making it useless security wise
 (the attacker can fetch the binary from a mirror too!).

2) It prevents users from rebuilding kernel modules as the
 source package is distributed "cleaned".


On my systems, it prevents DKMS from working altogether.

# modprobe vboxdrv
[ 3841.583856] : version magic '4.3.0-1-grsec-amd64 SMP mod_unload modversions KERNEXEC_BTS UDEREF REFCOUNT GRSEC ' should be '4.3.0-1-grsec-amd64 SMP mod_unload modversions KERNEXEC_BTS UDEREF REFCOUNT CONSTIFY_PLUGIN STACKLEAK_PLUGIN GRSEC RANDSTRUCT_PLUGIN_643b63e2ae54ebcf23cb3cb1ea94ff2584bab4387b91fadf06a1b7fd2f2ad003'

Please disable GRKERNSEC_RANDSTRUCT.

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.3.0-1-grsec-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
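The failure quoted in this report is a vermagic mismatch: the running kernel's vermagic carries the extra tokens CONSTIFY_PLUGIN, STACKLEAK_PLUGIN and a RANDSTRUCT_PLUGIN_<hash> tied to that particular build, and the module loader refuses any module whose vermagic does not match token for token. The script below is an added example, not code from the report or from the linux-grsec package. It splits two vermagic strings into tokens, lists what the module lacks or has in surplus, and tests whether the kernel side carries a RANDSTRUCT token at all. The two strings are constructed from the error above; on a live system they would come from modinfo as noted in the comments, and the /boot/config path mentioned there is assumed to be the usual Debian location.

```shell
#!/bin/sh
# Added example, not part of the bug report: explain a
# "version magic '...' should be '...'" insmod failure token by token.
#
# On a real system the inputs would be obtained with, for example:
#   MODULE_MAGIC=$(modinfo -F vermagic /path/to/vboxdrv.ko)
#   KERNEL_MAGIC=$(modinfo -F vermagic /lib/modules/$(uname -r)/kernel/<any in-tree module>.ko)
# and a RANDSTRUCT kernel usually also shows CONFIG_GRKERNSEC_RANDSTRUCT=y in
# /boot/config-$(uname -r) (path assumed; Debian convention).
#
# Constructed sample input, copied from the error message quoted in the report.
MODULE_MAGIC='4.3.0-1-grsec-amd64 SMP mod_unload modversions KERNEXEC_BTS UDEREF REFCOUNT GRSEC '
KERNEL_MAGIC='4.3.0-1-grsec-amd64 SMP mod_unload modversions KERNEXEC_BTS UDEREF REFCOUNT CONSTIFY_PLUGIN STACKLEAK_PLUGIN GRSEC RANDSTRUCT_PLUGIN_643b63e2ae54ebcf23cb3cb1ea94ff2584bab4387b91fadf06a1b7fd2f2ad003'

# Print each whitespace-separated vermagic token on its own line.
vermagic_tokens() {
    printf '%s\n' "$1" | tr -s ' ' '\n' | sed '/^$/d'
}

# Compare a module's vermagic ($1) against the kernel's ($2).
# Prints "missing: TOKEN" for every token the kernel expects that the module lacks
# and "extra: TOKEN" for every token only the module has. Prints nothing on a match,
# which is the condition the module loader enforces.
vermagic_diff() {
    module_magic=$1
    kernel_magic=$2
    for tok in $(vermagic_tokens "$kernel_magic"); do
        vermagic_tokens "$module_magic" | grep -qxF -- "$tok" \
            || printf 'missing: %s\n' "$tok"
    done
    for tok in $(vermagic_tokens "$module_magic"); do
        vermagic_tokens "$kernel_magic" | grep -qxF -- "$tok" \
            || printf 'extra: %s\n' "$tok"
    done
}

# Exit 0 when a vermagic string carries a RANDSTRUCT_PLUGIN_<hex hash> token.
# Such a kernel only accepts modules built from the same tree with the same
# randomization seed, so a DKMS build against the distributed headers cannot match.
vermagic_has_randstruct() {
    vermagic_tokens "$1" | grep -q '^RANDSTRUCT_PLUGIN_[0-9a-f][0-9a-f]*$'
}

# Stand-alone demonstration on the constructed sample.
if vermagic_has_randstruct "$KERNEL_MAGIC"; then
    echo "kernel vermagic carries a RANDSTRUCT token; only same-build modules will load"
fi
vermagic_diff "$MODULE_MAGIC" "$KERNEL_MAGIC"
```

Run as-is to see the three missing tokens from the quoted error; substitute the modinfo outputs for MODULE_MAGIC and KERNEL_MAGIC to diagnose a real insertion failure. An empty diff means the mismatch lies elsewhere (for example in modversions CRCs), not in vermagic.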



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#814787; Package src:linux-grsec. (Mon, 15 Feb 2016 12:30:09 GMT)


Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
Extra info received and forwarded to list. (Mon, 15 Feb 2016 12:30:09 GMT)


Message #10 received at 814787@bugs.debian.org:

From: Yves-Alexis Perez <corsac@debian.org>
To: Florent Daigniere <nextgens@freenetproject.org>, 814787@bugs.debian.org
Subject: Re: Bug#814787: linux-grsec: GRKERNSEC_RANDSTRUCT shouldn't be enabled
Date: Mon, 15 Feb 2016 13:25:48 +0100
On Mon, 2016-02-15 at 13:11 +0100, Florent Daigniere wrote:
> 1) It's compile-time randomization, making it useless security wise
>  (the attacker can fetch the binary from a mirror too!).

Sure, but having it enabled means it's easy for people to just rebuild the
package and have a randomized kernel. So if it doesn't break things, I prefer
having it enabled.
> 
> 2) It prevents users from rebuilding kernel modules as the
>  source packaged is distributed "cleaned".

I fail to parse this. Did you try DKMS modules with RANDSTRUCT=n and did it
work? Because I sure didn't do anything to support external modules, so I'd be
surprised if that worked, RANDSTRUCT or not.

Regards,
-- 
Yves-Alexis


Information forwarded to debian-bugs-dist@lists.debian.org, Yves-Alexis Perez <corsac@debian.org>:
Bug#814787; Package src:linux-grsec. (Mon, 15 Feb 2016 13:06:03 GMT)


Acknowledgement sent to Florent Daigniere <nextgens@freenetproject.org>:
Extra info received and forwarded to list. Copy sent to Yves-Alexis Perez <corsac@debian.org>. (Mon, 15 Feb 2016 13:06:04 GMT)


Message #15 received at 814787@bugs.debian.org:

From: Florent Daigniere <nextgens@freenetproject.org>
To: Yves-Alexis Perez <corsac@debian.org>, 814787@bugs.debian.org
Subject: Re: Bug#814787: linux-grsec: GRKERNSEC_RANDSTRUCT shouldn't be enabled
Date: Mon, 15 Feb 2016 13:56:54 +0100
On Mon, 2016-02-15 at 13:25 +0100, Yves-Alexis Perez wrote:
> > 
> > 2) It prevents users from rebuilding kernel modules as the
> >  source packaged is distributed "cleaned".
> 
> I fail to parse this. Did you try DKMS modules with RANDSTRUCT=n and
> did it work?

It won't work as long as the packaged binary (my running kernel) has it
enabled. I'd need to rebuild both the package and the module with it
disabled to try it out... and I haven't tried it yet.

>  Because I sure didn't do anything to support external modules, so
> I'd be surprised if that worked, RANDSTRUCT or not.

You're right; I should focus on documenting what doesn't work rather
than guessing. I should have filed two bugs:

1) the binary package shouldn't have it enabled because it's useless
security wise, does incur runtime cost and obviously breaks stuff (see
2) (https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options#Randomize_layout_of_sensitive_kernel_structures).

2) with the binary package, DKMS-built modules (but I suspect that it
stands true for all modules) won't insert into the running kernel. This
needs fixing, one way or another.

Do you want me to do the bug-filing/renaming or can you do it?

Florent

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#814787; Package src:linux-grsec. (Mon, 15 Feb 2016 13:15:04 GMT)


Acknowledgement sent to Yves-Alexis Perez <corsac@debian.org>:
Extra info received and forwarded to list. (Mon, 15 Feb 2016 13:15:04 GMT)


Message #20 received at 814787@bugs.debian.org:

From: Yves-Alexis Perez <corsac@debian.org>
To: Florent Daigniere <nextgens@freenetproject.org>, 814787@bugs.debian.org
Subject: Re: Bug#814787: linux-grsec: GRKERNSEC_RANDSTRUCT shouldn't be enabled
Date: Mon, 15 Feb 2016 14:11:31 +0100
On Mon, 2016-02-15 at 13:56 +0100, Florent Daigniere wrote:
> > I fail to parse this. Did you try DKMS modules with RANDSTRUCT=n and
> > did it work?
> 
> It won't work as long as the packaged binary (my running kernel) has it
> enabled. I'd need to rebuild both the package and the module with it
> disabled to try it out... and I haven't tried it yet.

That's what I was asking. Please try and report back.
> 
> >  Because I sure didn't do anything to support external modules, so
> > I'd be surprised if that worked, RANDSTRUCT or not.
> 
> You're right; I should focus on documenting what doesn't work rather
> than guessing. I should have filed two bugs:
> 
> 1) the binary package shouldn't have it enabled because it's useless
> security wise, does incur runtime cost and obviously breaks stuff (see
> 2) (https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options#Randomize_layout_of_sensitive_kernel_structures).

I disagree here see my previous mail.
> 
> 2) with the binary package, DKMS-built modules (but I suspect that it
> stands true for all modules) won't insert into the running kernel. This
> needs fixing, one way or another.

That's not different from the previous point I think.
> 
> Do you want me to do the bug-filing/renaming or can you do it?

I don't know what you mean, so I won't do it. But in case I wasn't clear
either:

- randstruct is enabled on purpose
- external modules are currently not supported (mainly because I don't use
them so I didn't investigate); this is not directly related to randstruct,
although it's definitely part of the issue.

If you're interested in having external modules supported, then please provide
patches against the current git, and document what you find.

Regards,
-- 
Yves-Alexis


Severity set to 'normal' from 'important' Request was from Yves-Alexis Perez <corsac@debian.org> to 816439-submit@bugs.debian.org. (Wed, 02 Mar 2016 08:27:05 GMT)


Merged 814787 816439 Request was from Yves-Alexis Perez <corsac@debian.org> to 816439-submit@bugs.debian.org. (Wed, 02 Mar 2016 08:27:07 GMT)


Added tag(s) patch. Request was from Steven Chamberlain <stevenc@debian.org> to control@bugs.debian.org. (Tue, 12 Jul 2016 23:45:07 GMT)


Reply sent to Debian FTP Masters <ftpmaster@ftp-master.debian.org>:
You have taken responsibility. (Sun, 15 Apr 2018 15:48:14 GMT)


Notification sent to Florent Daigniere <nextgens@freenetproject.org>:
Bug acknowledged by developer. (Sun, 15 Apr 2018 15:48:14 GMT)


Message #31 received at 814787-done@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 810506-done@bugs.debian.org,814787-done@bugs.debian.org,816309-done@bugs.debian.org,820464-done@bugs.debian.org,849056-done@bugs.debian.org,863060-done@bugs.debian.org,888702-done@bugs.debian.org,892400-done@bugs.debian.org,
Cc: linux-grsec@packages.debian.org
Subject: Bug#895433: Removed package(s) from unstable
Date: Sun, 15 Apr 2018 15:47:34 +0000
Version: 4.9.65-2+grsecunoff1+rm

Dear submitter,

as the package linux-grsec has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see https://bugs.debian.org/895433

The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Scott Kitterman (the ftpmaster behind the curtain)



Reply sent to Debian FTP Masters <ftpmaster@ftp-master.debian.org>:
You have taken responsibility. (Sun, 15 Apr 2018 15:48:15 GMT)


Notification sent to bancfc@openmailbox.org:
Bug acknowledged by developer. (Sun, 15 Apr 2018 15:48:15 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 14 May 2018 07:29:12 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed May 17 09:33:56 2023; Machine Name: buxtehude
