[grsec] grsecurity & lguest

Philip Sanderson philip.k.sanderson at gmail.com
Mon Nov 1 09:01:42 EDT 2010


Just thought I'd share some notes on PaX & lguest (so if anyone else is
looking for information, they can hopefully stumble across them).

short version:
PAGEEXEC = for hosts with PAE = works.
SEGMEXEC = for guests = works. (PAGEEXEC = does not work.)
UDEREF = works with no slowdown.
KERNEXEC = does not work due to limitations. Maybe possible to make it work
for some extra protection.
Documentation/lguest/lguest.c = needs a minor tweak to avoid paxctl -m.

tl;dr version:

First off, http://swtch.com/lguest/ for information about it. My config file
is at http://www.pastebin.ca/1978595. Host is an Atom N270, no hw
virtualisation. Kernel config is pretty full on; it's mostly just an Ubuntu
.config file with some things tweaked, with no trimming down. Atom
processors seem to be popular with green hosting / netbook laptops.

Mostly good news: lguest works using PAGEEXEC for the host, and SEGMEXEC for
the guests (lguest does not support the NX bit, as documented in
arch/x86/lguest/boot.c, so it falls back). UDEREF works from what I can
tell.

Commenting out the line that disables the NX bit and recompiling makes it use
PAGEEXEC, but the paxtest exec tests fail. It would be ideal if lguest
supported the NX bit. I have not looked at why this is the case, or how easy
it would be to implement it.

KERNEXEC seems like it would be unsupported, as lguest wants to map
executable code at 0xff[ce]00000 (drivers/lguest/core.c). I know for certain
it does not work if you enable kernel modules :-) It would be nice if it were
supported for the host. From looking at free_initmem(), it won't be
supported if it is being paravirt'd.

A random thought is that tweaking KERNEXEC to prevent userland access
(yet allow full kernel) and relying on PAE+NX (to protect kernel pages) would
give you at least something on the host kernel while allowing lguest to
work. That said, it could be argued that having that mapped in memory at a
fixed location is a bad idea.

lguest userland (Documentation/lguest/lguest.c) requires some work to get it
suitable. Run sed -ie 's/|PROT_EXEC//g' on it and it will work fine on the
host. Additionally, adding a chroot/chdir/setgroups/setresgid/setresuid just
before run_guest() seems to work fine (of course, it will break rebooting,
which execv's itself ... unless it is statically compiled, and file
permissions / /dev/net/tun are fine).

Another interesting lguest.c thing is that it looks like it could work well
with seccomp -- once you tweak seccomp to allow pread/pwrite/readv/writev --
though I suspect the only person interested in that would be me. ;)

And that's about it :-) All in all, lguest seems pretty decent and friendly
towards PaX/grsecurity :)
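The two launcher tweaks described in the post above (mapping guest memory without PROT_EXEC so PaX MPROTECT does not have to be disabled with paxctl -m, and confining the launcher with chroot/chdir/setgroups/setresgid/setresuid just before run_guest()), written out as an added example. This is not code from the post or from lguest.c; the function names, the /var/empty jail, uid/gid 65534, the 64 MiB guest size and the MPROTECT probe are assumptions for illustration. drop_privileges() needs root to succeed, so run stand-alone as an ordinary user it reports the chroot failure and exits.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <unistd.h>

/* Prototypes for the GNU extensions, in case _GNU_SOURCE was not in effect
 * when the first system header was pulled in (e.g. by a test harness). */
int getresuid(uid_t *, uid_t *, uid_t *);
int getresgid(gid_t *, gid_t *, gid_t *);
int setresuid(uid_t, uid_t, uid_t);
int setresgid(gid_t, gid_t, gid_t);

/* Guest RAM is only ever read and written by the launcher; the host never
 * executes it in its own address space, so PROT_EXEC is not needed.  An
 * anonymous PROT_READ|PROT_WRITE|PROT_EXEC mapping is exactly what PaX
 * MPROTECT refuses, hence the paxctl -m an unmodified launcher needs. */
void *map_guest_memory(size_t len)
{
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return p == MAP_FAILED ? NULL : p;
}

/* Probe whether a writable anonymous mapping may later be made executable.
 * Under PaX MPROTECT the mprotect() fails (EACCES) and this returns 0; on a
 * vanilla kernel it returns 1; -1 means the probe mapping itself failed. */
int mprotect_exec_allowed(void)
{
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    void *p = map_guest_memory(pg);
    if (p == NULL)
        return -1;
    int ok = mprotect(p, pg, PROT_READ | PROT_EXEC) == 0;
    munmap(p, pg);
    return ok;
}

/* Check that real, effective and saved ids all equal the target, i.e. the
 * process cannot get its old identity back via setuid()/setgid(). */
int privileges_dropped(uid_t uid, gid_t gid)
{
    uid_t ru, eu, su;
    gid_t rg, eg, sg;
    if (getresuid(&ru, &eu, &su) != 0 || getresgid(&rg, &eg, &sg) != 0)
        return 0;
    return ru == uid && eu == uid && su == uid &&
           rg == gid && eg == gid && sg == gid;
}

/* Confinement to apply just before run_guest(): chroot into an (assumed
 * empty) jail, chdir into it, drop supplementary groups, then the gid,
 * then the uid.  Order matters: setresuid() goes last, because once the uid
 * is unprivileged the earlier calls are no longer permitted.  The setres*
 * variants set real, effective and saved ids together, so no saved id is
 * left to switch back with.  Caveat noted in the post: lguest's reboot path
 * execv()s its own binary, which fails inside the jail unless the launcher
 * is statically linked and present there. */
int drop_privileges(const char *jail, gid_t gid, uid_t uid)
{
    if (chroot(jail) != 0 || chdir("/") != 0)
        return -1;
    if (setgroups(0, NULL) != 0)
        return -1;
    if (setresgid(gid, gid, gid) != 0)
        return -1;
    if (setresuid(uid, uid, uid) != 0)
        return -1;
    return privileges_dropped(uid, gid) ? 0 : -1;
}

int main(void)
{
    void *guest = map_guest_memory(64u << 20);  /* 64 MiB, an assumed size */
    if (guest == NULL) {
        perror("mmap");
        return 1;
    }
    printf("MPROTECT enforced: %s\n", mprotect_exec_allowed() ? "no" : "yes");
    /* /var/empty and uid/gid 65534 (nobody) are assumed values. */
    if (drop_privileges("/var/empty", 65534, 65534) != 0) {
        perror("drop_privileges");
        return 1;
    }
    /* run_guest() would follow here, with only the guest mapping and the
     * already-open descriptors (e.g. /dev/net/tun) available to it. */
    return 0;
}
```

The probe is worth keeping around as a one-liner check: if mprotect_exec_allowed() returns 0 on the host, the launcher must not rely on flipping any mapping to executable later, which is exactly why the |PROT_EXEC removal is enough on its own.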