Linux Kernel 4.6 - New Self Protection Features

Discussion in 'all things UNIX' started by AutoCascade, May 14, 2016.

  1. AutoCascade

    https://plus.google.com/u/0/+KeesCook/posts/adtf8msMKNL

    https://www.linux.com/news/greg-kh-update-linux-kernel-46-next-week-new-security-features
     
  2. kinder2

    How to install it easily?
     
  3. AutoCascade

    You just have to use a distro that moves to the new kernels and you'll have it. That just rules out LTS distros - I believe - someone correct me on that if I'm wrong.

    From the sounds of the linux.com write-up, a lot of new resources are now going into kernel bug fixes and new security features. It talks about Google, Intel & Redhat funding some of their employees to work on kernel security and adding grsec features to the kernel.

    Keynote by Greg Kroah-Hartman at CoreOS Fest, Berlin. Really worth watching. At 14:30 he starts talking about kernel security.

    https://www.youtube.com/watch?v=GGBlBIFAKmA
     
    Last edited: May 15, 2016
  4. amarildojr

    Hopefully this will make AppArmor and SELinux obsolete this year.
     
  5. oliverjia

    I remember in Ubuntu 14.04, with each point release, the kernel was also updated. E.g., in the latest 14.04.4 release, the kernel version is 4.2, while in the original 14.04.0, the kernel version was 3.13. So I think most likely the next 16.04 point release, 16.04.1, should have kernel 4.6. Hopefully.
     
  6. AutoCascade

    Thanks, I wasn't really sure how that worked.
     
  7. Palancar

    Wonder what Debian will do with this??
     
  8. AutoCascade

    If you watch the YouTube video, Greg Kroah-Hartman compliments Debian several times about how good they are at securing Debian. The sound isn't the greatest because someone recorded it with their phone - lots of echo.
     
  9. quietman

    Have any Wilders members tried updating to the 4.6 kernel yet?

    If so, I'd be interested to read about the results ... and which distro(s).
     
  10. BoerenkoolMetWorst

  11. AutoCascade

    The influx of new kernel bug researchers paid by Google, Redhat and Intel seems to make this statement 'sour grapes' especially in lieu of his complete bug out a couple of weeks ago on Twitter because someone had found a bug in grsec code.

    The kernel self protection project is less than a year old. They fix bugs and add security features. I'm not sure what is wrong with the effort, except that as part of adding new security features they take code from Grsec because that's open source - or is it?
     
    Last edited: May 17, 2016
  12. amarildojr

  13. summerheat

    I don't think so. Remember that Grsecurity itself has RBAC, which provides mandatory access control and is, hence, an alternative to AppArmor and SELinux. Grsecurity alone cannot confine applications by limiting their access to specific resources (e.g. files). This is what a MAC system does, and that's why I think that Grsecurity and a MAC system complement each other.

    If your remark was meant to say that RBAC is more powerful/user-friendly/whatever compared to, say, AppArmor - well, that's possible, I've never tried it. But I think that Grsecurity won't be used either in the future by the majority of users because of compatibility problems with, e.g., VirtualBox, and its non-trivial configuration as somebody recently clarified :D. That's why I think that AppArmor and SELinux won't be obsolete at all. I cannot imagine that Red Hat will throw SELinux overboard in the foreseeable future ;) Besides, it seems from above posts that - despite Brad's rant - more and more Grsecurity features are being slowly added to the Linux kernel from the work of the Kernel Self Protection Project so I really question the need for Grsecurity for the average user.
     
  14. linuxforall

    The Ubuntu kernel patches in upstream stuff if it is relevant, and point releases also use newer kernels, so those using LTS Ubuntu will have access to all the features.
     
  15. Anonfame1

    RBAC is pretty awesome, but it has its problems. It's especially got problems on a rolling release distro. RBAC has no mechanism to create a policy for individual applications, only to create a policy for everything. This is fine on fixed distros where security updates are the only upgrades; there are no infrastructure changes, nor are any new directory access points needed. On a rolling release distro (like Arch, Gentoo, or Debian Testing/Sid), new package updates often bring new problems; it's only upon consulting logs that you realize it's RBAC blocking what the newer variant needs access to. Eventually it becomes a habit that as soon as you upgrade, you open journalctl and start using the application while also preparing to open the policy file to make changes.

    With AppArmor, this problem is significantly reduced. The majority of the system is unrestricted, while highly at-risk applications (like Firefox, Deluge, etc.) are being policed by AppArmor. I have found that these applications specifically don't seem to change underlying directory access locations often, so AppArmor provides protection without being a nuisance. It's also much easier to set up. RBAC would be great if only Spender would include an override switch that allows users the option to disable global enforcing and only enforce the executables listed in the policy file. But he won't do that for ideological reasons. For AppArmor, if changes should cause breakage, fixing it is trivial. You can either edit the policy file directly, or you can use aa-logprof combined with audit to find the issue and edit the policy file.

    On Gentoo and Debian, using AppArmor is trivial. On Gentoo you simply set up your kernel config to include it and install the tools. On Debian support is built in, so you need only install the tools. On Arch, you need to recompile the kernel. This sounds bad, but it's significantly easier than compiling the whole system like Gentoo, and Arch's ABS/makepkg makes the actual effort involved trivial. I grab linux-grsec from ABS, edit the PKGBUILD to execute make menuconfig (which is already in the PKGBUILD; you just need to uncomment that line), then run makepkg -s. When menuconfig comes up, --> Security --> enable AppArmor (which also enables audit), then save. Once compiled, you pacman -U the compiled package. This only needs to be done once every 2-4 weeks.

    This new change to the kernel is minimal. It's sort of like if you had a 20 foot hole in the Hoover Dam and then decided to mount a 1 foot block on the side of the hole: sure, it limits water more than the 20 foot hole alone, but it is still a 19 foot hole that leaks. Grsecurity attempts and gets close to plugging the hole, AND it provides a reservoir to prevent the water from doing damage (RBAC). AppArmor and SELinux can also serve as that reservoir. MAC independent of the kernel is here to stay...
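The Arch build step above hinges on one menuconfig change (enable AppArmor, which pulls in audit). This added shell check, not from the thread or any distro's tooling, verifies that a kernel .config actually carries those options before you spend the build time, using constructed sample configs. It assumes the 4.x-era option names, including CONFIG_DEFAULT_SECURITY_APPARMOR, which later kernels replaced with CONFIG_LSM ordering.

```shell
#!/bin/sh
# Verify that a kernel .config has AppArmor and its audit dependency built in.
# Option names assumed for 4.x kernels (CONFIG_DEFAULT_SECURITY_APPARMOR
# selects AppArmor as the boot-time default LSM on that generation).

# Prints each required option that is not "=y" in the config file.
# Returns 0 when all are present, 1 when any is missing.
check_apparmor_config() {
    cfg="$1"
    missing=0
    for opt in CONFIG_SECURITY CONFIG_SECURITY_APPARMOR CONFIG_AUDIT \
               CONFIG_DEFAULT_SECURITY_APPARMOR; do
        # -x: whole-line match, so CONFIG_SECURITY=y does not match
        # CONFIG_SECURITY_APPARMOR=y or the "# ... is not set" form.
        if ! grep -qx "${opt}=y" "$cfg"; then
            echo "missing: $opt"
            missing=1
        fi
    done
    return $missing
}

# Constructed sample configs (not real PKGBUILD output): one saved after the
# menuconfig step described above, one stock config where it was skipped.
good_cfg=$(mktemp)
bad_cfg=$(mktemp)
cat > "$good_cfg" <<'EOF'
CONFIG_SECURITY=y
CONFIG_AUDIT=y
CONFIG_SECURITY_APPARMOR=y
CONFIG_DEFAULT_SECURITY_APPARMOR=y
CONFIG_DEFAULT_SECURITY="apparmor"
EOF
cat > "$bad_cfg" <<'EOF'
CONFIG_SECURITY=y
# CONFIG_SECURITY_APPARMOR is not set
# CONFIG_AUDIT is not set
CONFIG_DEFAULT_SECURITY_DAC=y
EOF

# Stand-alone run: report on both samples (exit status is the verdict).
check_apparmor_config "$good_cfg" && echo "sample 1: AppArmor+audit enabled"
check_apparmor_config "$bad_cfg"  || echo "sample 2: rebuild needed"
```

After booting the rebuilt kernel, /sys/module/apparmor/parameters/enabled reads Y and aa-status lists loaded profiles; either one confirms the build took.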
     
  16. summerheat

    Perhaps similar considerations were the reason why Subgraph OS comes with AppArmor rather than RBAC although a grsecurity kernel is used.

    I know. I've done it for quite a while but no longer as I think that the security offered by Firejail is sufficient and compiling my own AppArmor-enabled kernel is not really worth the hassle, IMHO.
     
  17. Anonfame1

    Possible. RBAC is great, but there is one aspect of it that idealists don't realize (I think): security that is too much of a pain causes users to rarely use it (as you say below in regards to building a kernel, for example). I think RBAC often falls into this category; it certainly has for me.

    It may well not be. I'm not sure it is for me, but recompiling a kernel every few weeks doesn't really bother me, so I do it anyway. My policy files are set up, I only enforce for 2 applications (Firefox and Deluge), and it doesn't really get in my way.

    I use Firejail too, and you're right, it's prolly all you need, especially with the chroot enhancements afforded by the grsecurity patchset. Maybe I'll get tired of compiling eventually :p

    I've gone to an extreme of security on my system more or less as a proof of concept and to see what's a pain and what's not. My system now is almost not ANY more demanding to maintain than a plain jane Arch install, but I have tons more security. Ultimately I think your point above and mine here are the same: everyone needs to find that line where they feel they need to be, security-wise. We could be talking about /proc and /sys restrictions, TPE, different partitions for different root directories limiting permissions where useful, etc. etc. etc.

    I think most of us here want that solid desktop setup that doesn't require the tediousness of working at Ft. Knox :D
     
  18. accessgranted

    4.6.2-1-ARCH
     
  19. wat0114

    Updated today to 4.6.3-1-ARCH
     
  20. amarildojr

    Is there anyone with an AMD GCN 1.0 card who uses Linux 4.6 or 4.7? Can you tell me if AMDGPU is already enabled by default on those cards?
     