Wednesday, May 14, 2014

Simple Grsecurity RBAC policy with kernel 3.14.1 on Debian 7.4

Speaking of kernel hardening, I personally like AppArmor and I'm sick of SELinux (you know why). pi3's paper in Phrack Issue 67 was the first place I met Grsecurity/PaX. I'll never forget that those 30 seconds would help people build defense in depth ;-) Then I went back to read some Phrack papers from the good old hacking days that I had missed, and learned that they are the original authors of ASLR... and much more. No doubt Grsecurity/PaX is one of the most respected old-school communities. Note: Grsecurity/PaX don't use LSM, since LSM breaks the principle of building security in, which should treat security as a whole. I think it's time to explore...

Download kernel:
https://www.kernel.org/pub/linux/kernel/v3.x/linux-3.14.1.tar.xz

Download grsecurity patch:
https://www.grsecurity.net/test/grsecurity-3.0-3.14.3-201405121814.patch

Patch the kernel with grsecurity:
xz -d linux-3.14.1.tar.xz
tar xvf linux-3.14.1.tar
cd linux-3.14.1/
patch -p1 < ../grsecurity-3.0-3.14.3-201405121814.patch

You can use my kernel config:
https://raw.githubusercontent.com/citypw/citypw-SCFE/master/security/apparmor_test/debian-7.4-linux-3.14.1-grsec.config

Or make your own config via "make menuconfig". Then compile the kernel:
make -j3 deb-pkg

This builds the kernel as deb packages. All you need to do is install them:
dpkg -i ../*.deb

Now, the kernel part is done. Download gradm (the RBAC administration utility):
https://www.grsecurity.net/stable/gradm-3.0-201401291757.tar.gz

tar zxvf gradm-3.0-201401291757.tar.gz
cd gradm/
make && make install

Reboot the machine:
shutdown -r now

Now, you need to set a bunch of annoying passwords:
root@d6-test:/etc/grsec# gradm -P
Setting up grsecurity RBAC password
Password:
Re-enter Password:
Password written to /etc/grsec/pw.
root@d6-test:/etc/grsec#
root@d6-test:/etc/grsec# gradm -P admin
Setting up password for role admin
Password:
Re-enter Password:
Password written to /etc/grsec/pw.
root@d6-test:/etc/grsec#
root@d6-test:/etc/grsec# gradm -P shutdown
Setting up password for role shutdown
Password:
Re-enter Password:
Password written to /etc/grsec/pw.

Append this:
https://raw.githubusercontent.com/citypw/citypw-SCFE/master/security/apparmor_test/grsec_conf.a.out

to the tail of /etc/grsec/policy

In the above policy I created the role shawn as a user role, with some default policies, such as /bin being executable only. Then I gave the binary /home/shawn/grsec_test/a.out read permission on /home/shawn/hello and write permission on /home/shawn/world, and running another shell from it is not allowed. You can use my code to test the policy:

https://raw.githubusercontent.com/citypw/citypw-SCFE/master/security/apparmor_test/apparmor_test.c
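A policy that matches that description, written here as an added example in gradm syntax (it is not the file linked above; the user name, the paths, and the loader/library objects that let a dynamically linked a.out start are assumptions):

```text
# Added example, not the file linked above: gradm policy fragment for the
# user role described in the post. Assumes a Unix user "shawn" exists and
# that the paths match. Appended to the tail of /etc/grsec/policy.

role shawn u
# Default subject for every process shawn runs: hide the filesystem root,
# execute only from /bin and /usr/bin, full access to the home directory.
subject / {
	/				h
	/bin				x
	/usr/bin			x
	/lib				rx
	/lib64				rx
	/usr/lib			rx
	/etc				r
	/home/shawn			rwxcd
	/dev/null			rw
	/dev/tty?			rw
	/dev/pts			rw
	/proc/self			r
	-CAP_ALL
	bind	disabled
	connect	disabled
}

# Tighter subject for the test binary; "o" means it does not inherit the
# objects of the default subject above. Only the dynamic loader and
# libraries are visible besides the two test files.
subject /home/shawn/grsec_test/a.out o {
	/				h
	/lib				rx
	/lib64				rx
	/usr/lib			rx
	/etc/ld.so.cache		r
	/home/shawn/hello		r
	# write only; add "c" if the file may not exist yet
	/home/shawn/world		w
	# hidden: execve("/bin/sh") from a.out fails with ENOENT and is logged
	/bin				h
	/usr/bin			h
	-CAP_ALL
	bind	disabled
	connect	disabled
}
```

Run gradm -C to check the policy for errors before enabling it with gradm -E; denials show up in the kernel log, which is the place to look when a.out does not behave as expected.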

btw: I tested the PoC of CVE-2014-0196 on kernel 3.13 and it crashed the kernel. I tested it on kernel 3.14.1 with Grsecurity and it doesn't work, even though 3.14.1 should be affected by this issue... ah, I think Grsecurity works in some "mysterious" ways to prevent this PoC. I'll dig deeper into this amazing hardening implementation.

Further readings:
[1] Grsecurity wiki
http://en.wikibooks.org/wiki/Grsecurity

[2] Documentation for the PaX project
https://pax.grsecurity.net/docs/

[3] Grsecurity Blog
https://forums.grsecurity.net/viewforum.php?f=7