ID: 210PHID: PHID-TASK-xuufugvactrf5zh2fvu5Author: JohnStatus at Migration Time: invalidPriority at Migration Time: Wishlist
Currently, whonixcheck and sdwdate don’t work with a kernel patched with grsecurity. This is because of two problems:
/usr/bin/python2.7 is not labelled with user.pax.flags=‘E’
cffi tries to create rwx pages
The first is easy to fix, just setfattr -n user.pax.flags -v E /usr/bin/python2.7
The second requires a patch¹. Given that Whonix uses Debian stable, I’m guessing that it will take a Very Long Time Indeed until a working release ends up in Whonix without preemptive action.
¹ https://bitbucket.org/cffi/cffi/issue/177/foo-segfaults-with-grsec-denied-rwx-mmap
2015-03-03 15:20:09 UTC
We don’t have the manpower to ship a custom patched kernel at this time.
Isn’t this a patch that should be suggested to the grsecurity developers?
Please share how you got grsecurity working in Whonix in a separate ticket or T203.
2015-03-04 08:32:18 UTC
! In T210#2722, @Patrick wrote:
Isn’t this a patch that should be suggested to the grsecurity developers?
Please share how you got grsecurity working in Whonix in a separate ticket or T203.
I didn’t mean to imply that you should ship a custom kernel, only that it would be nice if you set the appropriate xattrs and ideally patched your copy of cffi.
The patch shouldn’t be suggested to grsecurity developers, since it’s a patch to cffi. The penultimate comment in the linked thread explains what it does.
As for how I got grsecurity working in Whonix, I simply copied over a kernel (hardened-sources) from a Gentoo install.
2015-03-04 16:22:40 UTC
! In T210#2748, @John wrote:
Isn’t this something that should be rather suggested and implemented to Debian’s python package or python upstream?
and ideally patched your copy of cffi.
I see. cffi merged the patch. I don’t think we have the manpower to maintain patched versions of packages in Whonix’s repository. So it will likely indeed take a long time until Debian stretch.
2015-03-23 02:21:10 UTC
I see. cffi merged the patch. I don’t think we have the manpower to maintain patched versions of packages in Whonix’s repository. So it will likely indeed take a long time until Debian stretch.
Just fyi, the problem isn’t cffi, but a much earlier change in libffi (included in 3.1).
I hadn’t quite realized just how antiquated debian stable was, and so had assumed it must be the later cffi problem. I tried installing libffi from debian testing, but that pulled in glibc from testing, which triggered what seemed like a complete removal of whonix packages. I had no idea how to specify dependency preferences in apt as would be specified by USE flags in portage, so I gave up.
wrt taking this issue to debian, considering the manpower of debian and its nonchalance toward rwx pages thus far, I think that doing so would be painful to say the least.
It’s probably easier to just inspect and copy whonix config over to Gentoo and use that until libffi 3.1 reaches debian stable.
2015-05-20 13:16:36 UTC
2015-05-21 21:24:35 UTC
! In T210#4702, @HulaHoop wrote:
Primarily because granting rwx pages isn’t the only problem. Without patching ffi tries to create and then execute writable files(!). The patch makes ffi see that it’s on a kernel that enforces basic security/sanity, and if it is, elect not to do so.
Also, ELF header marking has been deprecated for over a year, so I don’t build my kernels with support for it.* This is a good thing, because altering the hash of installed files removes any “outsourced” trust afforded by using upstream binaries.
* Running a secure system on hardened Gentoo profiles is piss easy. I hadn’t quite (read: at all) appreciated that fact until I tried to use Whonix/debian.
2015-05-22 02:15:49 UTC
2015-05-22 02:52:38 UTC
! In T210#4790, @HulaHoop wrote:
Yes I implied there is a temporary security tradeoff because python won’t be fully protected but I still think the problem is not a blocker for grsecurity support because exceptions can still make cffi work. Interpreters like python and java need PaX exceptions to work.
2015-05-22 05:28:02 UTC
2015-05-22 05:56:30 UTC
! In T210#4792, @HulaHoop wrote:
grsec manual:
kernel.grsecurity.tpe_invertdisabled for. This
You’ll also have to disable GRKERNSEC_TPE_ALL, since TPE then blocks any executable file that’s world-writable regardless of tpe_gid’s value (which /tmp usually is). I suggest having a seriously strict MAC/RBAC policy before considering turning it off though (on your own machines: I agree with your implication that debian users are fscked already ;))
2017-04-29 16:20:49 UTC