Alpine Linux forums - PaX & grsecurity

Future of GRSecurity in Alpine?

dnx — Thu, 18 May 2017 04:46:24 +0000

Forums:

With the end of public grsecurity patches (https://grsecurity.net/passing_the_baton_faq.php) what is the future looking like for grsec/pax in Alpine? I had a search but couldn't find anything definite - some mention of a fork maybe? Is Alpine's grsec implementation already a fork?

I'd love to know more about this, any helpful link or info greatly appreciated.

Thanks.

Unprivileged LXC and grsecurity kernel

fludardes — Sat, 04 Mar 2017 08:57:36 +0000

Forums:

PaX & grsecurity

Hello. Excuse me, please, but it seems that there is some kind of incompatibility between grsec kernel variants and the use of unprivileged LXC containers... Or maybe I do something wrong.

I try to create such container with command

# lxc-create -B btrfs -f /etc/lxc/default.conf -n alpine_1 -t download -- -d alpine -r 3.4 -a i386

/etc/lxc/default.conf I have created and changed to something like:

# Alpine fix from /etc/lxc/lxc.conf
lxc.cgroup.use = @kernel
...
# Mapping
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536

The root user has a subuid and subgid range.
But I receive an error:

newuidmap: Target process 2106 is owned by a different user: uid:0 pw_uid:0 st_uid:0, gid:0 pw_gid:0 st_gid:30
error mapping child
setgid: Invalid argument
lxc-create: lxccontainer.c: create_run_template: 1290 container creation template for ... failed
lxc-create: tools/lxc_create.c: main: 318 Error creating container

Maybe, this github issue is related to the problem...
It works with vanilla kernel on Alpine Linux, also it works on Arch Linux with grsec kernel from their repo (their version is built without GRKERNSEC_SYSFS_RESTRICT)
I just hope - is there some workaround without kernel rebuild? Sorry.

Alpine Linux v3.5, kernel: 4.4.52-0-virtgrsec
Thanks.

[SOLVED] i3status doesn't work because of sysfs restrictions

imv — Sat, 03 Sep 2016 06:18:14 +0000

Forums:

PaX & grsecurity

Some modules in i3status config (battery, cpu_temperature) want to access files in /sys/. However, due to GRKERNSEC_SYSFS_RESTRICT they can't do that.
Is there a way to make i3status work without ditching linux-grsec for linux-vanilla, or setting SUID bit for i3status, or recompiling the kernel?

grsec administration on Alpine

commandline.be — Sat, 30 Jan 2016 16:46:23 +0000

Forums:

PaX & grsecurity

While i've managed to patch a debian system with grsec+pax and get it to work well i'm lost with Alpine.

dmesg shows frequent notifications such as

grsec: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 /usr/.....

I've searched the wiki but could not find much, please provide a resource or other to continue.

Running strace

smebberson — Tue, 01 Dec 2015 03:26:35 +0000

Forums:

PaX & grsecurity

I've been having a few problems with a tool I use Consul, receiving a bunch of signals which I don't think it should be. I tried to use strace to debug this and listen in on the signals it is actually receiving but I haven't been able to.

I keep getting the following error from my strace command:

strace: test_ptrace_setoptions_for_all: PTRACE_TRACEME doesn't work: Permission denied
strace: test_ptrace_setoptions_for_all: unexpected exit status 1

I tried to add the following into /etc/sysctl.d/01-alpine.conf, but it hasn't changed anything:

kernel.grsecurity.harden_ptrace = 0
kernel.grsecurity.ptrace_readexec = 0

Is there anything else I can do to get strace running on Alpine Linux?

grsec-Patches only for sponsors

Lemming — Thu, 27 Aug 2015 07:44:54 +0000

Forums:

PaX & grsecurity

Hi,

I was introduced to alpine last weekend by a friend. Now grsecurity announced, that patches will be available only to sponsors.
Will this in any way affect this project?

Lemming

Hardened Kernel Goals

systmkor — Sun, 02 Nov 2014 19:55:44 +0000

Forums:

PaX & grsecurity

I have been doing some custom kernel compilation base on the default Alpine kernel. I added a decent amount of extra security mechanisms for the kernel such as chroot hardening and trusted path of execution (TPE). How locked down should the default kernel be for Alpine Linux? Should we have an extra version of Alpine the "paranoid" version? What are the core goals of Alpine and how do they affect the choices made for PaX & grsecurity?