
Use Tor browser on grsecurity-hardened system?

PostPosted: Sun Aug 07, 2016 4:39 pm
by timbgo
I am using genuine (non-paid) grsecurity, unlike the OP of this topic. And I basically ended
up banging my head into the same wall as the OP of that topic.

And it took me time to understand that the solution to using Tor was very likely
somewhere in the direction of:

what itoffshore wrote in that topic:

Run TAILS or WHONIX in KVM with libvirt on Alpine: install XFCE & then connect to the KVM desktop with SPICE.


I chose Tails, because it seems the trail has already been walked by many:

virt-manager
https://tails.boum.org/doc/advanced_top ... ex.en.html

And then I followed this guide:

https://wiki.gentoo.org/wiki/QEMU

This is how it probably works on Gentoo (I'm only partly done). Other distro? Likely
some things will be different, but at the low level it can only be similar.

I needed to add these two:

tail -2 /etc/portage/package.use:
app-emulation/qemu gtk python sdl spice
>=media-libs/mesa-12.0.1 gles2


Now the kernel. Here's the diff between the no-kvm kernel config and the kvm kernel config, the
latter with the "-160807-kvm" string for the local version. It's on the right,
i.e. the lines with the first char '>'.

# diff .config.old .config:
57c57
< CONFIG_LOCALVERSION="-160802"
---
> CONFIG_LOCALVERSION="-160807-kvm"
91a92
> # CONFIG_IRQ_DOMAIN_DEBUG is not set
134a136
> # CONFIG_TREE_RCU_TRACE is not set
220a223
> CONFIG_USER_RETURN_NOTIFIER=y
273a277
> # CONFIG_GCOV_KERNEL is not set
329a334
> CONFIG_PREEMPT_NOTIFIERS=y
357a363
> # CONFIG_IOSF_MBI_DEBUG is not set
442a449
> CONFIG_MEMORY_BALLOON=y
449a457
> CONFIG_MMU_NOTIFIER=y
487a496
> # CONFIG_KEXEC is not set
551a561
> # CONFIG_ACPI_CUSTOM_METHOD is not set
782a793
> CONFIG_BRIDGE_NETFILTER=m
920a932
> # CONFIG_NETFILTER_XT_MATCH_PHYSDEV is not set
1028a1041,1042
> # CONFIG_NF_TABLES_BRIDGE is not set
> # CONFIG_BRIDGE_NF_EBTABLES is not set
1035c1049,1051
< # CONFIG_BRIDGE is not set
---
> CONFIG_STP=y
> CONFIG_BRIDGE=y
> CONFIG_BRIDGE_IGMP_SNOOPING=y
1038a1055
> CONFIG_LLC=y
1157a1175
> # CONFIG_VIRTIO_BLK is not set
1339a1358
> # CONFIG_SCSI_VIRTIO is not set
1421c1440
< # CONFIG_TUN is not set
---
> CONFIG_TUN=y
1423a1443
> # CONFIG_VIRTIO_NET is not set
1429a1450,1453
> CONFIG_VHOST_NET=y
> CONFIG_VHOST_RING=y
> CONFIG_VHOST=y
> # CONFIG_VHOST_CROSS_ENDIAN_LEGACY is not set
1472a1497
> # CONFIG_SKY2_DEBUG is not set
1730a1756
> # CONFIG_DEVKMEM is not set
1749a1776
> # CONFIG_VIRTIO_CONSOLE is not set
1755a1783
> # CONFIG_HW_RANDOM_VIRTIO is not set
1765a1794
> CONFIG_DEVPORT=y
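Review bot: CONFIG_DEVPORT=y shows up here as a new, enabled option. The GRKERNSEC_KMEM help text quoted further down the page says that option is what stopped /dev/port from being opened, and KMEM is switched off in hunk 3938c4005, so from now on this setting alone decides whether raw port I/O is reachable through /dev/port. Unless something on the host really needs it, set it to n; KVM does not depend on it.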
2657a2687
> # CONFIG_DRM_VIRTIO_GPU is not set
3303c3333,3335
< # CONFIG_VIRT_DRIVERS is not set
---
> CONFIG_IRQ_BYPASS_MANAGER=y
> CONFIG_VIRT_DRIVERS=y
> CONFIG_VIRTIO=y
3308c3340,3343
< # CONFIG_VIRTIO_PCI is not set
---
> CONFIG_VIRTIO_PCI=y
> CONFIG_VIRTIO_PCI_LEGACY=y
> CONFIG_VIRTIO_BALLOON=y
> CONFIG_VIRTIO_INPUT=y
3377a3413
> # CONFIG_AMD_IOMMU_STATS is not set
3421a3458
> # CONFIG_AMD_MCE_INJ is not set
3610a3648
> # CONFIG_NFSD_FAULT_INJECTION is not set
3618a3657
> # CONFIG_SUNRPC_DEBUG is not set
3696a3736
> # CONFIG_DYNAMIC_DEBUG is not set
3707a3748,3749
> # CONFIG_PAGE_OWNER is not set
> CONFIG_DEBUG_FS=y
3727a3770
> # CONFIG_DEBUG_KMEMLEAK is not set
3738a3782
> # CONFIG_KCOV is not set
3788a3833
> # CONFIG_NOTIFIER_ERROR_INJECTION is not set
3800a3846,3863
> CONFIG_TRACING_SUPPORT=y
> CONFIG_FTRACE=y
> # CONFIG_FUNCTION_TRACER is not set
> # CONFIG_IRQSOFF_TRACER is not set
> # CONFIG_PREEMPT_TRACER is not set
> # CONFIG_SCHED_TRACER is not set
> # CONFIG_ENABLE_DEFAULT_TRACERS is not set
> # CONFIG_FTRACE_SYSCALLS is not set
> # CONFIG_TRACER_SNAPSHOT is not set
> CONFIG_BRANCH_PROFILE_NONE=y
> # CONFIG_PROFILE_ANNOTATED_BRANCHES is not set
> # CONFIG_PROFILE_ALL_BRANCHES is not set
> # CONFIG_STACK_TRACER is not set
> # CONFIG_BLK_DEV_IO_TRACE is not set
> # CONFIG_UPROBE_EVENT is not set
> # CONFIG_PROBE_EVENTS is not set
> # CONFIG_MMIOTRACE is not set
> # CONFIG_TRACEPOINT_BENCHMARK is not set
3804a3868
> # CONFIG_LKDTM is not set
3838a3903
> # CONFIG_X86_PTDUMP is not set
3855a3921
> # CONFIG_DEBUG_BOOT_PARAMS is not set
3860a3927
> # CONFIG_PUNIT_ATOM_DEBUG is not set
3926c3993
< CONFIG_PAX_MEMORY_UDEREF=y
---
> # CONFIG_PAX_MEMORY_UDEREF is not set
3938c4005
< CONFIG_GRKERNSEC_KMEM=y
---
> # CONFIG_GRKERNSEC_KMEM is not set
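Review bot: hunks 3926c3993 and 3938c4005 are where the hardening is actually lost, and the text below only explains the first: PAX_MEMORY_UDEREF is the one whose help text names virtualization, while GRKERNSEC_KMEM's help text (also quoted below) says it removed kexec, /dev/port, writes to /dev/cpu/*/msr and debugfs. The visible effects elsewhere in this diff are that "# CONFIG_KEXEC is not set" and "# CONFIG_DEVKMEM is not set" stay closed, but "CONFIG_DEBUG_FS=y" and "CONFIG_DEVPORT=y" come back. Since the post later ties KMEM's removal to the guide's Debug Filesystem step, it is worth confirming that debugfs is really needed at run time before giving up KMEM.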
4229c4296,4313
< # CONFIG_VIRTUALIZATION is not set
---
> CONFIG_HAVE_KVM_IRQCHIP=y
> CONFIG_HAVE_KVM_IRQFD=y
> CONFIG_HAVE_KVM_IRQ_ROUTING=y
> CONFIG_HAVE_KVM_EVENTFD=y
> CONFIG_KVM_APIC_ARCHITECTURE=y
> CONFIG_KVM_MMIO=y
> CONFIG_KVM_ASYNC_PF=y
> CONFIG_HAVE_KVM_MSI=y
> CONFIG_HAVE_KVM_CPU_RELAX_INTERCEPT=y
> CONFIG_KVM_VFIO=y
> CONFIG_KVM_GENERIC_DIRTYLOG_READ_PROTECT=y
> CONFIG_KVM_COMPAT=y
> CONFIG_HAVE_KVM_IRQ_BYPASS=y
> CONFIG_VIRTUALIZATION=y
> CONFIG_KVM=y
> # CONFIG_KVM_INTEL is not set
> CONFIG_KVM_AMD=y
> # CONFIG_KVM_DEVICE_ASSIGNMENT is not set


That's a lot of changes. I thought I'd post this, because there are changes to the config which are difficult to make for a newbie in kernel compiling.

Here's why. If you grep out only the old kernel from above (on the left):

# diff .config.old .config | grep '< ':
< CONFIG_LOCALVERSION="-160802"
< # CONFIG_BRIDGE is not set
< # CONFIG_TUN is not set
< # CONFIG_VIRT_DRIVERS is not set
< # CONFIG_VIRTIO_PCI is not set
< CONFIG_PAX_MEMORY_UDEREF=y
< CONFIG_GRKERNSEC_KMEM=y
< # CONFIG_VIRTUALIZATION is not set

you can see that I had to relinquish having "CONFIG_PAX_MEMORY_UDEREF" and "CONFIG_GRKERNSEC_KMEM" in the new, kvm enabled kernel.

When some of those are enabled, the KVM options (in the guide that I already said I followed: https://wiki.gentoo.org/wiki/QEMU ) are just not available in the config.

Here's what they now look like:

 .config - Linux/x86 4.6.5-hardened-r1 Kernel Configuration
 [...] rity → Customize Configuration → PaX → Miscellaneous hardening features
  ┌─────────────────── Miscellaneous hardening features ────────────────────┐
  │  Arrow keys navigate the menu.  <Enter> selects submenus ---> (or empty │ 
  │  submenus ----).  Highlighted letters are hotkeys.  Pressing <Y>        │ 
  │  includes, <N> excludes, <M> modularizes features.  Press <Esc><Esc> to │ 
  │  exit, <?> for Help, </> for Search.  Legend: [*] built-in  [ ]         │ 
  │ ┌─────────────────────────────────────────────────────────────────────┐ │ 
  │ │    [*] Sanitize all freed memory                                    │ │ 
  │ │    [*] Sanitize kernel stack                                        │ │ 
  │ │    [*] Forcibly initialize local variables copied to userland       │ │ 
  │ │    [ ] Prevent invalid userland pointer dereference                 │ │ 
  │ │    [*] Prevent various kernel object reference counter overflows   


where the help reads:

 .config - Linux/x86 4.6.5-hardened-r1 Kernel Configuration
 [...] ptions → Grsecurity → Customize Configuration → PaX → Miscellaneous hardening features
  ┌───────────────────── Prevent invalid userland pointer dereference ─────────────────────┐
  │ CONFIG_PAX_MEMORY_UDEREF:                                                              │ 
  │                                                                                        │ 
  │ By saying Y here the kernel will be prevented from dereferencing                       │ 
  │ userland pointers in contexts where the kernel expects only kernel                     │ 
  │ pointers.  This is both a useful runtime debugging feature and a                       │ 
  │ security measure that prevents exploiting a class of kernel bugs.                      │ 
  │                                                                                        │ 
  │ The tradeoff is that some virtualization solutions may experience                      │ 
  │ a huge slowdown and therefore you should not enable this feature                       │ 
  │ for kernels meant to run in such environments.  Whether a given VM                     │ 
  │ solution is affected or not is best determined by simply trying it                     │ 
  │ out, the performance impact will be obvious right on boot as this                      │ 
  │ mechanism engages from very early on.  A good rule of thumb is that                    │ 
  │ VMs running on CPUs without hardware virtualization support (i.e.,                     │ 
  │ the majority of IA-32 CPUs) will likely experience the slowdown.                       │ 
  │                                                                                        │ 
  │ On X86_64 the kernel will make use of PCID support when available                      │ 
  │ (Intel's Westmere, Sandy Bridge, etc) for better security (default)                    │ 
  │ or performance impact.  Pass pax_weakuderef on the kernel command                      │ 
  │ line to choose the latter.                                                             │ 
  │                                                                                        │ 
  │ Symbol: PAX_MEMORY_UDEREF [=n]                                                         │ 
  │ Type  : boolean                                                                        │ 
  │ Prompt: Prevent invalid userland pointer dereference                                   │ 
  │   Location:                                                                            │ 
  │     -> Security options                                                                │ 
  │       -> Grsecurity                                                                    │ 
  │         -> Grsecurity (GRKERNSEC [=y])                                                 │ 
  │           -> Customize Configuration                                                   │ 
  │             -> PaX                                                                     │ 
  │               -> Miscellaneous hardening features                                      │ 
  │   Defined at security/Kconfig:857                                                      │ 
  │   Depends on: GRKERNSEC [=y] && (X86 [=y] || ARM && (CPU_V6 || \                       │ 
  │ CPU_V6K || CPU_V7) && !ARM_LPAE) && !UML_X86 && !XEN [=n]                              │ 
  │   Selects: PAX_PER_CPU_PGD [=y]                                                        │ 
  │


It mentions "virtualization solutions", the context not being completely explanatory as to why these:

> CONFIG_KVM=y
> # CONFIG_KVM_INTEL is not set
> CONFIG_KVM_AMD=y

were unavailable until I disabled the "PAX_MEMORY_UDEREF", IIRC.

And:

 .config - Linux/x86 4.6.5-hardened-r1 Kernel Configuration
 [...] ity options → Grsecurity → Customize Configuration → Memory Protections
  ┌────────────────────────── Memory Protections ───────────────────────────┐
  │  Arrow keys navigate the menu.  <Enter> selects submenus ---> (or empty │ 
  │  submenus ----).  Highlighted letters are hotkeys.  Pressing <Y>        │ 
  │  includes, <N> excludes, <M> modularizes features.  Press <Esc><Esc> to │ 
  │  exit, <?> for Help, </> for Search.  Legend: [*] built-in  [ ]         │ 
  │ ┌─────────────────────────────────────────────────────────────────────┐ │ 
  │ │    [ ] Deny reading/writing to /dev/kmem, /dev/mem, and /dev/port   │ │ 
  │ │    [ ] Disable privileged I/O                                       │ │ 


where the help reads:

 .config - Linux/x86 4.6.5-hardened-r1 Kernel Configuration
 → Security options → Grsecurity → Customize Configuration → Memory Protections ────────────────
  ┌─────────────── Deny reading/writing to /dev/kmem, /dev/mem, and /dev/port ───────────────┐
  │ CONFIG_GRKERNSEC_KMEM:                                                                   │ 
  │                                                                                          │ 
  │ If you say Y here, /dev/kmem and /dev/mem won't be allowed to                            │ 
  │ be written to or read from to modify or leak the contents of the running                 │ 
  │ kernel.  /dev/port will also not be allowed to be opened, writing to                     │ 
  │ /dev/cpu/*/msr will be prevented, and support for kexec will be removed.                 │ 
  │ If you have module support disabled, enabling this will close up several                 │ 
  │ ways that are currently used to insert malicious code into the running                   │ 
  │ kernel.                                                                                  │ 
  │                                                                                          │ 
  │ Even with this feature enabled, we still highly recommend that                           │ 
  │ you use the RBAC system, as it is still possible for an attacker to                      │ 
  │ modify the running kernel through other more obscure methods.                            │ 
  │                                                                                          │ 
  │ Enabling this feature will prevent the "cpupower" and "powertop" tools                   │ 
  │ from working and excludes debugfs from being compiled into the kernel.                   │ 
  │                                                                                          │ 
  │ It is highly recommended that you say Y here if you meet all the                         │ 
  │ conditions above.                                                                        │ 
  │                                                                                          │ 
  │ Symbol: GRKERNSEC_KMEM [=n]                                                              │ 
  │ Type  : boolean                                                                          │ 
  │ Prompt: Deny reading/writing to /dev/kmem, /dev/mem, and /dev/port                       │ 
  │   Location:                                                                              │ 
  │     -> Security options                                                                  │ 
  │       -> Grsecurity                                                                      │ 
  │         -> Grsecurity (GRKERNSEC [=y])                                                   │ 
  │           -> Customize Configuration                                                     │ 
  │             -> Memory Protections                                                        │ 
  │   Defined at grsecurity/Kconfig:7                                                        │ 
  │   Depends on: GRKERNSEC [=y]                                                             │ 
  │   Selects: STRICT_DEVMEM [=y]                                                            │ 
  │                                                                                          │ 


...and I can't remember now exactly which of the newly set features simply wasn't there for as long as "GRKERNSEC_KMEM" was enabled... But I think it was this one; allow me to paste it as it is in that guide on the Gentoo Wiki that I followed:
KERNEL Enabling Linux file capabilities support

Kernel hacking  --->
    Compile-time checks and compiler options  --->
        [*] Debug Filesystem



And I compiled the kernel, and installed it. It's a change deep inside the code; virtualization is not a minor change, and it takes something like a complete recompile, as with a brand new kernel compilation.

And reboot into the new kernel, since only now

(the Gentoo wiki needs to be corrected where it reads:

If KVM support is available there should be a "kvm" device listed at /dev/kvm

but it is only the case after you boot into the kvm-enabled kernel. I wrote that in the Talk:

https://wiki.gentoo.org/wiki/Talk:QEMU )...

So I rebooted into the new kernel, and only now it has the kvm device:

# ls -l /dev/kvm
crw------- 1 root root 10, 232 2016-08-07 21:23 /dev/kvm
#


And now I can more safely proceed to installing Qemu:

# emerge -tuDN qemu

These are the packages that would be merged, in reverse order:

Calculating dependencies   ... done!                                 
[ebuild  N     ] app-emulation/qemu-2.6.0::gentoo  USE="aio alsa bzip2 caps curl fdt filecaps gnutls gtk jpeg ncurses nls opengl pin-upstream-blobs png python sasl sdl seccomp spice threads uuid vhost-net vnc xattr -accessibility -bluetooth -debug -glusterfs -gtk2 -infiniband -iscsi -lzo -nfs -numa -pulseaudio -rbd -sdl2 (-selinux) -smartcard -snappy -ssh -static -static-softmmu -static-user -systemtap -tci {-test} -usb -usbredir -vde -virgl -virtfs -vte -xen -xfs" LINGUAS="-de_DE -fr_FR -hu -it -tr -zh_CN" PYTHON_TARGETS="python2_7" QEMU_SOFTMMU_TARGETS="x86_64 -aarch64 -alpha -arm -cris -i386 -lm32 -m68k -microblaze -microblazeel -mips -mips64 -mips64el -mipsel -moxie -or32 -ppc -ppc64 -ppcemb -s390x -sh4 -sh4eb -sparc -sparc64 -tricore -unicore32 -xtensa -xtensaeb" QEMU_USER_TARGETS="-aarch64 -alpha -arm -armeb -cris -i386 -m68k -microblaze -microblazeel -mips -mips64 -mips64el -mipsel -mipsn32 -mipsn32el -or32 -ppc -ppc64 -ppc64abi32 -ppc64le -s390x -sh4 -sh4eb -sparc -sparc32plus -sparc64 -tilegx -unicore32 -x86_64" 0 KiB
[ebuild  N     ]  media-libs/libepoxy-1.3.1::gentoo  USE="{-test}" ABI_X86="(64) -32 (-x32)" 0 KiB
[ebuild   R    ]   media-libs/mesa-12.0.1::gentoo  USE="classic dri3 egl gallium gbm gles2* llvm nptl pax_kernel pic -bindist -d3d9 -debug -gles1 -opencl -openmax -osmesa (-selinux) -udev -vaapi -valgrind -vdpau -wayland -xa -xvmc" ABI_X86="(64) -32 (-x32)" VIDEO_CARDS="nouveau radeon (-freedreno) -i915 -i965 -ilo -intel -r100 -r200 -r300 -r600 -radeonsi (-vc4) -vmware" 0 KiB
[ebuild  N     ]  app-emulation/spice-0.13.1-r2::gentoo  USE="sasl -libressl -lz4 -smartcard -static-libs" 0 KiB
[ebuild  N     ]   dev-python/pyparsing-2.1.5::gentoo  USE="-doc -examples" PYTHON_TARGETS="python2_7 python3_4 -pypy -pypy3 -python3_3 -python3_5" 0 KiB
[ebuild  N     ]  sys-firmware/ipxe-1.0.0_p20160620::gentoo  USE="ipv6 qemu -efi -iso -lkrn -savedconfig -undi -usb -vmware" 0 KiB
[ebuild  N     ]  sys-apps/dtc-1.4.1-r1::gentoo  USE="-static-libs" 0 KiB
[nomerge       ] app-emulation/spice-0.13.1-r2::gentoo  USE="sasl -libressl -lz4 -smartcard -static-libs"
[ebuild  N     ]  media-libs/celt-0.5.1.3:0.5.1::gentoo  USE="ogg -static-libs" 0 KiB
[nomerge       ] app-emulation/qemu-2.6.0::gentoo  USE="aio alsa bzip2 caps curl fdt filecaps gnutls gtk jpeg ncurses nls opengl pin-upstream-blobs png python sasl sdl seccomp spice threads uuid vhost-net vnc xattr -accessibility -bluetooth -debug -glusterfs -gtk2 -infiniband -iscsi -lzo -nfs -numa -pulseaudio -rbd -sdl2 (-selinux) -smartcard -snappy -ssh -static -static-softmmu -static-user -systemtap -tci {-test} -usb -usbredir -vde -virgl -virtfs -vte -xen -xfs" LINGUAS="-de_DE -fr_FR -hu -it -tr -zh_CN" PYTHON_TARGETS="python2_7" QEMU_SOFTMMU_TARGETS="x86_64 -aarch64 -alpha -arm -cris -i386 -lm32 -m68k -microblaze -microblazeel -mips -mips64 -mips64el -mipsel -moxie -or32 -ppc -ppc64 -ppcemb -s390x -sh4 -sh4eb -sparc -sparc64 -tricore -unicore32 -xtensa -xtensaeb" QEMU_USER_TARGETS="-aarch64 -alpha -arm -armeb -cris -i386 -m68k -microblaze -microblazeel -mips -mips64 -mips64el -mipsel -mipsn32 -mipsn32el -or32 -ppc -ppc64 -ppc64abi32 -ppc64le -s390x -sh4 -sh4eb -sparc -sparc32plus -sparc64 -tilegx -unicore32 -x86_64"
[ebuild  N     ]  sys-firmware/vgabios-0.7a-r1::gentoo  USE="-binary -debug" 0 KiB
[ebuild  N     ]   sys-devel/dev86-0.16.21-r2::gentoo  0 KiB
[ebuild  N     ]    sys-devel/bin86-0.16.21::gentoo  0 KiB
[ebuild  N     ]  sys-firmware/sgabios-0.1_pre8::gentoo  0 KiB
[ebuild  N     ]  sys-firmware/seabios-1.8.2::gentoo  USE="binary seavgabios -debug" 0 KiB
[ebuild  N     ]  app-emulation/spice-protocol-0.12.11::gentoo  0 KiB

Total: 14 packages (13 new, 1 reinstall), Size of downloads: 0 KiB

Would you like to merge these packages? [Yes/No]


And I installed these packages fine.

Now comes the learning, which is a slow process here. I need Tor, and I'm all
at it at this time.

And I also thought an occasional newbie might find this beginning of a journey
to start using Tor, in a heavily grsec-hardened system, useful, even this beginning part... And so I'm posting it.

---
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Try refute: rootkit hooks in kernel,
linux capabilities for intrusion? (Linus?)
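The config checks the post does by hand (grep the diff, look for the KVM options, notice which grsec options went away) as one script. This is an added example, not code from the post, the Gentoo wiki or grsecurity; the list of symbols it checks is my choice, taken from the diff above, and the sample .config it writes is constructed from the post-change values in that diff.

```shell
#!/bin/sh
# Added example (not from the original post): audit a kernel .config for the KVM
# options the post turned on and the grsecurity/PaX hardening it had to turn off.

# Value of a CONFIG_ symbol as y, m or n (n also covers "is not set" and absent).
cfg_val() {   # $1 = .config path, $2 = symbol name without the CONFIG_ prefix
    v=$(sed -n "s/^CONFIG_$2=//p" "$1" | tail -n 1)
    case "$v" in
        y|m) printf '%s\n' "$v" ;;
        *)   printf 'n\n' ;;
    esac
}

# Print findings; return 0 when the KVM host options are all present, 1 if not.
audit_kvm_config() {   # $1 = .config path
    f=$1 ok=0
    for sym in VIRTUALIZATION KVM TUN VIRTIO VIRTIO_PCI; do
        [ "$(cfg_val "$f" "$sym")" = n ] && { echo "MISSING: CONFIG_$sym"; ok=1; }
    done
    # one vendor backend is required; the post's host is AMD (KVM_AMD=y)
    if [ "$(cfg_val "$f" KVM_INTEL)" = n ] && [ "$(cfg_val "$f" KVM_AMD)" = n ]; then
        echo "MISSING: CONFIG_KVM_INTEL or CONFIG_KVM_AMD"; ok=1
    fi
    # hardening the post had to give up: make the trade-off explicit
    for sym in PAX_MEMORY_UDEREF GRKERNSEC_KMEM; do
        [ "$(cfg_val "$f" "$sym")" = n ] && echo "WEAKENED: CONFIG_$sym is off"
    done
    # surfaces GRKERNSEC_KMEM used to force closed (kmem, port I/O, debugfs, kexec)
    for sym in DEVKMEM DEVPORT DEBUG_FS KEXEC; do
        v=$(cfg_val "$f" "$sym")
        [ "$v" = n ] || echo "EXPOSED: CONFIG_$sym=$v (GRKERNSEC_KMEM used to block this)"
    done
    return "$ok"
}

# Write a constructed .config fragment with the post-change values from the diff.
write_sample_config() {   # $1 = output path
    cat >"$1" <<'EOF'
CONFIG_LOCALVERSION="-160807-kvm"
CONFIG_TUN=y
CONFIG_VIRTUALIZATION=y
CONFIG_KVM=y
# CONFIG_KVM_INTEL is not set
CONFIG_KVM_AMD=y
CONFIG_VIRTIO=y
CONFIG_VIRTIO_PCI=y
# CONFIG_PAX_MEMORY_UDEREF is not set
# CONFIG_GRKERNSEC_KMEM is not set
# CONFIG_DEVKMEM is not set
CONFIG_DEVPORT=y
CONFIG_DEBUG_FS=y
# CONFIG_KEXEC is not set
EOF
}

SAMPLE=$(mktemp) && write_sample_config "$SAMPLE"
audit_kvm_config "$SAMPLE"    # 2 WEAKENED and 2 EXPOSED lines, exit status 0
rm -f "$SAMPLE"
```

Run it against the real file with `audit_kvm_config /usr/src/linux/.config` after sourcing the script; a non-zero exit means the KVM options are still hidden, which on this page meant a grsec option was still blocking them.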