Virtualbox modules don't build against grsec (not old/new)

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Virtualbox modules don't build against grsec (not old/new)

Postby nonetwork » Thu Aug 09, 2012 8:54 am

I tried 3.5 grsec, and 3.1.8 grsec kernels:

Code: Select all
dpkg -i virtualbox-dkms_4.1.18-dfsg-1_all.deb virtualbox-ose-dkms_4.1.18-dfsg-1_all.deb
(Reading database ... 322936 files and directories currently installed.)
Preparing to replace virtualbox-dkms 4.1.18-dfsg-1 (using virtualbox-dkms_4.1.18-dfsg-1_all.deb) ...

------------------------------
Deleting module version: 4.1.18
completely from the DKMS tree.
------------------------------
Done.
Unpacking replacement virtualbox-dkms ...
Preparing to replace virtualbox-ose-dkms 4.1.18-dfsg-1 (using virtualbox-ose-dkms_4.1.18-dfsg-1_all.deb) ...
Unpacking replacement virtualbox-ose-dkms ...
Setting up virtualbox-dkms (4.1.18-dfsg-1) ...
Loading new virtualbox-4.1.18 DKMS files...
Building only for 3.1.8-grsec
Building initial module for 3.1.8-grsec
Error! Bad return status for module build on kernel: 3.1.8-grsec (x86_64)
Consult /var/lib/dkms/virtualbox/4.1.18/build/make.log for more information.
Setting up virtualbox-ose-dkms (4.1.18-dfsg-1) ...


Code: Select all
cat /var/lib/dkms/virtualbox/4.1.18/build/make.log
DKMS make.log for virtualbox-4.1.18 for kernel 3.1.8-grsec (x86_64)
Thu Aug  9 08:45:40 EDT 2012
make: Entering directory `/usr/src/linux-3.1.8'
  LD      /var/lib/dkms/virtualbox/4.1.18/build/built-in.o
  LD      /var/lib/dkms/virtualbox/4.1.18/build/vboxdrv/built-in.o
  CC [M]  /var/lib/dkms/virtualbox/4.1.18/build/vboxdrv/linux/SUPDrv-linux.o
cc1: error: incompatible gcc/plugin versions
cc1: error: fail to initialize plugin /usr/src/linux-3.1.8/tools/gcc/constify_plugin.so
cc1: error: incompatible gcc/plugin versions
cc1: error: fail to initialize plugin /usr/src/linux-3.1.8/tools/gcc/stackleak_plugin.so
make[2]: *** [/var/lib/dkms/virtualbox/4.1.18/build/vboxdrv/linux/SUPDrv-linux.o] Error 1
make[1]: *** [/var/lib/dkms/virtualbox/4.1.18/build/vboxdrv] Error 2
make: *** [_module_/var/lib/dkms/virtualbox/4.1.18/build] Error 2
make: Leaving directory `/usr/src/linux-3.1.8'


I have gcc and g++ symlinked to the 4.6 versions as 4.7 cannot build a grsec kernel.
What else am I doing wrong? I'm trying this as in some time I'll be building a server and want the virtual machines to be running on a locked down grsec.
nonetwork
 
Posts: 8
Joined: Thu Aug 09, 2012 8:01 am

Re: Virtualbox modules don't build against grsec (not old/ne

Postby PaX Team » Thu Aug 09, 2012 5:54 pm

couple of comments here:

1. vbox is not compatible with the more important kernel self-protection features in PaX, so don't have too high hopes for security...
2. gcc 4.7 should be able to build a grsec kernel, so maybe post the details of your troubles here.
3. gcc plugins must be compiled for the same gcc version that'll use them, so make sure there's no mixup there. the kernel build system should get this right so i'm not sure how you ended up with mismatched gcc versions...
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: Virtualbox modules don't build against grsec (not old/ne

Postby nonetwork » Fri Aug 10, 2012 7:44 am

Is there anyway you can make it compatable, trick it?
I need this for a server, without grsec it's worthless to even put up a server.

What pax features need to be disabled in the kernel, or can I do paxctl on the binary?

grsec doesn't compile at all with gcc 4.7. SO I had to symlink gcc and g++ to their 4.6 counterparts. I believe the debian people said that they do not support users using grsecurity patches and they do not suggest that debian users use grsecurity kernels, so they'll likely be no help.
nonetwork
 
Posts: 8
Joined: Thu Aug 09, 2012 8:01 am

Re: Virtualbox modules don't build against grsec (not old/ne

Postby nonetwork » Fri Aug 10, 2012 7:46 am

You allready pointed out the reason 4.7 can't build: because it's moving itself to being built with C++ compilier. You posted this on a mailinglist that it is a policy decision on how to compile 4.7. Debian chose to make sure grsecurity cannot be built. On the debian irc channels they are quite, I'd say very, hostile to grsec and PaX.
nonetwork
 
Posts: 8
Joined: Thu Aug 09, 2012 8:01 am

Re: Virtualbox modules don't build against grsec (not old/ne

Postby PaX Team » Fri Aug 10, 2012 10:32 am

virtualbox has some inherent design issues that i can't really work around (e.g., its homegrown kernel module loader that bypasses that of the kernel) and it doesn't look like they're interested in investing their time into making vbox PaX compatible either :P. that's not to say that other virtualization solutions play that much better with PaX, there's always something that stands in their way and i don't really have the time to track them down.

as for gcc 4.7, it should work fine for some time now (both gcc and g++ compiled, it's automatically discovered when building the kernel) so the problem must be something specific to your system.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: Virtualbox modules don't build against grsec (not old/ne

Postby nonetwork » Fri Aug 17, 2012 5:57 pm

Could you maybe make a pax-grsec friendly fork of virtual box? Virtual box is now being used to host tor "hidden services" with the tor-box/aos project, so it's actually being used in the field. Maybe make it use the kernel loader etc and have it be the semi-officially supported virtualization solution for people using grsec.

Webhosts today also do the virtualization thing so it could help there too.

Also vbox I think was a Sun project, that was then taken over by oracle, and probably mostly abandoned so that's why maybe you didn't get a response. Perfect for forking for pax compatability.
nonetwork
 
Posts: 8
Joined: Thu Aug 09, 2012 8:01 am

Re: Virtualbox modules don't build against grsec (not old/ne

Postby nonetwork » Fri Aug 17, 2012 6:01 pm

It would be like you moving in on the Tijuana Cartel when they stop servicing a certain segment of the market.
You can get in on that.

Virtualization + Security == currently unhelped.
nonetwork
 
Posts: 8
Joined: Thu Aug 09, 2012 8:01 am

Re: Virtualbox modules don't build against grsec (not old/ne

Postby tradetaxfree » Mon Sep 10, 2012 7:11 am

To use virtualization with grsecurity use KVM instead of Virtualbox. I've written a guide for using KVM with Grsecurity in Debian here. Performance is better than Virtualbox & works with all security settings enabled.
tradetaxfree
 
Posts: 3
Joined: Mon Sep 10, 2012 7:04 am


Return to grsecurity support

cron