If you wanna use the sysctl option deny_new_usb, you have to allow GRKERNSEC_SYSCTL; otherwise it is not in /proc/sys/kernel/grsecurity. But that is a problem, since you have to lock the change at boot for security reasons. But the lock also forbids changing deny_new_usb and therefore it is unusable. I use deny_new_usb against various security issues with USB drivers (direct memory in IEEE 1394 etc.) and allow it only temporarily for mounting USB disks. It worked at least in v3.18.9.

Reproducible: Always

Steps to Reproduce:
1. Configure with GRKERNSEC_DENYUSB=y & GRKERNSEC_SYSCTL=n.
2. Reboot with the new kernel.

Actual Results: Option deny_new_usb is not available.

Expected Results: Option deny_new_usb should be available without GRKERNSEC_SYSCTL.
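As an added illustration of the situation described in the report (not code from the reporter or from grsecurity), the helper below reports whether the deny_new_usb sysctl is present and whether grsec_lock still allows it to be toggled; the function names and the GRSEC_SYSCTL_DIR override are assumptions made for this example.

```shell
#!/bin/sh
# Hypothetical helper (added example): inspect grsecurity's deny_new_usb sysctl.
# GRSEC_SYSCTL_DIR defaults to the real path; it can be pointed at a constructed
# directory for testing.
GRSEC_SYSCTL_DIR="${GRSEC_SYSCTL_DIR:-/proc/sys/kernel/grsecurity}"

# Print one word describing the state of deny_new_usb:
#   missing    - sysctl not present (kernel built with GRKERNSEC_SYSCTL=n)
#   locked     - grsec_lock is 1, so the value can no longer be changed
#   enforcing  - new USB devices are rejected
#   permissive - new USB devices are accepted
deny_usb_state() {
    dir="${1:-$GRSEC_SYSCTL_DIR}"
    if [ ! -r "$dir/deny_new_usb" ]; then
        echo missing
        return 0
    fi
    if [ -r "$dir/grsec_lock" ] && [ "$(cat "$dir/grsec_lock")" = "1" ]; then
        echo locked
        return 0
    fi
    if [ "$(cat "$dir/deny_new_usb")" = "1" ]; then
        echo enforcing
    else
        echo permissive
    fi
}

# Set deny_new_usb to 0 or 1 (e.g. 0 just before mounting a USB disk, 1 again
# afterwards). Refuses, returning 1, when the sysctl is missing or locked.
set_deny_usb() {
    value="$1"
    dir="${2:-$GRSEC_SYSCTL_DIR}"
    case "$(deny_usb_state "$dir")" in
        missing|locked) return 1 ;;
    esac
    printf '%s\n' "$value" > "$dir/deny_new_usb"
}
```

Run `deny_usb_state` as root on the hardened kernel; "locked" is exactly the state the report complains about, where the option exists but can no longer be relaxed for mounting.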
The package is masked; I don't know how much sense a bug report on it can make.
I know, but I am sure I am not the only one who uses it. Grsecurity is one of the best protections against programmers' mistakes and it is not available in gentoo-sources.
Yes, but how many security fixes landed in the later releases since 4.8.x? GregKh would say: use a recent LTS, they try hard to bring you the best they can. Hardened sources were good, but it's time to switch to mainline imho.
I am not quite convinced that quantity also means quality. Imho, hardened-sources with all grsecurity hardening features on (even with v4.8) is much more secure than the most recent kernels. But I think it is a personal choice and that is what Gentoo is about.
Of course, it's your choice :) What about spectre/meltdown on hardened?
I am not an expert as for spectre/meltdown, but if I understand it correctly, the attacker has to get into the system first. If you run a single-user client machine and don't run any scripts/executables that are not on your computer, then he must abuse another bug to run an executable, and that's what grsecurity fends against. The key of grsecurity is about protecting against yet unknown bugs (of course it is not 100% safe, but at least it tries) and there can be other flaws in CPUs which are unknown yet and therefore not taken care of in recent kernels.
Outdated and masked.