LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Weekly Edition

Return to the Kernel page

Recent Features

Kernel prepatch 3.9-rc5

LWN.net Weekly Edition for April 4, 2013

LWN.net Weekly Edition for March 28, 2013

A kernel change breaks GlusterFS

PyCon: Evangelizing Python

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

The future for grsecurity

By Jake Edge
January 7, 2009

Using an out-of-tree kernel patch has several downsides but, as long as the patch is maintained and updated with the kernel, it is workable. If the developers lose interest—or funding—it suddenly becomes a much bigger problem for users. That scenario may be about to play out for users of the grsecurity tool as a recent release comes with a warning that it could be the last.

Users of grsecurity are, unsurprisingly, worried about the future of the security tool, but calls for its inclusion in the mainline are not likely to be successful. Over time, largely because of the efforts of others outside of the grsecurity project, various pieces of grsecurity (and the associated PaX project) have been added to the kernel. But, there are a number of reasons that the full grsecurity patch is not in the mainline; the most basic is that the developers seem unwilling or uninterested in following the normal path to inclusion.

The grsecurity patch implements a number of security features that are useful, particularly for web servers or servers that provide shell access to untrusted users. One of the major features is role-based access control (RBAC), which is an alternative to the traditional UNIX discretionary access control (DAC) or the more recent mandatory access control (MAC) provided by SELinux and Smack. The aim of RBAC is create a "least privilege" system, where users and processes have only the minimum necessary privilege to accomplish their task. grsecurity also includes hardening of the chroot() system call, to eliminate privilege escalation and other vulnerabilities from within a "chroot jail". In addition, there are a number of other miscellaneous features like auditing and restricting /proc information, all of which are listed on the grsecurity features page.

Another major component of grsecurity is the PaX code, which restricts memory use so that various exploits, such as buffer overflows and other code execution vulnerabilities, are blunted or eliminated. It does this by making data pages non-executable using—or emulating—the "no execute" (or NX) bit. PaX restricts mprotect() to not allow pages that are both writable and executable to avoid code injection as well. PaX also adds much more aggressive address space layout randomization (ASLR) than is currently used by Linux. PaX is developed separately from grsecurity, by the anonymous "PaX Team", then incorporated into grsecurity by developer Brad Spengler.

The project has been around for a long time; grsecurity started in 2001, while PaX began in 2000. There are numerous satisfied users and grsecurity has been used in distributions such as NetSecL and Hardened Gentoo, but it has never made it into the mainline. Gabor Micsko recently posted a request on linux-kernel for Linus Torvalds to reconsider grsecurity:

The common opinion of the developers of grsecurity, PaX and their users is that acceptance of the code into the kernel would be the best solution for saving the project, beside finding another long-term sponsor.

Torvalds replied that much of what was in grsecurity and PaX was "insane and very annoying and invasive code." He then went on to explain some of the history:

The apparent inability (and perhaps more importantly - total unwilling[n]ess) from the PaX team to be able to see what makes sense in a long-term general kernel and what does not, and split things up and try to push the sensible things up (and know which things are too ugly or too specialized to make sense), caused many PaX features to never be merged.

Much of it did get merged over the years (mostly because some people spent the time to separate things out), but no, we're not going to suddenly start merging code like that just because the project is in trouble. None of the basic issues have been solved.

A perfect example of the unwillingness to work with the kernel hackers is embodied in the decision not to implement RBAC as a Linux Security Module (LSM). For better or worse, LSM is the mechanism used to implement access control in the kernel. Conceptually, it is a good fit for the grsecurity RBAC code. It might require additional LSM hooks, but working on getting those hooks added is the right approach. There was some uncertainty about LSM at one time, but it clearly is the way forward today.

There may also be an issue with the PaX code, in that anonymous contributions to the kernel are not allowed. Presumably Spengler, or some other interested hacker, could sign off on that code, but it cannot be accepted directly from "PaX Team".

To the extent grsecurity and PaX have been proposed for inclusion, they have always been presented as a single monolithic patch. There has never been an attempt to break the patch up into logical chunks that can be accepted or rejected on their individual merits. So far, that has not occurred even after the project lost its sponsor. But waiting until the last minute is not going to work. As Robert Hancock puts it:

Saying to the kernel developers "here, throw this huge blob of code into your kernel because otherwise we're taking our ball and going home" is not how it works.

If there is value in the existing code, interested users and developers need to work within the kernel process to get it accepted. To do that, one must identify the useful pieces and proceed from there. Valdis Kletnieks suggests:

Probably the best way to proceed would be for the stakeholders to come to some agreement on which parts are the "sane stuff" (which could be an interesting food fight), split those parts out, and submit them for inclusion as standalone separate patches.

This is yet another example of the perils of out-of-tree code. By all accounts, there are satisfied grsecurity users who may well be left behind if the grsecurity project fails to find sponsors by the end of March. They can, of course, continue running the grsecurity-enhanced kernels they currently have, but may not be able to take advantage of upcoming kernel advances.

Perhaps the stakeholders will gather together and continue updating grsecurity for newer kernels, but that still leaves the underlying problem. They would be better served spending at least part of their time working with the kernel hackers to get as much of grsecurity and PaX as possible merged into the mainline.

(Log in to post comments)

The future for grsecurity

Posted Jan 15, 2009 14:53 UTC (Thu) by PaXTeam (subscriber, #24616) [Link]

we'd like to clarify a few statements in the article. the most important fact from which everything else follows is that contrary to what is assumed in there, we never ever considered submitting grsecurity or PaX for mainline inclusion, and therefore obviously we never have. anything similar in the past was user action, not on our behalf (including the one post cited explicitly in the article), and without as much as a CC to us in fact. so any criticism about what we did or did not do to comply with mainline submission guidelines is, to be polite, misguided at best.

now that this is clear, you might however be interested in why things are this way. there's more than one reason actually, in no particular order:

- break up and submit

it doesn't work in our case. to understand, you'll have to consider that we've been doing these projects for over 8 years in entirely our free time. free time happens to be precious and is therefore subject to heavy optimization. you can call that being lazy if you like, but the fact is, we are unwilling to waste this resource. if breaking up and submitting parts of the patches don't in the end reduce our workload on maintaining the rest, then it's simply not worth it. and so it happens that there're several features that will never be accepted in mainline (arguing their justification in another question and would surely be subject to flamewars, so we'll leave it at that ;) and they also happen to be the most maintenance-heavy features, so effectively our workload wouldn't be reduced by much (and even if it was worth it, our free time is simply not enough to accomplish this task).

- acceptable features vs. our sanity

lest you believe Linus, you may want to look at what PaX does vs. what he claimed it did and you'll realize that he was talking about something else, most likely Exec-Shield (PaX provides normal per-page PROT_EXEC semantics on i386 unlike the approximation in Exec-Shield). that's little wonder of course given how he couldn't have seen the code that was never submitted.

but speaking of features, we have another reason for not submitting the patches: we've always had several features that build up on or augment each other. say, in PaX there's a conscious effort to provide kernel self-protection against kernel bugs. it's not a simple thing and several steps are taken to accomplish it (not implying it's a complete protection though). due to their implementation, some of these steps would never be accepted by Linus but then the rest doesn't make any sense either (say, properly limiting the per-cpu data segment is pointless without the proper userland/kernel virtual address space separation feature).

in other words, everything we have in the patches serves a purpose, regardless of whether a kernel developer (who isn't a security expert) understands that purpose or not.

The future for grsecurity

Posted Jan 15, 2009 17:39 UTC (Thu) by Dwokfur (guest, #50126) [Link]

If I would be a company, I would hire both Gresecurity/PaX, Grsecurity and Dazuko at the same time to work out something really useful.

Let me draw your attention to a previous comment of yours with useful links regarding the reasons why LSM fails to fulfil its duty:
http://lwn.net/Articles/206315/

It's clear, that LSM is incapable to hook important security projects. All major solutions remained outside the tree. Why? Do you really think, that those security experts, who knows processor architectures better than some Linux kernel developers are all insanely staying outside? Or just a particular company does not care about other solutions apart from its own? I think if the promotion of LSM is seriously considered, the developers and that company must be convinced to cope with the targeted projects on polishing LSM and make it a useful piece of software. It might be possible for someone smaller than Novell to introduce some improvements (AppArmor). But I'm afraid that should have been done at the beginning. Not after its unusefulness had been widely proven.

Personally I'm happy, that potential security solutions won't threaten average Linux users. It gives me the possibility to remain more secure, while most of them keep their Compiz cubes rotating faster. They don't have to care about security. Although I hope that there won't be a lesson to learn.

BTW, you may left out a handy feature (or I didn't noticed it was mentioned) of Grsecurity: it has an option to disable kernel module loading. How pretty it would be for a malware to hook itself into the kernel as a module? There would be plenty of information to intercept with the help of LSM...

Regards,
Dw.

Copyright © 2009, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds