ksplice-grsec for centos 5

Following up on my previous post on the matter, here are some details on what the 4 grsec features I ported to a centos 5 kernel looks like.

First off, since I’m patching syscalls in heavy use, first try to insert might look like this:

[root@localhost ~]# ksplice-apply ksplice-grsec.tar.gz

Error applying Ksplice update grsec:

Ksplice has aborted the upgrade because it appears that the code that you are
trying to patch is continuously in use by the system.  More specifically,
Ksplice has been unable to find a moment when one or more of the to-be-patched
functions is not on a thread's kernel stack.

Process klogd(pid 2060) is using the following symbols changed by update grsec:
do_syslog
[root@localhost ~]#

So stop syslog (and any other process it complains about) and try again (don’t forget to start them back up!):

[root@localhost ~]# /etc/init.d/syslog stop
Shutting down kernel logger:                               [  OK  ]
Shutting down system logger:                               [  OK  ]
[root@localhost ~]# ksplice-apply ksplice-grsec.tar.gz
Done!
[root@localhost ~]# /etc/init.d/syslog start
Starting system logger:                                    [  OK  ]
Starting kernel logger:                                    [  OK  ]

Here is Trusted Path Execution (TPE) in action:

[corman@localhost ~]$ ./mybinary
-bash: ./mybinary: Permission denied
[corman@localhost ~]$

mmap/mprotect also checked for TPE:

[corman@localhost ~]$ /lib/ld-2.5.so ./mybinary
./mybinary: error while loading shared libraries: ./mybinary: failed to map
segment from shared object: Permission denied
[corman@localhost ~]$

dmesg (as root user) shows:

Denied untrusted exec of mybinary by uid 500
Denied untrusted exec of mybinary by uid 500

dmesg restriction (non-root users can’t see the kernel ring buffer):

[corman@localhost ~]$ dmesg
klogctl: Operation not permitted
[corman@localhost ~]$

A few other features exist in here, harder to articulate. Perhaps I’ll give full details as I port over more features.

This is on my machine running 2.6.18-238.9.1.el5, which is now already out of date 😛 But I think I can script the making of this ksplice module out. So I may just publish these in my soon-to-be-released yum repository.

More details to come!

Leave a Reply

Your email address will not be published. Required fields are marked *