ksplice-grsec for centos 5

Following up on my previous post on the matter, here are some details on what the 4 grsec features I ported to a centos 5 kernel looks like.

First off, since I’m patching syscalls in heavy use, first try to insert might look like this:

[[email protected] ~]# ksplice-apply ksplice-grsec.tar.gz

Error applying Ksplice update grsec:

Ksplice has aborted the upgrade because it appears that the code that you are
trying to patch is continuously in use by the system.  More specifically,
Ksplice has been unable to find a moment when one or more of the to-be-patched
functions is not on a thread's kernel stack.

Process klogd(pid 2060) is using the following symbols changed by update grsec:
[[email protected] ~]#

So stop syslog (and any other process it complains about) and try again (don’t forget to start them back up!):

[[email protected] ~]# /etc/init.d/syslog stop
Shutting down kernel logger:                               [  OK  ]
Shutting down system logger:                               [  OK  ]
[[email protected] ~]# ksplice-apply ksplice-grsec.tar.gz
[[email protected] ~]# /etc/init.d/syslog start
Starting system logger:                                    [  OK  ]
Starting kernel logger:                                    [  OK  ]

Here is Trusted Path Execution (TPE) in action:

[[email protected] ~]$ ./mybinary
-bash: ./mybinary: Permission denied
[[email protected] ~]$

mmap/mprotect also checked for TPE:

[[email protected] ~]$ /lib/ld-2.5.so ./mybinary
./mybinary: error while loading shared libraries: ./mybinary: failed to map
segment from shared object: Permission denied
[[email protected] ~]$

dmesg (as root user) shows:

Denied untrusted exec of mybinary by uid 500
Denied untrusted exec of mybinary by uid 500

dmesg restriction (non-root users can’t see the kernel ring buffer):

[[email protected] ~]$ dmesg
klogctl: Operation not permitted
[[email protected] ~]$

A few other features exist in here, harder to articulate. Perhaps I’ll give full details as I port over more features.

This is on my machine running 2.6.18-238.9.1.el5, which is now already out of date 😛 But I think I can script the making of this ksplice module out. So I may just publish these in my soon-to-be-released yum repository.

More details to come!

Leave a Reply

Your email address will not be published. Required fields are marked *