Hardening the openSUSE distro
NOTE: this project is in an undefined state, the following information is inaccurate.
openSUSE-gardened is the openSUSE kernel patched with grsecurity and built with a hardened toolchain; it aims to give users an alternative, more secure option. It provides the kernel in a desktop or a server flavor and includes userspace tools that should make it easier to use. This is currently an unofficial project in beta state.
The desktop flavor has been in daily use on openSUSE desktops and is considered stable enough for daily use. Despite that, there may be issues with the graphics drivers from nVidia and AMD. Testers are needed for the server flavor and for other desktop environments, and your feedback is welcome. You can post your findings, bugs and issues on the project's issue tracker or chat with us at irc.freenode.net #opensuse-gardened. For more information on PaX/grsecurity see the Grsecurity wikibook.
- Kernel built using the GCC toolchain and the plugins from grsecurity.
- PaX flags are stored as extended attributes at the filesystem level, so modifying the ELF header is not needed and is intentionally disabled in the kernel.
- Where applicable, the package manager (zypper) automatically refreshes the PaX flags of newly installed binaries.
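As an added example (not code from the openSUSE-gardened project or its tools), the following POSIX shell functions show how markings are handled in the extended-attribute scheme described above: the marking lives in the user.pax.flags attribute and is written and read with setfattr/getfattr from the attr package, a flag string is validated before it is written, and a constructed "FLAGS PATH" exception list is applied to whatever is actually installed, which is the job the post-install refresh has to do. The list format, the function names and the DRY_RUN switch are assumptions of this example, not the format of linux-pax-flags or the zypp plugin.

```shell
#!/bin/sh
# Added example, not openSUSE-gardened code: manage PaX markings stored as the
# user.pax.flags extended attribute (the scheme the kernels above use instead
# of ELF-header marking). Needs setfattr/getfattr from the attr package and a
# kernel that honours the attribute. Flag letters: P/E/M/R/S enable PAGEEXEC,
# EMUTRAMP, MPROTECT, RANDMMAP, SEGMEXEC; the lower-case letter disables it.
PAX_XATTR="user.pax.flags"

# Return 0 if FLAGS is a usable marking: non-empty, only known letters, and no
# feature both enabled and disabled (e.g. "Mm").
pax_validate_flags() {
    flags=$1
    [ -n "$flags" ] || return 1
    case "$flags" in
        *[!PpEeMmRrSs]*) return 1 ;;
    esac
    for pair in Pp Ee Mm Rr Ss; do
        up=${pair%?}
        low=${pair#?}
        case "$flags" in
            *"$up"*"$low"*|*"$low"*"$up"*) return 1 ;;
        esac
    done
    return 0
}

# Print the setfattr command for PATH and FLAGS; execute it unless DRY_RUN=1.
# Refuses invalid flag strings instead of writing them to the filesystem.
pax_set_flags() {
    path=$1
    flags=$2
    pax_validate_flags "$flags" || { echo "invalid PaX flags: $flags" >&2; return 1; }
    echo "setfattr -n $PAX_XATTR -v $flags $path"
    [ "${DRY_RUN:-0}" = 1 ] && return 0
    setfattr -n "$PAX_XATTR" -v "$flags" "$path"
}

# Print the current marking of PATH, or nothing if it carries none.
pax_get_flags() {
    getfattr --only-values -n "$PAX_XATTR" "$1" 2>/dev/null
}

# Apply an exception list read from stdin, one "FLAGS PATH" per line, with '#'
# comments and blank lines ignored. Entries whose file is not installed are
# skipped, which is what a post-install refresh has to do anyway. The list
# format is this example's assumption, not the linux-pax-flags format.
pax_apply_list() {
    while read -r flags path; do
        case "$flags" in ''|\#*) continue ;; esac
        [ -e "$path" ] || continue
        pax_set_flags "$path" "$flags" || echo "skipped $path" >&2
    done
}

# Demo: show what would be applied for a constructed list, without writing.
if [ "${1:-}" = "--demo" ]; then
    DRY_RUN=1
    printf '%s\n' \
        '# constructed list: a JIT needs MPROTECT off, a trampoline user needs EMUTRAMP' \
        'm /usr/lib64/firefox/firefox' \
        'E /usr/bin/nested' \
        'PEMRS /bin/sh' | pax_apply_list
fi
```

Run it with --demo to see the commands without touching anything; without DRY_RUN=1 the setfattr calls are executed, which needs write access to the files and a kernel that reads user.pax.flags. Because the marking is an attribute rather than a byte in the ELF header, it is lost when a package update replaces the file, which is exactly why the refresh after installation is needed.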
Why -gardened? According to Wikipedia, gardening is "a practice of growing and cultivating, an activity that brings relaxation", pun intended.
- ☑ alpha - experimental stage
  - ☑ make it work
  - ☑ test in various environments
  - ☑ tune the build
  - ☐ document the build process, polish and publish the scripts
- ☐ beta
  - ☑ create an official devel project in openSUSE
  - ☐ review the configs of the provided kernel flavors
  - ☐ automate updates to new grsec patch versions
  - ☐ automate basic testing (boot, update, ltp, stress)
  - ☐ PaX exception suggestions based on system log messages
  - ☐ make it easier to do custom builds (needed to get the benefit of the randomization features), including custom configs or extra patches
- ☐ 1st class integration
  - ☐ merge grsecurity/PaX into the Linux kernel
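The unchecked item about exception suggestions from system log messages is illustrated by this added shell function; it is not the project's implementation. The log lines are constructed to match the message formats of PaX ("PAX: terminating task: ...") and of grsecurity's RWX mapping logging ("grsec: denied RWX mmap/mprotect of ..."), and the mapping from message to suggested flag is this example's own heuristic: an RWX denial points at MPROTECT (m), while a PaX kill for executing non-executable memory is usually a trampoline, so EMUTRAMP (E) is the first thing to try before giving up PAGEEXEC (p).

```shell
#!/bin/sh
# Added example, not openSUSE-gardened code: turn PaX/grsecurity kernel log
# lines into "path flag reason" suggestions for a PaX exception list.
# Message formats follow the PaX and grsecurity sources; the heuristic mapping
# of message to flag is this example's own.

pax_suggest_from_log() {
    awk '
    # grsecurity refused an RWX mmap/mprotect: the binary wants writable and
    # executable memory at once (JITs, some runtimes). The exception that
    # allows it is disabling MPROTECT, flag "m".
    /grsec: denied RWX (mmap|mprotect) of/ {
        if (match($0, /by [^[]+\[/)) {
            path = substr($0, RSTART + 3, RLENGTH - 4)
            print path, "m", "rwx-mapping-denied"
        }
        next
    }
    # PaX killed the task for executing non-executable memory. Often a
    # trampoline on the stack (nested functions); try EMUTRAMP ("E") first,
    # disabling PAGEEXEC ("p") only if that is not enough.
    /PAX: terminating task:/ {
        if (match($0, /terminating task: [^(]+\(/)) {
            path = substr($0, RSTART + 18, RLENGTH - 19)
            print path, "E", "pageexec-kill"
        }
        next
    }
    ' | sort -u
}

# Constructed sample log lines (not captured from a real system). The fourth
# line is the follow-up dump PaX prints after a kill; it carries no path and
# must be ignored.
SAMPLE_LOG='Mar  3 10:01:22 host kernel: grsec: denied RWX mprotect of <anonymous mapping> by /usr/lib64/firefox/firefox[firefox:5219] uid/euid:1000/1000 gid/egid:100/100, parent /usr/bin/bash[bash:5190] uid/euid:1000/1000 gid/egid:100/100
Mar  3 10:01:23 host kernel: grsec: denied RWX mmap of <anonymous mapping> by /usr/lib64/firefox/firefox[firefox:5219] uid/euid:1000/1000 gid/egid:100/100, parent /usr/bin/bash[bash:5190] uid/euid:1000/1000 gid/egid:100/100
Mar  3 10:05:40 host kernel: PAX: terminating task: /usr/bin/nested(nested):6011, uid/euid: 1000/1000, PC: 00007ffd1c2e0a90, SP: 00007ffd1c2e0a80
Mar  3 10:05:41 host kernel: PAX: bytes at PC: 48 83 ec 08 ff d0 48 83 c4 08 c3 00 00 00 00 00 00 00 00 00'

# Run the sample through the function when executed with --demo.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | pax_suggest_from_log
fi
```

Repeated denials from the same binary collapse into one suggestion, so the output can be reviewed by hand or fed into a "FLAGS PATH" list; it should be reviewed, not applied blindly, because every suggested letter weakens a protection for that binary.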
Repository packages are compatible with a base openSUSE installation. To install, follow one of the procedures below. Please note that the randomization features cannot be fully utilized with the pre-built packages: the secret random seed used at build time can be obtained from the rpm, so anyone with the package can reproduce the randomized layout. Use them for testing and do a full package rebuild in other cases.
YaST One-click installation pattern for the desktop kernel flavor:
- grsec-basic 1-click install for openSUSE 13.1
- grsec-basic 1-click install for openSUSE 13.2
- grsec-basic 1-click install for openSUSE 42.1
- grsec-basic 1-click install for openSUSE 42.2
- grsec-basic 1-click install for openSUSE
This will permanently add the repo and download the following packages:
- kernel-grsec-desktop — the kernel (built with gcc 4.8 on 13.1, 13.2 and 42.1; gcc 6 on Tumbleweed)
- gradm — management utility for the RBAC policies
- linux-pax-flags — list of PaX exceptions and a tool to turn them on/off
- paxctl — provides paxctl utility to modify the PaX exceptions
- paxtest — set of tests to show the success of various protection mechanisms
Manual installation, after adding the repo like this:
  zypper ar --refresh \
      http://download.opensuse.org/repositories/home:/dsterba:/grsecurity/openSUSE_Leap_42.2/ \
      openSUSE-gardened
Other related packages:
- zypp-plugin-pax-flags — package manager plugin that refreshes all PaX flags after installation
Note: giving this repository a higher priority than openSUSE Updates will pull in the modified compiler package along with the appropriate plugins. We have not observed any problems in that scenario, but if you do not want this, do not change the repo priority. This applies to 13.x and 42.x.
Note: the kernel for the Leap build target does not follow the official Leap kernels!
More information about the tools can be found at the tools page.
List of known issues; you may encounter some of them.
More about the kernel flavors.
The testing version of the grsecurity patches is released quite often. The OBS packages are updated within a day or less. The patching process has been automated, but some manual review is always done before the packages are sent to the build service.
Due to the fast pace of updates, please look at the git repository or the OBS project for the latest version.
The non-kernel packages are released infrequently; they are considered stable.
The repository obs://security:grsecurity contains packages that pass build and basic boot tests, but may lag behind the latest testing patches. This is the recommended repository for most users.
The home project obs://~:grsecurity has become a staging repository: the latest patches are applied there, but the builds may be broken for some time.
Testing or build support repos:
- ~:grsecurity:scratch — whatever needs testing without breaking the rest
- ~:grsecurity:ports — all packages for ARM (armv6 and armv7)
- ~:grsecurity:gcc48 — version of gcc 4.8 with enabled plugins, all arches (x86, arm)
Whenever possible, changes are merged back into openSUSE. The kernel is likely to stay out of the official openSUSE tree since grsecurity is not part of the mainline Linux kernel. The effort to apply the grsec patches on top of the stable-based openSUSE kernels is minimal, which makes long-term maintenance doable.
See TODO for things in progress or to work on.
- https://github.com/kdave/kernel-source — openSUSE kernel repository, grsec branches
- https://github.com/kdave/zypp-plugin-pax-flags — packager plugin to refresh PaX flags
- https://github.com/kdave/linux-pax-flags — PaX settings
- https://github.com/kdave/paxctl — the paxctl utility, extracted from the elfix package, originally named
Stalled and not updated anymore:
- https://build.opensuse.org/project/show/home:dsterba:PIE-test — enabling PIE and full RELRO for more packages
References and further reading