
#1 2015-05-24 13:24:26

adventurer
Member
Registered: 2014-05-04
Posts: 119

linux-grsec and Virtualbox compatibility with the right options?

As discussed in other threads here, linux-grsec as host and VirtualBox as guest don't work together. However, in the grsecurity documentation two options are mentioned, namely:

GRKERNSEC_CONFIG_VIRT_HOST

Choose this option if this kernel will be run as a VM host.

and

GRKERNSEC_CONFIG_VIRT_VIRTUALBOX

Choose this option if this kernel is running as a VirtualBox guest or host.

Neither option is used in the linux-grsec package, and they aren't available via sysctl, either.

Before compiling my own grsec kernel with those options I would like to ask if someone else has tried them and can confirm that VirtualBox does indeed work.

If yes, I wonder why those options are not chosen by default in the linux-grsec package, considering that VirtualBox is used rather often.

Thanks in advance!

Last edited by adventurer (2015-05-29 12:44:21)


#2 2015-05-29 00:58:04

Aldaris
Member
Registered: 2013-06-06
Posts: 9

Re: linux-grsec and Virtualbox compatibility with the right options?

I found this most helpful. It especially describes the effects of the options and points out which ones must be deactivated for VirtualBox to work and which ones only have a performance impact. Although I am using linux-grsec-lts instead of linux-grsec, I can at least confirm that VirtualBox works on the former (with a custom config file that is).

Curiously the automatic grsec configuration does not produce a kernel that is able to run VirtualBox, even if you configure the kernel for use on a system that is used as a VirtualBox host. Apparently it has to be done manually.


#3 2015-05-29 09:03:40

archtom
Member
Registered: 2011-05-04
Posts: 58

Re: linux-grsec and Virtualbox compatibility with the right options?

Hey, I put a lot of time into this and got a lot of stuff working with linux-grsec in a VirtualBox guest (latest VirtualBox on an OS X host).

In the following I'll describe the steps I took. Hopefully it helps someone. Perhaps I didn't do some things the right way, so I'm open to any suggestion.

The only thing not working for me is mounting a shared folder. I filed a bug report for that and you can follow it here:
https://bugs.archlinux.org/task/45119#comment135841

# preparation
1   Before you start, make sure you downgrade your gcc to the latest 4.9.2-4 or the modules will not build later on. I filed a bug report on that and the kernel will be rebuilt against the latest gcc at some point in the future.
2   Before running the commands, disable vboxclient in desktop autostart. In xfce it is found in: applications menu - preferences - session and startup.

# installation

yaourt -Sy linux-grsec paxd pax-utils gradm crda linux-grsec-headers virtualbox-guest-utils virtualbox-guest-dkms --noconfirm
yaourt -Rd virtualbox-guest-modules

# integrating new kernel in grub config

grub-mkconfig -o /boot/grub/grub.cfg

# adding some pax exceptions for apps to run properly

echo "" >> /etc/paxd.conf
echo "#more apps" >> /etc/paxd.conf
echo "em /usr/bin/kalu" >> /etc/paxd.conf
echo "em /usr/bin/spacefm" >> /etc/paxd.conf

# configuring crda, edit for your country

sed -i 's|^.*WIRELESS_REGDOM="DE"|WIRELESS_REGDOM="DE"|' /etc/conf.d/wireless-regdom

# enabling and starting services

systemctl enable vboxservice.service
systemctl start vboxservice.service
systemctl enable dkms.service
systemctl start dkms.service

# compiling vbox guest modules for current active kernel

dkms install vboxguest/$(pacman -Q virtualbox-guest-dkms|awk '{print $2}'|sed 's/\-.\+//') -k $(uname -rm|sed 's/\ /\//')

# adding vboxguest hook to mkinitcpio

sed -i '/^HOOKS=/s/"*$/ vboxguest"/' /etc/mkinitcpio.conf

# starting vboxclient functions when starting x

cat > /etc/X11/xinit/xinitrc.d/vboxclient.sh <<'EOF'
#!/bin/bash
# starting virtualbox client services
sudo /usr/bin/VBoxClient-all
EOF

chmod 755 /etc/X11/xinit/xinitrc.d/vboxclient.sh

# allowing every user to run the script without password because linux-grsec only allows running it as root

# written to a drop-in file instead of appending to /etc/sudoers, so a syntax error cannot lock you out; visudo -c checks it
echo "%users  ALL = NOPASSWD: /usr/bin/VBoxClient-all" > /etc/sudoers.d/vboxclient
chmod 440 /etc/sudoers.d/vboxclient
visudo -c -f /etc/sudoers.d/vboxclient

# reboot

reboot

Perhaps someone can help making this better or getting the shared folder working.

Hope this helps someone ;-)

Last edited by archtom (2015-05-29 09:16:18)


#4 2015-05-29 12:50:07

adventurer
Member
Registered: 2014-05-04
Posts: 119

Re: linux-grsec and Virtualbox compatibility with the right options?

Aldaris wrote:

I found this most helpful. It especially describes the effects of the options and points out which ones must be deactivated for VirtualBox to work and which ones only have a performance impact. Although I am using linux-grsec-lts instead of linux-grsec, I can at least confirm that VirtualBox works on the former (with a custom config file that is).

Thanks - that's very helpful. I have to carefully look into the link you provided.

Curiously the automatic grsec configuration does not produce a kernel that is able to run VirtualBox, even if you configure the kernel for use on a system that is used as a VirtualBox host. Apparently it has to be done manually.

Yes, that's really a pity. I believe that VirtualBox is installed by a lot of users, and it's a package from the official repositories, after all ...

@archtom: Thanks for your detailed steps - very interesting. However, my problem is running linux-grsec as the host system and VirtualBox as guest. I've edited my first post to make this a bit clearer.


#5 2015-07-29 01:16:42

thestinger
Package Maintainer (PM)
From: Toronto, Canada
Registered: 2010-01-23
Posts: 478

Re: linux-grsec and Virtualbox compatibility with the right options?

If there are missing PaX exceptions, please report them here: https://github.com/thestinger/paxd


#6 2015-07-29 14:38:26

adventurer
Member
Registered: 2014-05-04
Posts: 119

Re: linux-grsec and Virtualbox compatibility with the right options?

thestinger wrote:

If there are missing PaX exceptions, please report them here: https://github.com/thestinger/paxd

Thanks, Daniel. However, although I haven't had the time to look into my issue more closely in the past weeks, I'm pretty sure that I wasn't able to start my VirtualBox guests even with paxd not installed.

What's your stance about those options in my first post?

Last edited by adventurer (2015-07-29 14:45:29)


#7 2015-07-29 15:46:34

adventurer
Member
Registered: 2014-05-04
Posts: 119

Re: linux-grsec and Virtualbox compatibility with the right options?

Okay, I finally compiled my own linux-grsec kernel by adding those two options to the official Arch linux-grsec kernel - but to no avail: whenever I try to start a VirtualBox guest system my whole system freezes completely. :-(

Last edited by adventurer (2015-07-29 15:47:00)


#8 2015-07-31 23:10:57

Aldaris
Member
Registered: 2013-06-06
Posts: 9

Re: linux-grsec and Virtualbox compatibility with the right options?

If I remember correctly, I disabled 3 options in my kernel config:
1. Prevent invalid userland pointer dereference (PAX_MEMORY_UDEREF)
2. Enforce non-executable kernel pages (PAX_KERNEXEC)
3. Randomize kernel stack base (PAX_RANDKSTACK)

There is more that needs to be disabled, but the rest is done by paxd automatically. However, those 3 options cannot be disabled at runtime. They need to be completely disabled in the kernel config.

Again, I am using linux-grsec-lts instead of linux-grsec, but if I did not forget anything, this is how I am able to run VirtualBox on a grsec kernel. All I need to do beyond that is to build the VirtualBox kernel modules with dkms and load them prior to starting VirtualBox.


#9 2015-08-03 10:42:46

adventurer
Member
Registered: 2014-05-04
Posts: 119

Re: linux-grsec and Virtualbox compatibility with the right options?

Aldaris wrote:

If I remember correctly, I disabled 3 options in my kernel config:
1. Prevent invalid userland pointer dereference (PAX_MEMORY_UDEREF)
2. Enforce non-executable kernel pages (PAX_KERNEXEC)
3. Randomize kernel stack base (PAX_RANDKSTACK)

Thanks, I might try that! However, I'm a bit unsure how much disabling those options weakens the additional security provided by the linux-grsec kernel ...

Last edited by adventurer (2015-08-03 10:43:02)


#10 2016-01-27 20:04:21

antimop
Member
Registered: 2016-01-20
Posts: 4

Re: linux-grsec and Virtualbox compatibility with the right options?

Aldaris wrote:

If I remember correctly, I disabled 3 options in my kernel config:
1. Prevent invalid userland pointer dereference (PAX_MEMORY_UDEREF)
2. Enforce non-executable kernel pages (PAX_KERNEXEC)
3. Randomize kernel stack base (PAX_RANDKSTACK)

There is more that needs to be disabled, but the rest is done by paxd automatically. However, those 3 options cannot be disabled at runtime. They need to be completely disabled in the kernel config.

Again, I am using linux-grsec-lts instead of linux-grsec, but if I did not forget anything, this is how I am able to run VirtualBox on a grsec kernel. All I need to do beyond that is to build the VirtualBox kernel modules with dkms and load them prior to starting VirtualBox.

Can you explain how to disable these? Is this something you can do in /etc/sysctl.d/05-grsecurity.conf?


#11 2016-01-27 22:04:47

Aldaris
Member
Registered: 2013-06-06
Posts: 9

Re: linux-grsec and Virtualbox compatibility with the right options?

antimop wrote:

Can you explain how to disable these? Is this something you can do in /etc/sysctl.d/05-grsecurity.conf?

No, these are kernel config options. They must be set when compiling the kernel.

You can build your own linux-grsec package using the Arch Build System. You need to replace the config file (config for i686 or config.x86_64) before running makepkg.

Actually, I got tired of compiling a new kernel on every update, especially since linux-grsec-lts does not exist anymore and linux-grsec is updated much more often. I recommend using qemu with kvm.

Last edited by Aldaris (2016-01-27 22:05:16)
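As an added example (not from the thread, the linux-grsec package or the grsecurity project), a POSIX shell script that applies the three-option list from #8 to the kernel config file before running makepkg as described in #11: it reports the state of each option in a .config and rewrites it to the "not set" form Kconfig uses. The option names are the ones quoted in the thread; the sample .config fragment is constructed and is not a real Arch config.

```shell
#!/bin/sh
# Added example: disable the three PaX options Aldaris lists in a linux-grsec
# .config and report how many are still built in. Assumes a standard
# Kconfig-style .config; option names are taken from the thread.

PAX_OPTS="PAX_MEMORY_UDEREF PAX_KERNEXEC PAX_RANDKSTACK"

# State of CONFIG_<opt> in a .config file: y, m, n (explicitly not set) or unset.
config_state() {
    if grep -q "^CONFIG_$2=y\$" "$1"; then echo y
    elif grep -q "^CONFIG_$2=m\$" "$1"; then echo m
    elif grep -q "^# CONFIG_$2 is not set\$" "$1"; then echo n
    else echo unset
    fi
}

# Rewrite a .config so every option in PAX_OPTS is explicitly disabled.
disable_pax_opts() {
    for opt in $PAX_OPTS; do
        if grep -q "^CONFIG_$opt=" "$1"; then
            sed "s/^CONFIG_$opt=.*\$/# CONFIG_$opt is not set/" "$1" > "$1.tmp" \
                && mv "$1.tmp" "$1"
        elif ! grep -q "^# CONFIG_$opt is not set\$" "$1"; then
            printf '# CONFIG_%s is not set\n' "$opt" >> "$1"
        fi
    done
}

# Number of PAX_OPTS still built in (=y); 0 means the config matches post #8.
count_enabled() {
    n=0
    for opt in $PAX_OPTS; do
        [ "$(config_state "$1" "$opt")" = y ] && n=$((n + 1))
    done
    echo "$n"
}

# Constructed sample .config fragment (not a real Arch config) for demonstration.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
CONFIG_GRKERNSEC=y
CONFIG_PAX_MEMORY_UDEREF=y
CONFIG_PAX_KERNEXEC=y
# CONFIG_PAX_RANDKSTACK is not set
CONFIG_PAX_MPROTECT=y
EOF
echo "enabled before: $(count_enabled "$SAMPLE")"
disable_pax_opts "$SAMPLE"
echo "enabled after:  $(count_enabled "$SAMPLE")"
```

The same `config_state` check can be run against the running kernel by pointing it at a copy of `zcat /proc/config.gz`, which only exists when the kernel was built with CONFIG_IKCONFIG_PROC; this verifies which of the three protections you are actually giving up, since paxd cannot turn them off at runtime.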
