As discussed in other threads here, linux-grsec as host and Virtualbox as guest don't work together. However, in the Grsecurity documentation two options are mentioned, namely:
GRKERNSEC_CONFIG_VIRT_HOST
Choose this option if this kernel will be run as a VM host.
and
GRKERNSEC_CONFIG_VIRT_VIRTUALBOX
Choose this option if this kernel is running as a VirtualBox guest or host.
Neither option is used in the linux-grsec package, and they aren't available via sysctl, either.
Before compiling my own grsec kernel with those options I would like to ask if someone else has tried them and can confirm that Virtualbox does indeed work.
If yes, I wonder why those options are not chosen by default in the linux-grsec package considering that Virtualbox is used rather often.
Thanks in advance!
Last edited by adventurer (2015-05-29 12:44:21)
Offline
I found this most helpful. It especially describes the effects of the options and points out which ones must be deactivated for VirtualBox to work and which ones only have a performance impact. Although I am using linux-grsec-lts instead of linux-grsec, I can at least confirm that VirtualBox works on the former (with a custom config file that is).
Curiously the automatic grsec configuration does not produce a kernel that is able to run VirtualBox, even if you configure the kernel for use on a system that is used as a VirtualBox host. Apparently it has to be done manually.
Offline
Hey, I put a lot of time into this and got a lot of stuff to work with linux-grsec in a virtualbox guest (latest vbox on an OS X host).
In the following I'll describe the steps I took. Hopefully it helps someone. Perhaps I didn't do some things the right way, so I'm open to any suggestion.
The only thing not working for me is mounting a shared folder. I filed a bug report for that and you can follow it here:
https://bugs.archlinux.org/task/45119#comment135841
# preparation
1 Before you start make sure you downgrade your gcc to the latest 4.9.2-4 or the modules will not build later on. I filed a bug report on that and the kernel will be rebuilt against the latest gcc sometime in the future.
2 Before running the commands disable vboxclient in desktop autostart. In xfce it is found in - applications menu - preferences - session and startup.
# installation
yaourt -Sy linux-grsec paxd pax-utils gradm crda linux-grsec-headers virtualbox-guest-utils virtualbox-guest-dkms --noconfirm
yaourt -Rd virtualbox-guest-modules
# integrating new kernel in grub config
grub-mkconfig -o /boot/grub/grub.cfg
# adding some pax exceptions for apps to run properly
echo "" >> /etc/paxd.conf
echo "#more apps" >> /etc/paxd.conf
echo "em /usr/bin/kalu" >> /etc/paxd.conf
echo "em /usr/bin/spacefm" >> /etc/paxd.conf
# configuring crda, edit for your country
sed -i 's|^.*WIRELESS_REGDOM="DE"|WIRELESS_REGDOM="DE"|' /etc/conf.d/wireless-regdom
# enabling and starting services
systemctl enable vboxservice.service
systemctl start vboxservice.service
systemctl enable dkms.service
systemctl start dkms.service
# compiling vbox guest modules for current active kernel
dkms install vboxguest/$(pacman -Q virtualbox-guest-dkms|awk '{print $2}'|sed 's/\-.\+//') -k $(uname -rm|sed 's/\ /\//')
# adding vboxguest hook to mkinitcpio
sed -i '/^HOOKS=/s/"*$/ vboxguest"/' /etc/mkinitcpio.conf
# starting vboxclient functions when starting x
# (the original post opened this file in nano; the heredoc writes the same three lines non-interactively)
cat > /etc/X11/xinit/xinitrc.d/vboxclient.sh <<'EOF'
#!/bin/bash
# starting virtualbox client services
sudo /usr/bin/VBoxClient-all
EOF
chmod 755 /etc/X11/xinit/xinitrc.d/vboxclient.sh
# allowing every user to run the script without password because linux-grsec only allows running it as root
echo "%users ALL = NOPASSWD: /usr/bin/VBoxClient-all" >> /etc/sudoers
# reboot
reboot
Perhaps someone can help making this better or getting the shared folder working.
Hope this helps anyone
Last edited by archtom (2015-05-29 09:16:18)
Offline
I found this most helpful. It especially describes the effects of the options and points out which ones must be deactivated for VirtualBox to work and which ones only have a performance impact. Although I am using linux-grsec-lts instead of linux-grsec, I can at least confirm that VirtualBox works on the former (with a custom config file that is).
Thanks - that's very helpful. I have to carefully look into the link you provided.
Curiously the automatic grsec configuration does not produce a kernel that is able to run VirtualBox, even if you configure the kernel for use on a system that is used as a VirtualBox host. Apparently it has to be done manually.
Yes, that's really a pity. I believe that Virtualbox is installed by a lot of users, and it's a package from the official repositories, after all ...
@archtom: Thanks for your detailed steps - very interesting. However, my problem is running linux-grsec as a host system and Virtualbox as guest. I've edited my first post to make this a bit clearer.
Offline
If there are missing PaX exceptions, please report them here: https://github.com/thestinger/paxd
Offline
If there are missing PaX exceptions, please report them here: https://github.com/thestinger/paxd
Thanks, Daniel. However, although I haven't had the time to look into my issue a bit closer in the past weeks, I'm pretty sure that I wasn't able to start my Virtualbox guests even with paxd not being installed.
What's your stance about those options in my first post?
Last edited by adventurer (2015-07-29 14:45:29)
Offline
Okay, I finally compiled my own linux-grsec kernel by adding those two options to the official Arch linux-grsec kernel - but to no avail: whenever I try to start a Virtualbox guest system my whole system freezes completely. :-(
Last edited by adventurer (2015-07-29 15:47:00)
Offline
If I remember correctly, I disabled 3 options in my kernel config:
1. Prevent invalid userland pointer dereference (PAX_MEMORY_UDEREF)
2. Enforce non-executable kernel pages (PAX_KERNEXEC)
3. Randomize kernel stack base (PAX_RANDKSTACK)
There is more that needs to be disabled, but the rest is done by paxd automatically. However, those 3 options cannot be disabled at runtime. They need to be completely disabled in the kernel config.
Again, I am using linux-grsec-lts instead of linux-grsec, but if I did not forget anything, this is how I am able to run VirtualBox on a grsec kernel. All I need to do beyond that is to build the VirtualBox kernel modules with dkms and load them prior to starting VirtualBox.
Offline
If I remember correctly, I disabled 3 options in my kernel config:
1. Prevent invalid userland pointer dereference (PAX_MEMORY_UDEREF)
2. Enforce non-executable kernel pages (PAX_KERNEXEC)
3. Randomize kernel stack base (PAX_RANDKSTACK)
Thanks, I might try that! However, I'm a bit unsure how much disabling those options weakens the additional security provided by the linux-grsec kernel ...
Last edited by adventurer (2015-08-03 10:43:02)
Offline
If I remember correctly, I disabled 3 options in my kernel config:
1. Prevent invalid userland pointer dereference (PAX_MEMORY_UDEREF)
2. Enforce non-executable kernel pages (PAX_KERNEXEC)
3. Randomize kernel stack base (PAX_RANDKSTACK)
There is more that needs to be disabled, but the rest is done by paxd automatically. However, those 3 options cannot be disabled at runtime. They need to be completely disabled in the kernel config.
Again, I am using linux-grsec-lts instead of linux-grsec, but if I did not forget anything, this is how I am able to run VirtualBox on a grsec kernel. All I need to do beyond that is to build the VirtualBox kernel modules with dkms and load them prior to starting VirtualBox.
Can you explain how to disable these? Is this something you can do in /etc/sysctl.d/05-grsecurity.conf?
Offline
Can you explain how to disable these? Is this something you can do in /etc/sysctl.d/05-grsecurity.conf?
No, these are kernel config options. They must be set when compiling the kernel.
You can build your own linux-grsec package using the Arch Build System. You need to replace the config file (config for i686 or config.x86_64) before running makepkg.
Actually, I got tired of compiling a new kernel on every update, especially since linux-grsec-lts does not exist anymore and linux-grsec is updated much more often. I recommend using qemu with kvm.
Last edited by Aldaris (2016-01-27 22:05:16)
Offline
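Added example, not code from the thread or from the Arch package: a POSIX shell script that makes the config change Aldaris describes (turning off PAX_MEMORY_UDEREF, PAX_KERNEXEC and PAX_RANDKSTACK in the kernel config before makepkg) and verifies that none of the three is still enabled. It assumes the upstream Kconfig symbol names for those options and uses a constructed sample config; UDEREF and KERNEXEC are kernel self-protection features, so the resulting kernel keeps grsecurity's other hardening but gives up those two, which is the trade-off adventurer asks about.

```shell
#!/bin/sh
# Added example, not from the thread: turn off the three PaX options named
# above in a .config-style kernel config (e.g. the package's config.x86_64
# copied from the ABS tree) before running makepkg, then verify the result.
# Symbol names are the upstream Kconfig names for the options in the post.

# Replace "SYM=y" (or =m) with "# SYM is not set"; append the line if absent.
# Written without "sed -i" so it behaves the same on any POSIX sed.
disable_option() {
    cfg="$1"; sym="$2"
    if grep -q "^${sym}=" "$cfg"; then
        sed "s|^${sym}=.*|# ${sym} is not set|" "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    elif ! grep -q "^# ${sym} is not set" "$cfg"; then
        printf '# %s is not set\n' "$sym" >> "$cfg"
    fi
}

# The three options Aldaris disabled; they cannot be toggled via sysctl.
VBOX_INCOMPATIBLE="CONFIG_PAX_MEMORY_UDEREF CONFIG_PAX_KERNEXEC CONFIG_PAX_RANDKSTACK"

prepare_vbox_host_config() {
    for sym in $VBOX_INCOMPATIBLE; do
        disable_option "$1" "$sym"
    done
}

# Exit status 0 if none of the three options is still enabled, 1 otherwise.
check_config() {
    for sym in $VBOX_INCOMPATIBLE; do
        grep -q "^${sym}=y" "$1" && return 1
    done
    return 0
}

# Constructed sample config for a stand-alone run; a real one is far larger.
make_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_GRKERNSEC=y
CONFIG_PAX_MEMORY_UDEREF=y
CONFIG_PAX_KERNEXEC=y
# CONFIG_PAX_RANDKSTACK is not set
CONFIG_PAX_MPROTECT=y
EOF
}

# Usage: sh fix-config.sh /path/to/config.x86_64 (edits the file in place)
if [ -n "${1:-}" ] && [ -f "$1" ]; then
    prepare_vbox_host_config "$1" && check_config "$1" && echo "disabled: $VBOX_INCOMPATIBLE"
fi
```

After the rebuilt package is installed, the VirtualBox modules still have to be built with dkms and loaded before starting VirtualBox, as the post above notes.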