Grsecurity Notes

Grsecurity is a set of unrelated security patches for Linux kernel. Each patch deals with a specific aspect of system security, such as prevention of arbitrary code execution and chroot hardening, to name just a few. All these patches put together form an extensive security system integrated directly into the Linux kernel. The system is much easier to use than SELinux or AppArmor. Once installed and configured, the user can forget about it, as it requires little or no maintenance. This makes Grsecurity ideal for desktops.

Firejail is supported on Grsecurity systems. Most of the time, it works exactly the same way it works on regular systems. Curently, –chroot and –overlay command line options are not supported.

We follow Grsecurity development in Debian. Grsecurity is available to Debian users from jessie-backports, testing or sid repositories. The install commands are:

$ sudo apt-get install linux-image-4.4.0-1-grsec-amd64
$ sudo apt-get install linux-headers-4.4.0-1-grsec-amd64

Grsecurity can also be installed manually, the process is described in Grsecurity Wikibook. We keep in our GitHub repository the kernel configuration used in Debian build, and sysctl runtime configuration (/etc/sysctl.d/grsec.conf).

Once started into the new kernel, paxctl utility (sudo apt-get install paxctl) is used to disable MPROTECT on several regular executables, such as Mozilla Firefox. MPROTECT feature in Grsecurity prevents the introduction of new executable code into the task’s address space. In the case of Mozilla Firefox, this interferes with just-in-time compilation technology used by the browser to run JavaScript code:

 
(on Debian systems)
$ sudo paxctl -c /usr/lib/iceweasel/iceweasel
$ sudo paxctl -m /usr/lib/iceweasel/iceweasel
$ sudo paxctl -c /usr/lib/iceweasel/plugin-container
$ sudo paxctl -m /usr/lib/iceweasel/plugin-container
    
(on other Linux systems)
$ sudo paxctl -c /usr/lib/firefox/firefox
$ sudo paxctl -m /usr/lib/firefox/firefox
$ sudo paxctl -c /usr/lib/firefox/plugin-container
$ sudo paxctl -m /usr/lib/firefox/plugin-container