grsecurity 3.0 for Debian
There’s a new grsecurity-enabled kernel for our beloved Debian stable 7 (wheezy) that is ready to be installed!
In my repositories you can find grsecurity version 3.0-201404131252 applied to the stable Linux kernel release 3.2.57.
There are a couple of noteworthy changes:
– CONFIG_SECCOMP_FILTER: enables tasks to build secure computing environments defined in terms of Berkeley Packet Filter programs which implement task-defined system call filtering policies;
– CONFIG_GRKERNSEC_HARDEN_IPC: access to overly-permissive IPC objects (shared memory, message queues, and semaphores) is denied for processes that meet the following criteria beyond normal permission checks: the IPC object is world-accessible and the euid / egid doesn’t match that of the creator or current uid / gid for the IPC object.
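An added example (not from the original post or the grsecurity project): a pre-upgrade audit that parses a /proc/sysvipc table and lists the objects a given euid reaches only through world permission bits, which is the access CONFIG_GRKERNSEC_HARDEN_IPC starts refusing. It models only the world-accessible/euid part of the criterion above; the sample table is constructed and the function names are hypothetical.

```python
#!/usr/bin/env python3
# Added example, not grsecurity code: models the HARDEN_IPC criterion as the
# post describes it (world-accessible object, euid is neither owner nor creator).
import sys

# Constructed sample in the layout of /proc/sysvipc/shm (perms column is octal).
SAMPLE = """\
       key      shmid perms       size  cpid  lpid nattch   uid   gid  cuid  cgid      atime      dtime      ctime        rss       swap
         0      32768  1600     393216  2100  2301      2  1000  1000  1000  1000 1397400000 1397400100 1397390000     393216          0
  16781325      65537   666      65536   812  3120      3    33    33    33    33 1397400200          0 1397380000      65536          0
  16781326      98306   660       4096   812   812      1    33    33     0     0 1397400300          0 1397380000       4096          0
"""


def parse_sysvipc(text):
    """Parse a /proc/sysvipc/{shm,msg,sem} table into dicts keyed by column name."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    cols = lines[0].split()
    rows = []
    for ln in lines[1:]:
        row = dict(zip(cols, ln.split()))
        row["id"] = int(row[cols[1]])        # second column: shmid / msqid / semid
        row["perms"] = int(row["perms"], 8)  # the kernel prints the mode in octal
        for c in ("uid", "cuid"):
            row[c] = int(row[c])
        rows.append(row)
    return rows


def would_deny(row, euid):
    """True if the modelled check would refuse this euid access to the object."""
    world = bool(row["perms"] & 0o007)
    return world and euid not in (row["uid"], row["cuid"])


def audit(text, euid):
    """Return (id, octal perms, owner uid, creator uid) for each affected object."""
    return [(r["id"], format(r["perms"] & 0o777, "03o"), r["uid"], r["cuid"])
            for r in parse_sysvipc(text) if would_deny(r, euid)]


if __name__ == "__main__":
    # Usage: script.py [EUID] [/proc/sysvipc/shm]; defaults to the sample table.
    euid = int(sys.argv[1]) if len(sys.argv) > 1 else 1000
    text = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE
    for ipc_id, perms, uid, cuid in audit(text, euid):
        print("id=%d perms=%s owner=%d creator=%d: euid %d loses access"
              % (ipc_id, perms, uid, cuid, euid))
```

Run it on the current kernel with the euid of each service that shares IPC objects; any object it lists needs tighter permissions or a matching owner before the new kernel is booted.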
I only had an issue with vsftpd (a modified FTP server integrating a clamav patch which really needs some improvement… anyone?) due to the seccomp filter and I had to disable it in the vsftpd configuration file.
A comparison with the previous kernel configuration can be viewed in the websvn section.
Along with the new kernel there’s also a new version of gradm, the userland tool, updated to 3.0-201401291757.
Gradm has been updated from version 2 to version 3, so you have to uninstall the previous version before installing the new one.
If you have already configured my wheezy repository then type these commands:
apt-get update
apt-get install linux-image-3.2.57.1-grsec gradm3
If you don’t want to use the regular repository, just manually download the packages you need.
Please feel free to report any issue or let me know if everything went smoothly.