grsecurity 3.0 for Debian

There’s a new grsecurity enabled kernel for our beloved debian stable 7 (wheezy) that is ready to be installed!
In my repositories you can find grsecurity version 3.0-201404131252 applied to the stable linux kernel release 3.2.57.
There are a couple of noteworthy changes:
CONFIG_SECCOMP_FILTER: enables tasks to build secure computing environments defined in terms of Berkeley Packet Filter programs which implement task-defined system call filtering polices;
CONFIG_GRKERNSEC_HARDEN_IPC: disallow access to overly-permissive IPC objects (shared memory, message queues, and semaphores) will be denied for processes given the following criteria beyond normal permission checks: if the IPC object is world-accessible and the euid / egid doesn’t match that of the creator or current uid /gid for the IPC object.
I only had an issue with vsftpd (a modified FTP server integrating a clamav patch which really needs some improvement… anyone?) due to the seccomp filter and I had to disable it in the vsftpd configuration file.
A comparison with the previous kernel configuration can be viewed in the websvn section.
Along with the new kernel there’s also a new version of gradm, the userland tool, updated to 3.0-201401291757.
Gradm has been updated from version 2 to version 3 so you have to uninstall the previous version before installing the new one.
If you have already configured my wheezy repository then type these commands:

apt-get update
apt-get install linux-image- gradm3

If you don’t want to use the regular repository just download manually the packages you need.
Please feel free to report any issue or let me know if everything went smoothly.

This entry was posted on Wednesday, April 16th, 2014 at 8:16 AM and is filed under stuff.

You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.

Comments are closed.