planet echoes

May 21, 2015

Corsac.net − Echoes

Followup on Debian grsec kernels for Jessie

So, following the previous post, I've indeed updated the way I'm making my grsec kernels.

I wanted to upgrade my server to Jessie, and didn't want to keep the 3.2 kernel indefinitely, so I had to update to at least 3.14, and find something to make my life (and maybe some others) easier.

In the end, like planned, I've switched to the make deb-pkg way, using some scripts here and there to simplify stuff.

The scripts and configs can be found in my debian-grsec-config repository. The repository layout is pretty much self-explaining:

The bin/ folder contains two scripts:

  • get-grsec.sh, which picks the latest grsec patch (for each branch) and applies it to the correct Linux branch. This script should be run from a git clone of the linux-stable git repository;
  • kconfig.py is taken from the src:linux Debian package, and can be used to merge multiple KConfig files.

The configs/ folder contains the various configuration bits:

  • config-* files are the Debian configuration files, taken from the linux-image binary packages (for amd64 and i386);
  • grsec* are the grsecurity-specific bits (obviously);
  • hardening* contain non-grsec stuff still useful for hardened kernels, for example KASLR (cargo-culting notwithstanding) or strong SSP (available since I'm building the kernels on a sid box, YMMV).

I'm currently building amd64 kernels for Jessie and i386 kernels will follow soon, using config-3.14 + hardening + grsec. I'm hosting them on my apt repository. You're obviously free to use them, but considering how easy it is to rebuild a kernel, you might want to use a personal configuration (instead of mine) and rebuild the kernel yourself, so you don't have to trust my binary packages.

Here's a very quick howto (adapt it to your needs):

mkdir linux-grsec && cd linux-grsec
git clone git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git
git clone git://anonscm.debian.org/users/corsac/grsec/debian-grsec-config.git
mkdir build
cd linux-stable
../debian-grsec-config/bin/get-grsec.sh stable2 # for 3.14 branch
../debian-grsec-config/bin/kconfig.py ../build/.config ../debian-grsec-config/configs/config-3.14-2-amd64 ../debian-grsec-config/configs/hardening ../debian-grsec-config/configs/grsec
make KBUILD_OUTPUT=../build -j4 oldconfig
make KBUILD_OUTPUT=../build -j4 deb-pkg

Then you can use the generated Debian binary packages. If you use the Debian config, it'll need a lot of disk space for compilation and generate a huge linux-image debug package, so you might want to unset CONFIG_DEBUG_INFO locally if you're not interested. Right now only the deb files are generated, but I've submitted a patch to have a .changes file which can then be used to manipulate them more easily (for example for uploading them to a local Debian repository).
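As an added example (not code from the post or from the debian-grsec-config repository), here is a small sanity check to run on the merged .config before the deb-pkg step: it verifies that the grsecurity and hardening options the post relies on are actually enabled after the merge, and flags CONFIG_DEBUG_INFO because of the debug-package size issue described above. Option names are assumed from upstream and grsecurity Kconfig naming, and the demo .config is constructed.

```shell
#!/bin/sh
# Added example (not the post's or the debian-grsec-config repository's code).
# Sanity-checks a merged kernel .config before "make deb-pkg": the grsecurity
# and hardening options discussed above must be enabled, and CONFIG_DEBUG_INFO
# is reported because leaving it on yields the huge linux-image debug package
# mentioned in the post. Option names are assumed from upstream and
# grsecurity Kconfig naming; the .config used in the demo is constructed.

# config_value FILE OPTION: prints the value, "n" if explicitly unset, "" if absent
config_value() {
    cf=$1; co=$2
    if grep -q "^# ${co} is not set\$" "$cf"; then
        echo n
    else
        sed -n "s/^${co}=//p" "$cf" | head -n 1
    fi
}

# check_hardened_config FILE: returns 0 if every required option is "y",
# 1 otherwise; prints one line per finding
check_hardened_config() {
    file=$1; rc=0
    for opt in CONFIG_GRKERNSEC CONFIG_PAX CONFIG_RANDOMIZE_BASE \
               CONFIG_CC_STACKPROTECTOR_STRONG; do
        v=$(config_value "$file" "$opt")
        if [ "$v" = y ]; then
            echo "ok   $opt=y"
        else
            echo "MISS $opt (got '${v:-absent}')"; rc=1
        fi
    done
    if [ "$(config_value "$file" CONFIG_DEBUG_INFO)" = y ]; then
        echo "note CONFIG_DEBUG_INFO=y: expect a large build tree and a big debug package"
    fi
    return $rc
}

# Demo on a constructed .config fragment (not a real merged configuration)
demo_config=$(mktemp)
cat > "$demo_config" <<'EOF'
CONFIG_GRKERNSEC=y
CONFIG_PAX=y
CONFIG_RANDOMIZE_BASE=y
# CONFIG_CC_STACKPROTECTOR_STRONG is not set
CONFIG_DEBUG_INFO=y
EOF
check_hardened_config "$demo_config" || echo "config needs attention before building"
rm -f "$demo_config"
```

Run it against ../build/.config right after the kconfig.py merge and before make oldconfig, so a silently dropped option is caught before the (long) build.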

Note that, obviously, this is not targeted for inclusion to the official Debian archive. This is still not possible for various reasons explained here and there, and I still don't have a solution for that.

I hope this (either the scripts and config or the generated binary packages) can be useful. Don't hesitate to drop me a mail if needed.

by Yves-Alexis (corsac@debian.org) at May 21, 2015 08:36 PM

May 09, 2015

Corsac.net − Echoes

Xfce 4.12 in Debian sid

So, following the Jessie release, and after a quick approval by the release team for the 4.12 transition, we've uploaded Xfce 4.12 to sid and have asked the RT to schedule the relevant binNMUs for the libxfce4util and xfce4-panel reverse dependencies.

It went apparently well (besides some hiccups here and there, like some lag on sparc, and some build failures on hurd). So Xfce 4.12 is now in sid, and should migrate to Stretch in the following weeks, provided nothing release critical is found.

by Yves-Alexis (corsac@debian.org) at May 09, 2015 07:05 PM

March 30, 2015

Corsac.net − Echoes

3.2.68 Debian/grsec kernel and update on the process

It's been a long time since I updated my repository with a recent kernel version, sorry for that. This is now done, the kernel (sources, i386 and amd64) is based on the (yet unreleased) 3.2.68-1 Debian kernel, patched with grsecurity 3.1-3.2.68-201503251805, and has the version 3.2.68-1~grsec1.

It works fine here, but as always, no warranty. If any problem occurs, try to reproduce using vanilla 3.2.68 + grsec patch before reporting here.

And now that the Jessie release approaches, the question of what to do with those Debian/grsec kernels still arises: the Jessie kernel is based on the 3.16 branch, which is not a (kernel.org) long term branch. Actually, the support already ended some time ago, and the (long term) maintenance is now assured by the Canonical Kernel Team (thus the -ckt suffix) with some help from the Debian kernel maintainers. So there's no Grsecurity patch following 3.16, and there's no easy way to forward-port the 3.14 patches.

At that point, and considering the support I got the last few years on this initiative, I don't think it's really worth it to continue providing those kernels.

One initiative which might be interesting, though, is the Mempo kernels. The Mempo team works on kernel reproducible builds, but they also include the grsecurity patch. Unfortunately, it seems that building the kernel their way involves calling a bash script which calls another one, and another one. A quick look at the various repositories is only enough to confuse me about how they actually build the kernel, in the end, so I'm unsure it's the perfect fit for a supposedly secure kernel. Not that the Debian way of building the kernel doesn't involve calling a lot of scripts (either bash or python), but still. After digging a bit, it seems that they're using make-kpkg (from the kernel-package package), which is not the recommended way anymore. Also, they're currently targeting Wheezy, so the 3.2 kernel, and I have no idea what they'll choose for Jessie.

In the end, for myself, I might just do a quick script which takes a git repository at the right version, picks the latest grsec patch for that branch, applies it, then runs make deb-pkg and be done with it. That still leaves the problem of which branch to follow:

  • run a 3.14 kernel instead of the 3.16 (I'm unsure how much I'd lose / not gain from going from 3.2 to 3.14 instead of 3.16);
  • run a 3.19 kernel, then upgrade when it's time, until a new LTS branch appears.

There's also the config file question, but if I'm just using the kernels for myself and not sharing them, it's also easier, although if some people are actually interested it's not hard to publish them.

by Yves-Alexis (corsac@debian.org) at March 30, 2015 08:27 PM

March 25, 2015

Corsac.net − Echoes

LXCs upgrade to Jessie

So I started migrating some of my LXCs to Jessie, to test the migration in advance. The upgrade itself was easy (the LXC is mostly empty and only runs radicale), but after the upgrade I couldn't login anymore (using lxc-console since I don't have lxc-attach, the host is on Wheezy). So this is mostly a note to self.

auth.log was showing:

Mar 25 22:10:13 lxc-sync login[1033]: pam_loginuid(login:session): Cannot open /proc/self/loginuid: Read-only file system
Mar 25 22:10:13 lxc-sync login[1033]: pam_loginuid(login:session): set_loginuid failed
Mar 25 22:10:13 lxc-sync login[1033]: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
Mar 25 22:10:13 lxc-sync login[1033]: Cannot make/remove an entry for the specified session

The last message isn't too useful, but the first one gave the answer. Since LXC isn't really ready for security stuff, I have some hardening on top of that, and one measure is to not have rw access to /proc. I don't really need pam_loginuid there, so I just disabled that. I just need to remember to do that after each LXC upgrade.
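An added example (not from the post) of turning the note-to-self above into a check that can be re-run after each LXC upgrade: it detects the pam_loginuid failure on a read-only /proc from the auth.log lines shown above and lists which PAM service files still load pam_loginuid.so. The log lines in the demo are constructed after the post's excerpt, and the /etc/pam.d layout is the Debian one.

```shell
#!/bin/sh
# Added example, not from the post. Checks an LXC guest for the failure shown
# in the auth.log excerpt above: pam_loginuid needs to write
# /proc/self/loginuid, a read-only /proc forbids it, and login then fails.
# Assumes Debian's PAM layout (/etc/pam.d); the demo log lines are constructed.

# loginuid_failures LOGFILE: prints the pam_loginuid lines that hit a read-only /proc
loginuid_failures() {
    grep 'pam_loginuid(.*): Cannot open /proc/self/loginuid: Read-only file system' "$1"
}

# pam_files_using_loginuid PAMDIR: lists PAM service files still loading
# pam_loginuid.so (lines already commented out with '#' are skipped)
pam_files_using_loginuid() {
    grep -l '^[^#]*pam_loginuid\.so' "$1"/* 2>/dev/null
}

# loginuid_writable: returns 0 if /proc/self/loginuid can be written, 1 otherwise
# (false inside a container whose /proc is mounted read-only)
loginuid_writable() {
    [ -w /proc/self/loginuid ]
}

# Demo on constructed log lines (modelled on the post's excerpt, not a real log)
demo_log=$(mktemp)
cat > "$demo_log" <<'EOF'
Mar 25 22:10:13 lxc-sync login[1033]: pam_loginuid(login:session): Cannot open /proc/self/loginuid: Read-only file system
Mar 25 22:10:13 lxc-sync login[1033]: pam_loginuid(login:session): set_loginuid failed
Mar 25 22:10:13 lxc-sync login[1033]: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
EOF
if loginuid_failures "$demo_log" >/dev/null; then
    echo "pam_loginuid is failing on a read-only /proc; PAM services still using it:"
    pam_files_using_loginuid /etc/pam.d
fi
rm -f "$demo_log"
```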

Other than that, I have to boot using SystemV init, since apparently systemd doesn't cope too well with the various restrictions I enforce on my LXCs:

lxc-start -n sync
Failed to mount sysfs at /sys: Operation not permitted

(which is expected, since I drop CAP_SYS_ADMIN from my LXCs). I didn't yet investigate how to stop systemd doing that, so for now I'm falling back to SystemV init until I find the correct customization:

lxc-start -n sync /lib/sysvinit/init
INIT: version 2.88 booting
[info] Using makefile-style concurrent boot in runlevel S.
hostname: you must be root to change the host name
mount: permission denied
mount: permission denied
[FAIL] udev requires a mounted sysfs, not started ... failed!
 failed!
mount: permission denied
[info] Setting the system clock.
hwclock: Cannot access the Hardware Clock via any known method.
hwclock: Use the --debug option to see the details of our search for an access method.
[warn] Unable to set System Clock to: Wed Mar 25 21:21:43 UTC 2015 ... (warning).
[ ok ] Activating swap...done.
mount: permission denied
mount: permission denied
mount: permission denied
mount: permission denied
[ ok ] Activating lvm and md swap...done.
[....] Checking file systems...fsck from util-linux 2.25.2
done.
[ ok ] Cleaning up temporary files... /tmp.
[ ok ] Mounting local filesystems...done.
[ ok ] Activating swapfile swap...done.
mount: permission denied
mount: permission denied
[ ok ] Cleaning up temporary files....
[ ok ] Setting kernel variables ...done.
[....] Configuring network interfaces...RTNETLINK answers: Operation not permitted
Failed to bring up lo.
done.
[ ok ] Cleaning up temporary files....
[FAIL] startpar: service(s) returned failure: hostname.sh udev ... failed!
INIT: Entering runlevel: 2
[info] Using makefile-style concurrent boot in runlevel 2.
dmesg: read kernel buffer failed: Operation not permitted
[ ok ] Starting Radicale CalDAV server : radicale.
Yes, there are a lot of errors, but they seem to be handled just fine.

by Yves-Alexis (corsac@debian.org) at March 25, 2015 09:26 PM

March 14, 2015

Corsac.net − Echoes

ThinkPad X250

So, I also got myself a new toy. My current ThinkPad is a bit ancient, but still sturdy. It's an X201s from 2010 (bought refurbished), and it's still working pretty fine, but eh, I couldn't resist.

The X230 was nice, but didn't have a large resolution screen (1366×768). The X240 brought a full HD (1920×1080) IPS screen, but lost the hardware trackpoint buttons. Finally, the X250 brings back the buttons, and still has a nice screen (not qHD or some other trendy resolution, but still FHD and IPS). And on top of that, it comes with Broadwell, so that means I get SMAP.

It runs mostly fine out of the box on Debian sid, but for full support some tuning is needed. I've set up a page with more information on the laptop, and some images can be found over there.

by Yves-Alexis (corsac@debian.org) at March 14, 2015 03:59 PM

January 19, 2015

Satanic Kitten

The Human Bomb

This morning,
Le Loukoum wakes up
comes down the slide
goes and sits on the couch
next to his father, who was giving his little brother his bottle
without a word, wearing his bad-day face
and then
He suddenly starts crying really loudly
DADDY STOP LOOKING AT MEEEEEEE
DADDY DON'T LOOK AT MEEEEEEE
And his father says to me, with eyes as big as saucers
But I didn't do anything!! I didn't even look at him!
It lasted ten minutes, so I picked him up under my arm and put him in his room
telling him, you come back down when you've calmed down
He screamed in his room for 20 minutes
BUUUUUT I AM CAAAAAALM
I AM CAAAAAALM MUMMYYYYYY
And after a while
silence
the sound of a door
little footsteps
and Le Loukoum appears, red
his face puffy with tears
"Can I have my bottle? I'm too tired now"

Everything's fine.
Everything's normal.

by Saki at January 19, 2015 04:12 PM

January 03, 2015

Corsac.net − Echoes

Blues Bar-b-q

So, tested and approved: the Blues Bar-b-q, in the 11th arrondissement (Métro Bréguet Sabin). A small Texan restaurant, run by a Texan woman (so speaking English feels a lot more natural).

The usual suspects of Southern US cooking: cornbread, bbq beef brisket, ribs, plus a few discoveries (the Outlaw Chili Cheese Fries). A killer barbecue sauce, a super-tender beef brisket. Not forgetting the desserts: their cheesecake is the densest I know (except maybe Marie's) and the southern pecan pie is great too.

Finally, lovely staff, from the owner to the cook to the waitress (whose first day it was). And music from over there too, to go with the meal. In short, nothing but good, go there.

by Corsac (corsac@corsac.net) at January 03, 2015 08:52 PM

September 29, 2014

Corsac.net − Echoes

Thanks

So, sometimes, you had a somehow rough day, it's raining and you're tired.

And then, in your mailbox, out of the blue, there's a “thank you” mail.

That really enlightens the day…

by Corsac (corsac@corsac.net) at September 29, 2014 07:16 PM

August 28, 2014

Satanic Kitten

Neighbourhood life

The squatters come with an optional neighbour from the end of the street, who comes to complain about said squatters every evening at the same time for an hour.
Normally, given my dear husband's sociability, I'm the one who deals with her, but tonight I didn't have the courage.
From what I hear, she caught leukaemia germs because of them, and they eat cats.

by Saki at August 28, 2014 05:18 PM

August 27, 2014

Satanic Kitten

Still live from Le Loukoum

The child has been completely silent for 5 minutes.
Every parent knows that silence heralds disaster; these days it means he's had another accident in his pants and is hiding, leaving me the double pleasure of looking for him - he leaves me clues on the floor, if you see what I mean - and of locating the scene of the crime - often at the opposite end from his hiding place; his help is - forgive the very apt pun - crap; when asked where, he answers over there, which can mean either the next room or the moon.
But this time, he hasn't had an accident in his pants.
No.
I find him stark naked in the bathroom with my make-up drawer turned upside down.
"Look Mummy", he says with a big smile, "I'm putting make-up on my willy."

by Saki at August 27, 2014 09:43 AM

August 25, 2014

Satanic Kitten

Live from Le Loukoum

When the child throws a tantrum to go and play ball outside,
and you tell him no, opening the French window to show him it's pouring with rain,
and he strips naked, arguing that he'll take his shower at the same time, then.

by Saki at August 25, 2014 04:15 PM

August 24, 2014

Satanic Kitten

Na

At lunch today, Number One & Number Two treated themselves to twenty minutes of uncontrollable hysterical giggles upon learning that potato in Spanish is patata.
And the worst part is that it was contagious.

by Saki at August 24, 2014 11:28 AM

August 21, 2014

Satanic Kitten

And on top of that, the waiting room is tiny

Day 2 - Waiting room.
Watching a mum struggle to manage her 3 little ones.
Rejoicing at having managed to palm all of mine off on the nicest of babysitters.
Going back to my book, with a little sigh of pleasure.

by Saki at August 21, 2014 03:46 PM

Meanwhile

Day 2 - So far so good.
Number One & Two are watching a cartoon - yes, throw stones at me - and Number Three has miraculously fallen asleep after his morning bottle.
I can drink my coffee in front of my computer, savouring this moment of peace.
And I'm waiting for the karmic backlash.

by Saki at August 21, 2014 07:33 AM

August 20, 2014

Satanic Kitten

It's going to hit the fan

Back home, I'm facing two weeks alone with the children during the day.
Their father, cunning, has gone back to work.
After almost one day, I feel like going back to work early.
And yet I'm cheating: I've found babysitters so I can handle the appointments of some without dragging the others along...
But today, just when I thought I had potty training under control, Number Two - who is supposed to start school in two weeks - had six accidents.
SIX.
And yet I've become an expert at recognising his tell-tale expressions...
I grab him under the arms and sprint to the nearest toilet.
But I strongly doubt his future teacher will use this great technique.

by Saki at August 20, 2014 01:31 PM

August 14, 2014

Satanic Kitten

Argument

Ending up as the designated babysitter by default because "Well, 3 of that bunch are yours!"
That's also the joy of family holidays.

by Saki at August 14, 2014 09:33 AM

June 29, 2014

Satanic Kitten

Naked

Doing the Naked Dance to Another One Bites the Dust in the bathroom makes up for all the sleepless nights.
Or almost.

by Saki at June 29, 2014 07:42 AM