[OpenWrt-Devel] OpenWRT and grsecurity experiments and ponderings

Andrew McDonnell bugs at andrewmcdonnell.net
Fri Dec 5 08:08:37 EST 2014


Hi all

Noticing that CC may be coming at some point, and whilst recently taking the 
latest trunk for a spin, I noticed that the kernel 3.14.25 matched the 
current grsecurity patch (which is in long term support against 3.14) so I 
thought I'd see what it would take to apply it to OpenWRT.

It turned out to be easier than I'd hoped - although I've only tested it 
against ar71xx and the carambola2 specifically.

The best way turned out to be to apply it after all the openwrt patches, then 
I had to fix about four rejects and some quirks introduced by other OpenWRT 
patches, the biggest challenge being something that OpenWRT does for MIPS in 
the module loading code needing to be fixed to work with grsec changes. The 
other main one is that compat wireless ath9k driver uses a macro that needs to 
be changed for grsec. Thereafter I was able to get my board to run with a 
-grsec kernel with the following caveats:

* because OpenWRT turns off kernel MODVERSIONs, grsecurity requires RANDSTRUCT 
turned off

* my particular config uncovered that openssl doesn't build with NX for mips 
and programs using libcrypto.so were actually intercepted by grsec! So I had to fix 
that by adding a gnu-stack patch to several assembler-(generating) files

So far I have managed to test the following features of grsec with success:

* mount auditing
* time change auditing
* NX protection on MIPS (which doesn't have h/w support on my SOC)

I'll end up pushing my modified OpenWRT build to github soonish

This did the job for me, but I figured it was worth sharing as the buzzword 
"Internet of Things" looms large and openwrt is increasing adoption on 
products such as the vocore and wrtnode...

I wonder what people feel the priority might be to get this tidied up and 
integrated into the main openwrt - or would it be infeasible to properly test 
and support?
Noting that there will likely be other packages that I don't currently use that 
could need NX fixing on MIPS for starters, so wider implementation would 
depend on the priorities of other users of different packages.

There is also the risk that mixing the openwrt package suite with grsec may 
introduce inadvertent security holes - my changes "seem" OK but I haven't yet 
done the deep research to know for sure. This can be mitigated by making a 
GRSEC config option optional with a big warning in menuconfig for those who 
want to do their own diligence. Perhaps the option in the config would also 
only be enabled for a limited subset of boards where people have made the 
effort to patch & test, as an 'experimental' feature.



ar7240> bootm
## Booting image at 83000000 ...
    Image Name:   MIPS OpenWrt Linux-3.14.25
    Created:      2014-12-04  13:48:17 UTC
    Image Type:   MIPS Linux Kernel Image (lzma compressed)
    Data Size:    4796179 Bytes =  4.6 MB
    Load Address: 80060000
    Entry Point:  80060000
    Verifying Checksum at 0x83000040 ...OK
    Uncompressing Kernel Image ... OK

Starting kernel ...

[    0.000000] Linux version 3.14.25-grsec (andrew at atlantis4) (gcc version 
4.8.3 (OpenWrt/Linaro GCC 4.8-2014.04 r43488) ) #6 Fri Dec 5 00:17:55 ACDT 2014
[    0.000000] bootconsole [early0] enabled
[    0.000000] CPU0 revision is: 00019374 (MIPS 24Kc)
[    0.000000] SoC: Atheros AR9330 rev 1
...
[   21.562499] grsec: mount of devpts to /dev/pts by /sbin/procd[procd:1] 
uid/euid:0/0 gid/egid:0/0, parent /[swapper:0] uid/euid:0/0 gid/egid:0/0
...
[   26.583332] grsec: time set by /bin/busybox[date:665] uid/euid:0/0 
gid/egid:0/0, parent /etc/init.d/system[S10system:660] uid/euid:0/0 gid/egid:0/0
...
root at OpenWrt:/sbin# opkg search /wbin/wget2nand
[  306.541661] grsec: denied marking stack executable as requested by 
PT_GNU_STACK marking in /usr/lib/libcrypto.so.1.0.0 by /bin/opkg[opkg:1040] 
uid/euid:0/0 gid/egid:0/0, parent /bin/bus0


--A

-- 
http://blog.oldcomputerjunk.net
https://au.linkedin.com/in/amcdonnell
https://launchpad.net/~andymc73
https://github.com/andymc73
Twitter: @pastcompute
GPG: http://www.andrewmcdonnell.net/gpg.html
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
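The libcrypto.so denial in the log above comes from a PT_GNU_STACK program header asking for an executable stack, which is what GNU ld emits when any object linked in (here OpenSSL's generated assembler files) lacks a .note.GNU-stack section. The following is an added example, not code from the post or from OpenWrt, of how to audit a built rootfs for that condition before grsec does it for you at run time. It is a small ELF program-header parser with a directory walker; the sample ELF images it checks are constructed inline and are not real OpenWrt binaries, and the function and constant names are the example's own.

```python
"""Audit ELF files for executable-stack (PT_GNU_STACK) markings.

Added example (not part of the mailing-list post).  Parses the ELF program
headers of a file and reports whether it carries a PT_GNU_STACK entry and
whether that entry requests an executable stack, the condition grsecurity
logged as "denied marking stack executable" for libcrypto.so.
"""
import os
import struct

PT_GNU_STACK = 0x6474E551          # program header type for the stack marking
PF_X, PF_W, PF_R = 1, 2, 4         # p_flags permission bits
PT_LOAD = 1
EM_MIPS = 8


def _layout(data):
    """Return (struct endian prefix, ELF class) from e_ident, checking the magic."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("unsupported ELF class/encoding")
    return ("<" if ei_data == 1 else ">"), ei_class


def program_headers(data):
    """Yield (p_type, p_flags) for every program header in the image (ELF32 or ELF64)."""
    end, cls = _layout(data)
    if cls == 1:  # ELF32: e_phoff at offset 28, e_phentsize/e_phnum at 42/44
        phoff, = struct.unpack_from(end + "I", data, 28)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 42)
    else:         # ELF64: e_phoff at offset 32, e_phentsize/e_phnum at 54/56
        phoff, = struct.unpack_from(end + "Q", data, 32)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 54)
    for i in range(phnum):
        off = phoff + i * phentsize
        if cls == 1:  # Elf32_Phdr: p_type at 0, p_flags at 24
            p_type, = struct.unpack_from(end + "I", data, off)
            p_flags, = struct.unpack_from(end + "I", data, off + 24)
        else:         # Elf64_Phdr: p_type at 0, p_flags at 4
            p_type, p_flags = struct.unpack_from(end + "II", data, off)
        yield p_type, p_flags


def gnu_stack_status(data):
    """Classify an ELF image's stack marking.

    "executable"     PT_GNU_STACK present with PF_X (RWE): what GNU ld produces
                     when an input object has no .note.GNU-stack section, and
                     what grsec refused for libcrypto.so
    "non-executable" PT_GNU_STACK present without PF_X (RW): the wanted state
    "missing"        no PT_GNU_STACK at all; the kernel then applies its
                     architecture default, which is executable on many targets
    """
    for p_type, p_flags in program_headers(data):
        if p_type == PT_GNU_STACK:
            return "executable" if p_flags & PF_X else "non-executable"
    return "missing"


def audit_tree(root):
    """Walk a rootfs and return [(path, status)] for files that need attention."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
                if data[:4] != b"\x7fELF":
                    continue
                status = gnu_stack_status(data)
            except (OSError, ValueError, struct.error):
                continue  # unreadable, truncated or non-ELF: not this tool's concern
            if status != "non-executable":
                findings.append((path, status))
    return findings


def build_elf32(phdr_list, big_endian=True, machine=EM_MIPS):
    """Construct a minimal ELF32 image with the given [(p_type, p_flags), ...].

    Constructed test input only: just the fields the parser reads are
    meaningful, and the image is not loadable.
    """
    end = ">" if big_endian else "<"
    ehsize, phentsize = 52, 32
    ident = b"\x7fELF" + bytes([1, 2 if big_endian else 1, 1, 0, 0]) + b"\0" * 7
    header = ident + struct.pack(end + "HHIIIIIHHHHHH", 3, machine, 1, 0, ehsize,
                                 0, 0, ehsize, phentsize, len(phdr_list), 0, 0, 0)
    body = b"".join(struct.pack(end + "IIIIIIII", t, 0, 0, 0, 0, 0, f, 16)
                    for t, f in phdr_list)
    return header + body


# Constructed samples (not real binaries): the shape grsec objected to, the
# shape produced once every assembler source carries .note.GNU-stack, and a
# binary with no marking at all.
SAMPLE_RWE = build_elf32([(PT_LOAD, PF_R | PF_X), (PT_GNU_STACK, PF_R | PF_W | PF_X)])
SAMPLE_RW = build_elf32([(PT_LOAD, PF_R | PF_X), (PT_GNU_STACK, PF_R | PF_W)])
SAMPLE_NO_NOTE = build_elf32([(PT_LOAD, PF_R | PF_X)])

if __name__ == "__main__":
    import sys
    for path, status in audit_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{status:15} {path}")
```

Run it against the staging rootfs of a build (for example `python3 audit_stack.py build_dir/target-*/root-ar71xx`, path assumed) and every file it lists is a candidate for the same gnu-stack treatment OpenSSL needed; the equivalent manual check on a single file is `readelf -lW file | grep GNU_STACK`, where an `RWE` flags column is the problem case.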