Tue 18 Apr 2017 08:48:40 PM -03

grsecurity

Basic install:

sudo apt-get -t jessie-backports install linux-image-4.9.0-2-grsec-amd64 linux-image-grsec-amd64
sudo apt-get install paxtest
sudo usermod -aG grsec-tpe `whoami`

As root:

echo "kernel.grsecurity.rwxmap_logging = 0" > /etc/sysctl.d/kernel.grsecurity.rwxmap_logging.conf 
echo "kernel.grsecurity.grsec_lock = 1"     > /etc/sysctl.d/kernel.grsecurity.grsec_lock.conf

As regular user, after reboot:

sudo paxctl -cm /usr/bin/git-annex
sudo paxctl -cm /usr/bin/qemu-img
sudo paxctl -cm /usr/bin/qemu-system-x86_64
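
A check for the two /etc/sysctl.d files written in the "As root" step, added here as an example and not part of the original notes. Once grsec_lock is 1 the other grsecurity sysctls cannot be changed until reboot, and sysctl.d(5) documents lexicographic filename order, under which the lock file above sorts before the rwxmap_logging one. The function name grsec_lock_order and the temp-dir demo are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original notes): list kernel.grsecurity.* keys
# that are read after "kernel.grsecurity.grsec_lock = 1" when *.conf files are
# taken in lexicographic filename order, as sysctl.d(5) documents.
# Assumption: a single directory is scanned; real loaders merge several.

# Usage: grsec_lock_order DIR
# Prints "file: key" per late setting. Status 1 if any were found, else 0.
grsec_lock_order() (
    LC_ALL=C; export LC_ALL          # byte-wise glob order
    cd "$1" || exit 2
    set -- ./*.conf                  # "./" keeps awk from parsing names as options
    [ -e "$1" ] || exit 0            # no .conf files at all
    awk '
        /^[ \t]*([#;]|$)/ { next }   # comments and blank lines
        {
            n = index($0, "=")
            if (n == 0) next
            key = substr($0, 1, n - 1); val = substr($0, n + 1)
            gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
            if (key !~ /^kernel\.grsecurity\./) next
            if (locked) {
                f = FILENAME; sub(/^\.\//, "", f)
                print f ": " key; bad = 1
            } else if (key == "kernel.grsecurity.grsec_lock" && val == "1") {
                locked = 1
            }
        }
        END { exit bad + 0 }
    ' "$@"
)

# Constructed demo input: the two file names used in the notes, in a temp dir.
demo=$(mktemp -d)
echo "kernel.grsecurity.rwxmap_logging = 0" > "$demo/kernel.grsecurity.rwxmap_logging.conf"
echo "kernel.grsecurity.grsec_lock = 1"     > "$demo/kernel.grsecurity.grsec_lock.conf"
grsec_lock_order "$demo" || echo "^ read after the lock is set"
rm -rf "$demo"
```

Run it against /etc/sysctl.d before rebooting; an empty result means no grsecurity key is read after the lock in that directory.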

Further research

LXC unprivileged containers for GUI applications:

References

  • https://micahflee.com/2016/01/debian-grsecurity/
  • https://nixaid.com/grsec-in-docker/
  • https://hardenedlinux.github.io/
  • https://packages.debian.org/stretch/bubblewrap
  • https://packages.debian.org/stretch/runc
  • https://github.com/projectatomic/bubblewrap
  • https://github.com/opencontainers/runc
  • https://github.com/thestinger/playpen
  • https://github.com/omegaup/minijail