---
In the first place, for the less advanced: virt-install, which I attempt to use below, is part of an incomplete deployment of the virt-manager package on my Gentoo machine (incomplete because my system is a no-systemd and also no-dbus system, and some functionality, most notably the GUI, does not get installed).
The last attempt, complete stdout:
( Devuan_AndrewM_161110_1645_stdout )
$ kvm_Devuan_AndrewM.sh
virt-install --virt-type kvm --os-variant=debianwheezy --name=devuan-by-andrewm --cpu=host --vcpus=2 --memory 2048 --disk path=/Cmn/kvm/images/devuan-by-andrewm--disk0 --cdrom ~/devuan_jessie_1.0.0-beta_amd64_CD.iso --graphics none --network bridge=br0 --boot kernel=/mnt/cdrom/install.amd/vmlinuz,initrd=/mnt/cdrom/install.amd/initrd.gz,kernel_args='console=ttyS0'
ERROR Error: --network bridge=br0: [Errno 13] Permission denied: '/proc/net/route'
$
and syslog:
( Devuan_AndrewM_161110_1645_messages )
Nov 10 16:44:58 g0n kernel: [1223278.318467] grsec: exec of /usr/local/bin/kvm_Devuan_AndrewM.sh (kvm_Devuan_AndrewM.sh ) by /usr/local/bin/kvm_Devuan_AndrewM.sh[bash:9620] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:31749] uid/euid:1000/1000 gid/egid:1000/1000
Nov 10 16:44:58 g0n kernel: [1223278.319120] grsec: exec of /bin/bash (bash /usr/local/bin/kvm_Devuan_AndrewM.sh ) by /bin/bash[kvm_Devuan_Andr:9620] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:31749] uid/euid:1000/1000 gid/egid:1000/1000
Nov 10 16:44:58 g0n kernel: [1223278.321222] grsec: exec of /usr/bin/virt-install (virt-install --virt-type kvm --os-variant=debianwheezy --name=devuan-by-andrewm --cpu=host --vcpus=2 --memory 2048 --disk path=/) by /usr/bin/virt-install[bash:9621] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:9620] uid/euid:1000/1000 gid/egid:1000/1000
Nov 10 16:44:58 g0n kernel: [1223278.322623] grsec: exec of /usr/share/virt-manager/virt-install (/usr/share/virt-manager/virt-install --virt-type kvm --os-variant=debianwheezy --name=devuan-by-andrewm --cpu=host --vcpus=2 --m) by /usr/share/virt-manager/virt-install[virt-install:9621] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:9620] uid/euid:1000/1000 gid/egid:1000/1000
Nov 10 16:44:58 g0n kernel: [1223278.323272] grsec: exec of /usr/bin/python2.7 (python2.7 /usr/share/virt-manager/virt-install --virt-type kvm --os-variant=debianwheezy --name=devuan-by-andrewm --cpu=host --v) by /usr/bin/python2.7[virt-install:9621] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:9620] uid/euid:1000/1000 gid/egid:1000/1000
Nov 10 16:44:58 g0n kernel: [1223278.554195] grsec: exec of /bin/bash (sh -c LC_ALL=C LANG=C /sbin/ldconfig -p 2>/dev/null ) by /bin/bash[python2.7:9622] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/python2.7[python2.7:9621] uid/euid:1000/1000 gid/egid:1000/1000
Nov 10 16:44:58 g0n kernel: [1223278.556854] grsec: exec of /sbin/ldconfig (/sbin/ldconfig -p ) by /sbin/ldconfig[sh:9623] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[sh:9622] uid/euid:1000/1000 gid/egid:1000/1000
Nov 10 16:44:59 g0n kernel: [1223278.819222] grsec: chdir to / by /usr/bin/python2.7[python2.7:9624] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/bin/python2.7[python2.7:9621] uid/euid:1000/1000 gid/egid:1000/1000
Nov 10 16:44:59 g0n kernel: [1223278.821065] grsec: exec of /usr/sbin/libvirtd (/usr/sbin/libvirtd --timeout=30 ) by /usr/sbin/libvirtd[python2.7:9625] uid/euid:1000/1000 gid/egid:1000/1000, parent /[python2.7:9624] uid/euid:1000/1000 gid/egid:1000/1000
Nov 10 16:44:59 g0n kernel: [1223278.838436] grsec: exec of /bin/kmod (/sbin/modprobe -q -- net-pf-16-proto-9 grsec_modharden_normal1000_ ) by /bin/kmod[kworker/u8:4:9641] uid/euid:0/0 gid/egid:0/0, parent /[kworker/u8:4:9133] uid/euid:0/0 gid/egid:0/0
Nov 10 16:44:59 g0n libvirtd: SQL engine 'mysql' not supported
Nov 10 16:44:59 g0n libvirtd: auxpropfunc error no mechanism available
Nov 10 16:44:59 g0n libvirtd: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: sql
Nov 10 16:44:59 g0n kernel: [1223278.842533] grsec: exec of /usr/sbin/dnsmasq (/usr/sbin/dnsmasq --version ) by /usr/sbin/dnsmasq[libvirtd:9643] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/sbin/libvirtd[libvirtd:9642] uid/euid:1000/1000 gid/egid:1000/1000
Nov 10 16:44:59 g0n kernel: [1223278.844900] grsec: exec of /usr/sbin/dnsmasq (/usr/sbin/dnsmasq --help ) by /usr/sbin/dnsmasq[libvirtd:9644] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/sbin/libvirtd[libvirtd:9642] uid/euid:1000/1000 gid/egid:1000/1000
I may also show later the attempt with GRADM enabled (it always ends in a Segmentation fault, in short). But this attempt is with GRADM disabled.
And there's no way to get past the last hurdle, represented by the:
ERROR Error: --network bridge=br0: [Errno 13] Permission denied: '/proc/net/route'
in the stdout above...
I do have:
# grep GRKERNSEC_PROC .config
CONFIG_GRKERNSEC_PROC_GID=10
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_PROC=y
CONFIG_GRKERNSEC_PROC_USER=y
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_PROC_IPADDR=y
#
in my:
# uname -r
4.4.8-hardened-r1-161027_11
#
( and I may try later with the latest kernel; why that old kernel can be read in this bug:
=sys-kernel/hardened-sources-4.7.6: Kernel panic when starting KVM guests
https://bugs.gentoo.org/show_bug.cgi?id=597554
)
So, CONFIG_GRKERNSEC_PROC_GID=10, with /etc/group having been like this:
# cat /etc/group | grep -E '\<10\>'
wheel:x:10:root
and the stdout and the syslog above are both after I changed it to:
wheel:x:10:root,qemu,miro
( by issuing
# usermod -a -G wheel qemu
# usermod -a -G wheel miro
BTW, also adding root to the kvm group didn't help, with:
# usermod -a -G kvm root
)
I'm running the virt-install command from a terminal; actually I'm running it from /usr/local/bin since I have TPE on:
# cat /usr/local/bin/kvm_Devuan_AndrewM.sh
#!/usr/bin/env bash
# Script used to install VMs.
# You have to lvcreate the disk(s) first!
# lvcreate -L sizeG -n $name vg0
# dummy() is never called; it only holds the host-side preparation notes
# (LV creation, symlink, ISO mount) in a quoted heredoc so bash never parses them.
dummy() {
: <<'###'
# uname -a
Linux kvm-affinity-devuan-a 3.16.0-4-amd64 #1 SMP Debian 3.16.36-1+deb8u1 (2016-09-03) x86_64 GNU/Linux
# vgs
  VG   #PV #LV #SN Attr   VSize   VFree
  vg0    1   2   0 wz--n- 232.48g 213.85g
# lvcreate -L 12G -n devuan-by-andrewm--disk0 vg0
  Logical volume "devuan-by-andrewm--disk0" created
# ls -lart /dev/mapper/vg0-devuan--by--andrewm----disk0
lrwxrwxrwx 1 root root 7 Sep 30 00:01 /dev/mapper/vg0-devuan--by--andrewm----disk0 -> ../dm-3
# lvdisplay /dev/mapper/vg0-devuan--by--andrewm----disk0
  --- Logical volume ---
  LV Path                /dev/vg0/devuan-by-andrewm--disk0
  LV Name                devuan-by-andrewm--disk0
  VG Name                vg0
  LV UUID                ffN5RP-YNZI-iSkz-PXb1-8o8A-CHh3-LlPIbq
  LV Write Access        read/write
  LV Creation host, time kvm-affinity-devuan-a, 2016-09-30 00:01:22 +1000
  LV Status              available
  # open                 0
  LV Size                12.00 GiB
  Current LE             3072
  Segments               1
  Allocation             inherit
  Read ahead sectors     auto
  - currently set to     256
  Block device           253:3
# ls -lart /Cmn/kvm/images/devuan-by-andrewm--disk0
lrwxrwxrwx 1 root root 53 Sep 29 16:56 /Cmn/kvm/images/devuan-by-andrewm--disk0 -> /dev/mapper/vg0-devuan--by--andrewm----disk0
# mkdir /mnt/cdrom && mount -o ro ~miro/devuan_jessie_1.0.0-beta_amd64_CD.iso /mnt/cdrom
# df -PTah /mnt/cdrom
Filesystem Type    Size Used Avail Use% Mounted on
/dev/loop0 iso9660 4.4G 4.4G    0 100% /cdrom
###
}
set -e    # abort on the first failing command
variant="--os-variant=debianwheezy"
name="--name=devuan-by-andrewm"
cpus="--cpu=host --vcpus=2"
memory="--memory 2048"
disk="--disk path=/Cmn/kvm/images/devuan-by-andrewm--disk0"
location="--cdrom ~/devuan_jessie_1.0.0-beta_amd64_CD.iso"
graphics="--graphics none"
network="--network bridge=br0"
boot="--boot kernel=/mnt/cdrom/install.amd/vmlinuz,initrd=/mnt/cdrom/install.amd/initrd.gz,kernel_args='console=ttyS0'"
CMD="virt-install --virt-type kvm ${variant} ${name} ${cpus} ${memory} ${disk} ${location} ${graphics} ${network} ${boot}"
echo "${CMD}"
# eval re-parses the string, so the ~ in --cdrom is expanded and the quotes
# around kernel_args are removed before virt-install sees the arguments.
eval "${CMD}"
which I follow from this thread on Devuan Forums:
Devuan KVM guest install using ISO, virt-install and text based installation
https://lists.dyne.org/lurker/thread/20 ... 7.ddc5e862
( maybe best read this email:
https://lists.dyne.org/lurker/message/2 ... 62.en.html
that's where the script that I used is from; it's Andrew McGlashan's script, only modified. )
And I set all the learning into my /etc/grsec/policy, but it even asked for learning on /usr/sbin/init...
So... I'll first be reverting to my regular GRADM policy, which means abandoning these attempts, so I can go online, do some browsing and some posting, and reply to emails...
Have a look at how much learning was needed (grsec_161109_g5n_13 is my backup copy of /etc/grsec/policy):
# cat grsec_161109_g5n_13 | grep ' ol'
subject /sbin/init ol
subject /usr/sbin/libvirtd ol
subject /bin/env ol
subject /sbin/ldconfig ol
subject /usr/bin/glxgears ol
subject /usr/bin/glxinfo ol
subject /usr/bin/python2.7 ol
subject /usr/bin/virt-clone ol
subject /usr/bin/virt-convert ol
subject /usr/bin/virt-install ol
subject /usr/bin/virt-xml ol
subject /usr/share/virt-manager ol
#
All those needed to be set for learning to get to that step, with the virt-install run still unsuccessful...
Here they are for completeness (glxgears and glxinfo are not of the bunch, so I'm removing them; NOTE: I set those PAX_<...> lines out of desperation; they're probably superfluous and useless if not wrong... Esp. since, having revised my understanding by re-reading the grsecurity kernel help, there is no SEGMEXEC in AMD64 kernels... ):
# cat grsec_161109_g5n_13 | grep -B1 -A5 ' ol' | grep -Ev 'glxgears|glxinfo'
# Role: root
subject /sbin/init ol
/ h
-CAP_ALL
-PAX_SEGMEXEC
-PAX_PAGEEXEC
-PAX_MPROTECT
bind disabled
connect disabled
--
# Role: root
subject /usr/sbin/libvirtd ol
/ h
-CAP_ALL
-PAX_SEGMEXEC
-PAX_PAGEEXEC
-PAX_MPROTECT
bind disabled
connect disabled
--
# Role: miro
subject /bin/env ol
/ h
-CAP_ALL
bind disabled
connect disabled
--
# Role: miro
subject /sbin/ldconfig ol
/ h
-CAP_ALL
bind disabled
connect disabled
--
# Role: miro
/ h
-CAP_ALL
bind disabled
connect disabled
# Role: miro
/ h
-CAP_ALL
bind disabled
connect disabled
--
# Role: miro
subject /usr/bin/python2.7 ol
/ h
-CAP_ALL
bind disabled
connect disabled
--
# Role: miro
subject /usr/bin/virt-clone ol
/ h
-CAP_ALL
bind disabled
connect disabled
# Role: miro
subject /usr/bin/virt-convert ol
/ h
-CAP_ALL
bind disabled
connect disabled
# Role: miro
subject /usr/bin/virt-install ol
/ h
-CAP_ALL
bind disabled
connect disabled
# Role: miro
subject /usr/bin/virt-xml ol
/ h
-CAP_ALL
bind disabled
connect disabled
--
# Role: miro
subject /usr/share/virt-manager ol
/ h
-CAP_ALL
bind disabled
connect disabled
I did search, but didn't find much on how to correctly deploy virt-manager (without GUI) and use virt-install to run VMs.
Maybe other grsecurity users have experience/advice to share on this?
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Try refute: rootkit hooks in kernel,
linux capabilities for intrusion? (Linus?)
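A check worth running before going further with the /proc/net/route error above, added here as an example and not part of Miroslav's post, of virt-manager, or of grsecurity: the /proc restriction is decided against the group IDs the running process carries, so a membership added with usermod -a -G is only seen by sessions started after the edit, and a terminal opened before it still runs with the old group list. The script below reads CONFIG_GRKERNSEC_PROC_GID from a kernel .config, compares it with the session's `id -G` output and with /etc/group, and reports whether a re-login is what is missing; it then tests whether /proc/net/route is actually readable. The function names, the .config location (/usr/src/linux/.config, with /proc/config.gz as fallback), the KCONFIG variable and the sample inputs in the usage are all assumptions for the example. Whether a supplementary group is honoured at all when CONFIG_GRKERNSEC_PROC_USER rather than CONFIG_GRKERNSEC_PROC_USERGROUP is selected is a separate question that the kernel help for those options answers; the script only tells you whether the session has the gid.

```shell
#!/bin/sh
# Added diagnostic (example code, not from the forum post): does the current
# session carry CONFIG_GRKERNSEC_PROC_GID, or only /etc/group on disk?
# Paths and function names are assumptions made for this example.

# Print the gid configured as CONFIG_GRKERNSEC_PROC_GID in an uncompressed
# kernel .config (nothing is printed when the option is absent).
grsec_proc_gid() {
    sed -n 's/^CONFIG_GRKERNSEC_PROC_GID=//p' "$1" | head -n 1
}

# Succeed when gid $1 occurs in the space-separated list $2
# (the format `id -G` prints for the calling process).
gid_in_list() {
    for g in $2; do
        [ "$g" = "$1" ] && return 0
    done
    return 1
}

# Succeed when user $2 is a supplementary member of gid $1 in the
# /etc/group-style file $3 (a primary gid from /etc/passwd is not checked).
user_in_group_file() {
    grep -Eq "^[^:]+:[^:]*:$1:([^:]*,)?$2(,[^:]*)?\$" "$3"
}

# diagnose CONFIG GROUPFILE USER GIDS: print one token and return
#   0  the session carries the proc gid, or the kernel sets no proc gid
#   1  the user is in the group on disk but this session predates the
#      change: log in again (or use newgrp) before /proc opens up
#   2  the user is not in the group at all
diagnose() {
    gid=$(grsec_proc_gid "$1")
    if [ -z "$gid" ]; then
        echo "unrestricted"
        return 0
    fi
    if gid_in_list "$gid" "$4"; then
        echo "session-has-gid-$gid"
        return 0
    fi
    if user_in_group_file "$gid" "$3" "$2"; then
        echo "relogin-needed-for-gid-$gid"
        return 1
    fi
    echo "not-in-gid-$gid"
    return 2
}

# Live run on this host; only executed when the script is invoked with --live.
run_live() {
    cfg=${KCONFIG:-/usr/src/linux/.config}   # assumption: where .config lives
    if [ ! -r "$cfg" ] && [ -r /proc/config.gz ]; then
        cfg=$(mktemp) && gzip -dc /proc/config.gz > "$cfg"
    fi
    diagnose "$cfg" /etc/group "$(id -un)" "$(id -G)"
    rc=$?
    # The file virt-install tripped over: is it readable from this session?
    if [ -r /proc/net/route ]; then
        echo "/proc/net/route: readable"
    else
        echo "/proc/net/route: not readable"
    fi
    return $rc
}

case "${1:-}" in
    --live) run_live ;;
esac
```

Run it as `sh proc_gid_check.sh --live` from the same terminal that fails with virt-install; a `relogin-needed-for-gid-10` verdict means the group edit is fine but the shell (and everything libvirtd --timeout=30 spawned from it) still runs without gid 10.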