From: Marc-Christian Petersen (m.c.p_at_gmx.net)
Date: Thu 17 Jul 2003 - 08:00:02 BST
On Thursday 17 July 2003 08:30, Dariush Pietrzak wrote:
> > has anyone tried yet to run a kernel with both ctx and grsecurity
> > patches applied? The patches apply pretty fine except for a "conflict"
> > in kernel/signal.c which probably can easily be resolved, however, the
> > question is, will both work well together? Would be nice to get some
> > feedback if anyone has tried. Thanks!
> No, they don't work together.
> This was tested and tried in WOLK tree, the solution WOLK took was to ifdef
> ctx/grsec so you can't select them both.
> As you can imagine, those patches both touch the same parts of a kernel...
> what I would like, is to separate grsec into parts that conflict with ctx
> and those that don't.. that would be nice...
Well, grsec and ctx are working together, you can also select them both. I've
chosen the mutual exclusion some time ago for WOLK3 time. The only exception
which does not work is the ACL subsystem which conflicts with CTX. You cannot
disable the ACL subsystem once it's started if CTX is compiled into the
kernel. We did not figure out why yet.
I am running grsec+ctx on some production machines but w/o the ACL subsystem
and haven't experienced any problems yet.
-- ciao, Marc