Re: [vserver] gentoo hardened/vserver

From: Oliver Heinz <oheinz_at_fbihome.de>
Date: Thu 19 Nov 2009 - 11:24:43 GMT
Message-Id: <200911191224.43481.oheinz@fbihome.de>

On Monday, 16 November 2009 10:53:58, Rik Bobbaers wrote:
> After a few weeks debugging a certain part in pax (by the pax team of
> course ;)), i finally managed to get a somewhat decently working combo
> patch
>
> there are also some small bugs that were in previous merges that are now
> fixed as well.
>
> anyway, it's available for testing (pls give some feedback if it's
> working/what's broken) at:
> http://people.linux-vserver.org/~harry/patch-2.6.31.6-vs2.3.0.36.24-grsec2.1.14-20091116.diff

Thank you, Rik,

compiled and works so far w/o any problems. I have to admit that I use only
half of the grsec options available (due to that dreadful HP system management
software needing privileged I/O and kmem access).

Keep up the good work!

Bye,
Oliver

>
> grtzzz...
>
> Rik Bobbaers
>
> -- http://harry.enzoverder.be
> linux/unix/system/network/security/hardware/DR admin
>
> > Rik Bobbaers wrote:
> >> heya,
> >>
> >> i don't know how the hardened gentoo stuff works (since i don't use
> >> gentoo). but i do know that i created a patch for 2.6.31.5, with the
> >> latest grsecurity/pax patch, but there are issues with e.g. kernexec,
> >> which make the kernel unbootable. I contacted the pax team on this
> >> issue,
> >> and "we" are working on it.
> >
> > Another 2p is:
> >
> > - Use Rik's last working patch (2.6.29.6 ish?) and you should have a
> > nice working kernel. The kernel is a separate problem to the rest of
> > your userland tools. If you want additional patches then I suggest you
> > start with the vserver+grsec+pax patch first since this is a meaty one.
> > I doubt you want to merge vserver onto some already patched kernel so
> > disregard using gentoo-sources. After that you can pull out any extra
> > patches that you feel are relevant, eg from gentoo-sources or whatever
> > is your favourite and deal with any merge conflicts.
> >
> > - Use gentoo hardened normally...
> >
> > Just a quick tip, but you will need the latest util-vserver package and also
> > you will need to unmask the latest dietlibc version before you build
> > util-vserver (if you don't do the latter then everything will segfault
> > because it gets built against a duff dietlibc package)
> >
> > Note that standard hardened recently upgraded to gcc-4.3 and this seems
> > to work really nicely, but SSP is not enabled. Also there is an overlay
> > with gcc-4.4 which DOES have SSP enabled. I'm not using this with
> > vserver, but I do have some builds using it with a uclibc setup (which
> > should really give it a workout...) and I haven't yet seen a package
> > it's caused bother with... (well apart from python and sandbox - both
> > critical system packages, but hey you can work around this fairly
> > easily...)
> >
> >
> > Thumbs up for vserver + gentoo hardened
> >
> > Good luck
> >
> > Ed W
>
Received on Thu Nov 19 11:25:16 2009

Generated on Thu 19 Nov 2009 - 11:25:18 GMT by hypermail 2.1.8