Re: [vserver] Vserver + grsec thoughts

From: Kyle Bader <kyle.bader_at_gmail.com>
Date: Tue 09 Nov 2010 - 16:16:08 GMT
Message-ID: <AANLkTimh5yPsUdEXA0be=FTMZOFhe22TrV2eVCkYiHAR@mail.gmail.com>

Hey Ed,

> I'm assuming that you are one of the pax team?  I know it's already quite a
> maintenance effort, but would the grsec/pax folks be amenable to maintaining
> a more "partial" patch which would merge with the vserver stuff more easily?

I'm not on the PaX/grsecurity team, I just make heavy use of their
patchset and have used it in conjunction with several other kernel
patches (vserver and aufs mostly). As such, please don't take my words
as authoritative on the subject; a clued-in user is still a far cry
from the project developer :)

> It appears that this is the section I need to get a skills transfer from Rik
> on...  I'm about to go away on a pretty serious work trip for 2 weeks, so
> would appreciate any help from anyone in the meantime?

Kees Cook has recently started a movement to get some of the features
of grsecurity into mainline; you can read more about it here:

https://wiki.ubuntu.com/SecurityTeam/Roadmap/KernelHardening#Upstream%20Hardening

I think that putting effort here would be a better contribution to the
Linux ecosystem because it would help everyone, including people who
use linux-vserver. This effort is also likely to generate more
eyeballs for review and when it comes to security, that's a good thing
:D

Keep in mind that in light of this work there are still things that
would need to be done to the vserver patch; I can think of two:

1. Make reference counters unchecked where applicable
2. Constify function pointers wherever possible

#1 is only relevant for the refcount protection and #2 isn't strictly
required for vserver/pax interoperability but it's in the spirit of
the work PaX has been doing:

http://pax.grsecurity.net/docs/pax-future.txt

Just my $0.02

-- 
Kyle
Received on Tue Nov 9 21:41:44 2010
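
The two patch items listed in the message above, sketched as an added userspace model in C (not part of the original post, and not PaX or vserver code). It assumes the refcount protection rejects an increment that would overflow, so a counter that is expected to wrap has to be a separate unchecked type; all type and function names are hypothetical.

```c
#include <limits.h>
#include <stdio.h>

/* Checked counter: models an object reference count (hypothetical type). */
typedef struct { int v; } ref_checked_t;

/* Unchecked counter: models a statistic that may legitimately wrap. */
typedef struct { unsigned int v; } stat_unchecked_t;

/* Refuse an increment that would overflow; the value stays pinned at
 * INT_MAX. Returns 0 on success, -1 when the overflow was caught. */
static int ref_inc_checked(ref_checked_t *r)
{
    if (r->v == INT_MAX)
        return -1;
    r->v++;
    return 0;
}

/* Unsigned arithmetic wraps with defined behaviour, so no check is made. */
static unsigned int stat_inc_unchecked(stat_unchecked_t *s)
{
    return ++s->v;
}

/* Item 2: the ops table is const, so the compiler can place its function
 * pointers in read-only data and any assignment to them fails to build. */
struct ctx_ops {
    int (*get)(ref_checked_t *r);
};
static const struct ctx_ops ctx_default_ops = { .get = ref_inc_checked };

/* Returns 1 when the checked counter rejected the overflow and held its value. */
int demo_ref_at_max(void)
{
    ref_checked_t r = { INT_MAX };   /* constructed sample state */
    return ctx_default_ops.get(&r) == -1 && r.v == INT_MAX;
}

/* Returns the statistic's value after wrapping from UINT_MAX. */
unsigned int demo_stat_wrap(void)
{
    stat_unchecked_t s = { UINT_MAX };   /* constructed sample state */
    return stat_inc_unchecked(&s);
}

int main(void)
{
    printf("checked refcount held at max: %d\n", demo_ref_at_max());
    printf("unchecked stat after wrap: %u\n", demo_stat_wrap());
    return 0;
}
```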