Re: [vserver] Vserver + grsec thoughts

From: Rik Bobbaers <rik_at_enzoverder.be>
Date: Tue 09 Nov 2010 - 21:10:26 GMT
Message-ID: <1289337027.2589.15.camel@lois.damien.homelinux.com>

hey guys (and maybe even women),

Just to inform you... I've created the 2.6.36 patch with the latest
grsec and linux-vserver patch. Also put up a new 2.6.23.25 patch.
I put it online on the website.
For those interested in what my work is/was in these kernels: I put a
patch online of the changes I made to the "combination of both patches":

http://harry.enzoverder.be/mypatch-2.6.32.22
http://harry.enzoverder.be/mypatch-2.6.36

This "fixes" everything that goes wrong when you apply grsec and then
linux-vserver patches to a vanilla kernel...

Let me know if it's useful. The refcount fixes are there too of
course :)

If you need more info or so, don't hesitate to ask!

KR,

Rik Bobbaers

-- 
http://harry.enzoverder.be
On Tue, 2010-11-09 at 10:52 -0600, Michael S. Zick wrote:
> On Tue November 9 2010, Kyle Bader wrote:
> > Hey Ed,
> > 
> > > I'm assuming that you are one of the pax team?  I know it's already quite a
> > > maintenance effort, but would the grsec/pax folks be amenable to maintaining
> > > a more "partial" patch which would merge with the vserver stuff more easily?
> > 
> > I'm not on the PaX/grsecurity team, I just make heavy use of their
> > patchset and have used it in conjunction with several other kernel
> > patches (vserver and aufs mostly).  As such please don't take my words
> > as authoritative on the subject, a clued in user is still a far cry
> > from the project developer :)
> > 
> > > It appears that this is the section I need to get a skills transfer from Rik
> > > on...  I'm about to go away on a pretty serious work trip for 2 weeks, so
> > > would appreciate any help from anyone in the meantime?
> > 
> > Kees Cook has recently started a movement to get some of the features
> > of grsecurity into mainline, you can read more about it here:
> > 
> > https://wiki.ubuntu.com/SecurityTeam/Roadmap/KernelHardening#Upstream%20Hardening
> > 
> > I think that putting effort here would be a better contribution to the
> > Linux ecosystem because it would help everyone, including people who
> > use linux-vserver.  This effort is also likely to generate more
> > eyeballs for review and when it comes to security, that's a good thing
> > :D
> > 
> 
> Although that link mentions /proc 'leaks' -
> I think that "lsof" used in a guest context is probably exposing
> more than the operator of the host should be comfortable with.
> 
> Add my +1 cent to Kyle's +2 cents.
> 
> Mike
> > Keep in mind that in light of this work there are still things that
> > would need to be done to the vserver patch, I can think of two:
> > 
> > 1. Make reference counters unchecked where applicable
> > 2. Constify function pointers wherever possible
> > 
> > #1 is only relevant for the refcount protection and #2 isn't strictly
> > required for vserver/pax interoperability but it's in the spirit of
> > the work PaX has been doing:
> > 
> > http://pax.grsecurity.net/docs/pax-future.txt
> > 
> > Just my $0.02
> > 
> 
> 
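Added here as an illustration of item #1 (reference counters that must stay unchecked) and item #2 (constified function pointers) from Kyle's list above. This is an editor's userspace C model of the distinction, not PaX/grsecurity or Linux-VServer code, and every name in it is this example's own.

```c
/* Model of PaX-style REFCOUNT behaviour (constructed example, not kernel code):
 * a checked counter is a real reference count. Wrapping it would let the
 * object be freed while references remain (use-after-free), so on overflow the
 * increment is refused and reported: the object leaks instead of being freed.
 * An unchecked counter is a statistics counter where wrapping is harmless, so
 * it gets no check; this is why such counters must be marked unchecked. */
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

typedef struct { int counter; } refcount_checked_t;          /* models atomic_t */
typedef struct { unsigned int counter; } counter_unchecked_t; /* models atomic_unchecked_t */

static unsigned long refcount_overflows_reported;

/* Returns true if the reference was taken, false if an overflow was detected. */
static bool refcount_inc_checked(refcount_checked_t *r)
{
    int next;
    if (__builtin_add_overflow(r->counter, 1, &next)) {
        /* Leave the counter saturated and report; the object is leaked, not freed. */
        refcount_overflows_reported++;
        fprintf(stderr, "refcount overflow detected; leaking object\n");
        return false;
    }
    r->counter = next;
    return true;
}

/* Returns true when the last reference was dropped (the caller would free). */
static bool refcount_dec_and_test(refcount_checked_t *r)
{
    return --r->counter == 0;
}

/* Statistics counter: wrapping is acceptable, so no overflow check is applied. */
static void counter_inc_unchecked(counter_unchecked_t *c)
{
    c->counter++;
}

/* Item #2: a function-pointer table declared const lands in read-only memory,
 * so it cannot be overwritten to redirect control flow. */
struct vs_ops { int (*get_limit)(void); };
static int default_limit(void) { return 64; }
static const struct vs_ops ops = { .get_limit = default_limit };
static int call_get_limit(void) { return ops.get_limit(); }
```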
Received on Wed Nov 10 00:33:00 2010
Generated on Wed 10 Nov 2010 - 00:33:00 GMT by hypermail 2.1.8