Re: [vserver] Patch for 2.6.38.4 vserver + GR Security

From: Sandino Araico Sánchez <sandino_at_sandino.net>
Date: Thu 12 May 2011 - 12:33:53 BST
Message-ID: <4DCBC5A1.2050605@sandino.net>

On 12/05/11 05:34, Rik Bobbaers wrote:
> this is the refcount overflow i was talking about.
I have found your refcount patch.
Most of the rejects happened because the hunk was already applied.
The new patch is
http://sandino.araico.net/parches/vserver/patch-2.6.38.4-vs2.3.0.37-rc15-against-grsec-2.2.2-201104232142-KB2-unstable.diff
As Herbert asked, the patch is vserver against a grsec-patched kernel.

I have to go to sleep. I will try the new patch tomorrow.
>
> I'll try to spin a new kernel this evening...
>
> (ps. what system calls are you talking about? i haven't done any 2.6.38
> kernel yet, so it would be nice to know and not have to look ;)
Merging parameters in function calls like 'var =
func(vx_xxx(foo,grsec_yyy(bar)));'
A couple of those; the rest of the rejects are cleaner.
Not too complicated.
>
> KR
>
> Rik Bobbaers
>
> -- http://harry.enzoverder.be
>
>> I checked all the rejects and applied them manually. I had to merge a
>> couple of function calls manually either because both vserver and grsec
>> patches modified the same line.
>>
>> The kernel compiles and boots without crashing but I have found some
>> functionality missing like the old token bucket sched, having to remove
>> the sched directory from /etc/vservers/myvserver/sched
>>
>> Running the cherokee webserver inside a vserver with ~40 requests per
>> second makes the kernel crash but I haven't had the time to try to
>> reproduce the crash. The same webserver running inside a simple chroot
>> does not crash the kernel.

-- 
Sandino Araico Sánchez
http://sandino.net
Received on Thu May 12 12:33:39 2011
[Next/Previous Months] [Main vserver Project Homepage] [Howto Subscribe/Unsubscribe] [Paul Sladen's vserver stuff]
Generated on Thu 12 May 2011 - 12:33:39 BST by hypermail 2.1.8