Re: [vserver] Patch for 2.6.38.4 vserver + GR Security

From: Herbert Poetzl <herbert_at_13thfloor.at>
Date: Mon 16 May 2011 - 14:13:12 BST
Message-ID: <20110516131312.GA30856@MAIL.13thfloor.at>

On Thu, May 12, 2011 at 06:33:53AM -0500, Sandino Araico Sánchez
wrote:

> On 12/05/11 05:34, Rik Bobbaers wrote:
>> this is the refcount overflow I was talking about.
> I have found your refcount patch. Most of the rejects happened
> because the hunk was already applied. The new patch is
> http://sandino.araico.net/parches/vserver/patch-2.6.38.4-vs2.3.0.37-rc15-against-grsec-2.2.2-201104232142-KB2-unstable.diff

> As Herbert asked, the patch is vserver against a grsec-patched
> kernel.

hmm, well, a step in the right direction, but what I actually
meant was a grsec patch against a Linux-VServer patched kernel ..
why? simple:

 - grsec doesn't update as often as Linux-VServer does
 - grsec changes to mainline need to be extended to Linux-VServer,
   note that this isn't the other way round, i.e. the refcount
   stuff for example is solely introduced by grsec as 'feature'
   as are the chroot restrictions and similar
 - a grsec for Linux-VServer has to handle the concept of
   chroot like environments to effectively enhance security

but YMMV and as I do not use or maintain grsec, it's neither my
call nor my preference, just my opinion ...

best,
Herbert

> I have to go to sleep. I will try the new patch tomorrow.

>> I'll try to spin a new kernel this evening...

>> (ps. what system calls are you talking about? I haven't done
>> any 2.6.38 kernel yet, so it would be nice to know and not
>> have to look ;)

> Merging parameters in function calls like 'var =
> func(vx_xxx(foo,grsec_yyy(bar)));' A couple of those; the rest
> of the rejects are cleaner. Not too complicated.

>> KR

>> Rik Bobbaers

>> -- http://harry.enzoverder.be

>>> I checked all the rejects and applied them manually. I had to
>>> merge a couple of function calls manually because both
>>> vserver and grsec patches modified the same line.

>>> The kernel compiles and boots without crashing but I
>>> have found some functionality missing like the old token
>>> bucket sched, having to remove the sched directory from
>>> /etc/vservers/myvserver/sched

>>> Running the cherokee webserver inside a vserver with ~40
>>> requests per second makes the kernel crash but I haven't had
>>> the time to try to reproduce the crash. The same webserver
>>> running inside a simple chroot does not crash the kernel.

> -- Sandino Araico Sánchez http://sandino.net
Received on Mon May 16 14:13:30 2011
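The conflict Sandino describes (both series rewriting the arguments of the same call) can be reproduced on a toy tree to see what `patch` actually does with it. The script below is an added example written for this archive page; it is not code from the thread, from Linux-VServer or from grsecurity. The file fs/open.c, the helper names vx_ino() and gr_flags(), and both patches are constructed for the demo. It stacks the two constructed series in both orders and counts the hunks that reject, which is the list you would then have to merge by hand.

```sh
#!/bin/sh
# Added example, not code from the thread, Linux-VServer or grsecurity.
# Two independent patch series both edit the same call site; stacking
# them shows which hunks reject. Everything here is constructed for the
# demo: fs/open.c, vx_ino(), gr_flags() and both diffs.
# Needs only diff(1), patch(1) and sed(1).
export LC_ALL=C

# Write the constructed "mainline" tree under $1.
mk_base() {
    mkdir -p "$1/fs"
    cat > "$1/fs/open.c" <<'EOF'
int do_open(struct inode *ino, int flags)
{
        int err;
        err = vfs_check(ino, flags);
        return err;
}
EOF
}

# Build a unified diff ($2, under workdir $1) from a fresh base tree to a
# copy rewritten by the sed expression $3. diff exits 1 when files differ.
mk_patch() {
    rm -rf "$1/a" "$1/b"
    mk_base "$1/a"
    mk_base "$1/b"
    sed "$3" "$1/a/fs/open.c" > "$1/b/fs/open.c"
    (cd "$1" && diff -urN a b > "$2") || true
}

# Apply patches in the given order on top of tree $1. Each one is dry-run
# first so the FAILED hunks are reported on stderr, then applied for real
# so the next patch sees the modified tree (patch leaves .rej files for
# hunks it could not place). Prints the total number of failed hunks.
stack_patches() {
    tree=$1
    shift
    rejects=0
    for p in "$@"; do
        out=$(cd "$tree" && patch -p1 --batch --dry-run -i "$p" 2>&1) || true
        printf '%s\n' "$out" | grep '^Hunk #[0-9]* FAILED' >&2 || true
        n=$(printf '%s\n' "$out" | grep -c '^Hunk #[0-9]* FAILED' || true)
        rejects=$((rejects + n))
        (cd "$tree" && patch -p1 --batch -i "$p" >/dev/null 2>&1) || true
    done
    echo "$rejects"
}

# Stack the two constructed series in either order and print how many
# hunks reject. $1 is "vserver-first" or "grsec-first".
run_demo() {
    work=$(mktemp -d)
    mk_patch "$work" vserver.diff \
        's/vfs_check(ino, flags)/vfs_check(vx_ino(ino), flags)/'
    mk_patch "$work" grsec.diff \
        's/vfs_check(ino, flags)/vfs_check(ino, gr_flags(flags))/'
    mk_base "$work/tree"
    if [ "$1" = "grsec-first" ]; then
        n=$(stack_patches "$work/tree" "$work/grsec.diff" "$work/vserver.diff")
    else
        n=$(stack_patches "$work/tree" "$work/vserver.diff" "$work/grsec.diff")
    fi
    rm -rf "$work"
    echo "$n"
}

echo "vserver then grsec: $(run_demo vserver-first) rejected hunk(s)"
echo "grsec then vserver: $(run_demo grsec-first) rejected hunk(s)"
```

Whichever series goes first, the second one's hunk rejects, because `patch` only applies fuzz to context lines and the `-` line itself no longer matches once the other series has rewritten the call. The mechanical part is symmetric; what differs between the two orders is which project's patch has to carry the hand-merged line `vfs_check(vx_ino(ino), gr_flags(flags))` from then on, which is the maintenance question Herbert's bullets are about.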
