On Thu, May 12, 2011 at 06:33:53AM -0500, Sandino Araico Sánchez
wrote:
> On 12/05/11 05:34, Rik Bobbaers wrote:
>> this is the refcount overflow i was talking about.
> I have found your refcount patch. Most of the rejects happened
> because the hunk was already applied. The new patch is
> http://sandino.araico.net/parches/vserver/patch-2.6.38.4-vs2.3.
> 0.37-rc15-against-grsec-2.2.2-201104232142-KB2-unstable.diff
> As Herbert asked, the patch is vserver against a grsec-patched
> kernel.
hmm, well, a step in the right direction, but what I actually
meant was a grsec patch against a Linux-VServer patched kernel ..
why? simple:
- grsec doesn't update as often as Linux-VServer does
- grsec changes to mainline need to be extended to Linux-VServer,
note that this isn't the other way round, i.e. the refcount
stuff for example is solely introduced by grsec as 'feature'
as are the chroot restrictions and similar
- a grsec for Linux-VServer has to handle the concept of
chroot like environments to effectively enhance security
but YMMV and as I do not use or maintain grsec, it's neither my
call nor my preference, just my opinion ...
best,
Herbert
> I have to go to sleep. I will try the new patch tomorrow.
>> I'll try to spin a new kernel this evening...
>> (ps. what system calls are you talking about? i haven't done
>> any 2.6.38 kernel yet, so it would be nice to know and not
>> have to look ;)
> Merging parameters in function calls like 'var =
> func(vx_xxx(foo,grsec_yyy(bar)));' A couple of those; the rest
> of the rejects are cleaner. Not too complicated.
>> KR
>> Rik Bobbaers
>> -- http://harry.enzoverder.be
>>> I checked all the rejects and applied them manually. I had to
>>> merge a couple of function calls manually either because both
>>> vserver and grsec patches modified the same line.
>>> The kernel compiles and boots without crashing but I
>>> have found some functionality missing like the old token
>>> bucket sched, having to remove the sched directory from
>>> /etc/vservers/myvserver/sched
>>> Running the cherokee webserver inside a vserver with ~40
>>> requests per second makes the kernel crash but I haven't had
>>> the time to try to reproduce the crash. The same webserver
>>> running inside a simple chroot does not crash the kernel.
> -- Sandino Araico Sánchez http://sandino.net
Received on Mon May 16 14:13:30 2011