Re: [vserver] grsec releases

From: Herbert Poetzl <herbert_at_13thfloor.at>
Date: Thu 15 Sep 2011 - 02:25:55 BST
Message-ID: <20110915012555.GJ9137@MAIL.13thfloor.at>

On Wed, Sep 14, 2011 at 09:19:01PM +0100, Ed W wrote:
> My vote is we shift to a pax only patch (perhaps with a few
> select bits from the grsec patch, eg larger entropy pool and
> similar)

> Pax applies (or did apply) with no significant conflicts and
> just requires the additional atomic changes to the vserver
> code.

> Grsec offers only a MAC layer which doesn't quite work as
> expected with vservers plus chroot hardening which is already
> covered by the vserver patches (and if it's not then we should
> bug Herbert to fix things). So mostly the grsec extras are not
> that useful. For sure there are some other bits of that patch
> which are interesting, eg enhanced logging, larger entropy
> pools, etc, but perhaps we can pull those out (don't suppose
> they change that often?)

sounds good to me, and I'm willing to help with an initial
pax integration if there is need, but somebody needs to
maintain those patches (like harry did for the grsec ones)
so that they follow the Linux-VServer releases closely or
in a way (which I'd actually prefer) that they apply on top
of the Linux-VServer patches, so that minor fixes/changes
in the Linux-VServer code don't affect them (much)

thanks in advance,
Herbert

> Just my 2p (been waiting for pax 3.0 patches to stabilise...)

> Cheers

> Ed W

> On 14/09/2011 19:41, Sandino Araico Sánchez wrote:
>> I uploaded a vserver-grsec patch for 2.6.38 some months ago
>> http://sandino.araico.net/parches/vserver/ but it has some issues
>> starting vservers.

>> I think it's time to cook an updated patch for 3.0. I will try to do
>> it this week.

>> About the patching procedure, it's not too difficult to do.
>> 0. Unpack the vanilla kernel
>> 0.1 copy the unpacked vanilla kernel (for diff)
>> 1. Patch Linux vanilla with vserver
>> 1.1. Copy the vserver-patched kernel (for diff)
>> 2. Patch the vserver-patched kernel with grsec
>> 3. Merge the rejects manually
>> 3.1 If in doubt, consult what they did on patched files in earlier versions
>> 4. Apply Rik Bobbaers' patch
>> 4.1 Merge the rejects manually
>> 5. Calculate recursive diff against vanilla kernel
>> 5.1 Calculate recursive diff against vserver-patched kernel
>> 6. Upload the patches

>> On 09/14/11 03:38, ccx@webprojekty.cz wrote:
>>> Hello
>>> I wish to update my vserver/grsec based server, but there seems to be
>>> a lack of grsecurity-enabled releases lately. Moreover I tried the latest
>>> patch that applies to 2.6.36.2 and ran into problems with
>>> pivot_root(): Invalid argument, which guys on the irc hinted is probably
>>> the fault of a broken release. (I disabled pivot_root grsec protection in
>>> sysctl).

>>> My questions are if there are any new releases planned for
>>> vserver/grsecurity and what is the procedure for making them (in which
>>> way to combine patches, where to get them, etc.) so I could build and
>>> test current state.

>>> Thank you very much.

>> --
>> Sandino Araico Sánchez
>> http://sandino.net
Received on Thu Sep 15 02:26:06 2011
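The stacking recipe Sandino quotes above (vanilla, then vserver, then grsec, then diffs against both base trees), automated as an added example that is not code from the thread or from the Linux-VServer project. It assumes GNU diff and patch on PATH and -p1 unified diffs; the two-file "kernel" trees and the vserver/grsec patches built in demo_setup() are constructed stand-ins, and the grsec stand-in deliberately collides with the vserver change so one hunk is rejected and left as a .rej for the manual merge step.

```shell
#!/bin/sh
# Added example (not from the thread): automates the vanilla -> +vserver ->
# +grsec -> diff recipe and reports rejects for manual merging (step 3).
# Assumes GNU diff and patch; all trees/patches below are constructed.
set -u

# apply_patch DIR PATCH: apply a -p1 unified diff inside DIR, leave *.rej
# files in place for hand-merging, print how many files were rejected.
apply_patch() {
    patch -p1 -s -N --no-backup-if-mismatch -d "$1" < "$2" >/dev/null 2>&1 || true
    find "$1" -name '*.rej' | wc -l | tr -d ' '
}

# stack_and_diff WORK VSERVER_PATCH GRSEC_PATCH [EXTRA_PATCH...]
# Needs WORK/linux-vanilla. Writes WORK/full.patch (against vanilla) and
# WORK/on-vserver.patch (against the vserver tree, the form Herbert prefers
# since vserver-only changes then do not disturb it). Prints total rejects.
stack_and_diff() {
    work=$1; vs=$2; gr=$3; shift 3
    rm -rf "$work/linux-vserver" "$work/linux-grsec"
    cp -a "$work/linux-vanilla" "$work/linux-vserver"          # step 0.1/1
    rej=$(apply_patch "$work/linux-vserver" "$vs")
    cp -a "$work/linux-vserver" "$work/linux-grsec"            # step 1.1/2
    rej=$((rej + $(apply_patch "$work/linux-grsec" "$gr")))
    for p in "$@"; do                                          # step 4: extra patches
        rej=$((rej + $(apply_patch "$work/linux-grsec" "$p")))
    done
    # step 5/5.1: diff exits 1 when trees differ, which is the expected case
    (cd "$work" && diff -ruN -x '*.rej' -x '*.orig' linux-vanilla linux-grsec > full.patch) || true
    (cd "$work" && diff -ruN -x '*.rej' -x '*.orig' linux-vserver linux-grsec > on-vserver.patch) || true
    echo "$rej"
}

# write_tree DIR LINE3 NS2: constructed two-file stand-in for a kernel tree.
write_tree() {
    mkdir -p "$1/kernel" "$1/fs"
    printf 'line1\nline2\n%s\nline4\nline5\n' "$2" > "$1/kernel/fork.c"
    printf 'ns1\n%s\nns3\n' "$3" > "$1/fs/namespace.c"
}

# demo_setup: build constructed vanilla tree plus vserver.patch and grsec.patch
# (grsec also edits fork.c line 3, so that hunk is rejected on the vserver tree).
demo_setup() {
    work=$(mktemp -d)
    write_tree "$work/linux-vanilla" line3 ns2
    write_tree "$work/tmp-vs" 'line3 vserver' ns2
    write_tree "$work/tmp-gr" 'line3 grsec' 'ns2 grsec'
    (cd "$work" && diff -ruN linux-vanilla tmp-vs > vserver.patch) || true
    (cd "$work" && diff -ruN linux-vanilla tmp-gr > grsec.patch) || true
    echo "$work"
}
```

Run it as `W=$(demo_setup); stack_and_diff "$W" "$W/vserver.patch" "$W/grsec.patch"`, which prints 1 and leaves kernel/fork.c.rej in the grsec tree for the merge step.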
