Re: [vserver] grsec releases

From: Rik Bobbaers <rik_at_enzoverder.be>
Date: Thu 15 Sep 2011 - 09:58:17 BST
Message-ID: <35296.193.178.209.214.1316077097.squirrel@www.enzoverder.be>

eya all,

sorry I didn't update the patches in such a very, very long time. It's just
that I don't have any time to work on this project anymore (sadly).
So if someone wants to take over, it would be great! (I see Ed knows his
way around version control systems very well ;))

I was planning on upgrading the patches once the stabilization is
completely finished to get a stable grsec/vserver patch...

Maybe only the PaX part is a good idea too (since IMHO that's the "major"
improvement part of the entire grsec patch).
Though there are also some grsec parts that are very useful...

KR,

Rik Bobbaers

-- http://harry.enzoverder.be

> My vote is we shift to a pax only patch (perhaps with a few select bits
> from the grsec patch, eg larger entropy pool and similar)
>
> Pax applies (or did apply) with no significant conflicts and just
> requires the additional atomic changes to the vserver code.
>
> Grsec offers only a MAC layer which doesn't quite work as expected with
> vservers plus chroot hardening which is already covered by the vserver
> patches (and if it's not then we should bug Herbert to fix things). So
> mostly the grsec extras are not that useful. For sure there are some
> other bits of that patch which are interesting, eg enhanced logging,
> larger entropy pools, etc, but perhaps we can pull those out (don't
> suppose they change that often?)
>
> Just my 2p (been waiting for pax 3.0 patches to stabilise...)
>
> Cheers
>
> Ed W
>
>
> On 14/09/2011 19:41, Sandino Araico Sánchez wrote:
>> I uploaded a vserver-grsec patch for 2.6.38 some months ago
>> http://sandino.araico.net/parches/vserver/ but it has some issues
>> starting vservers.
>>
>> I think it's time to cook an updated patch for 3.0. I will try to do
>> it this week.
>>
>> About the patching procedure, it's not too difficult to do.
>> 0. Unpack the vanilla kernel
>> 0.1 copy the unpacked vanilla kernel (for diff)
>> 1. Patch Linux vanilla with vserver
>> 1.1. Copy the vserver-patched kernel (for diff)
>> 2. Patch the vserver-patched kernel with grsec
>> 3. Merge the rejects manually
>> 3.1 If in doubt consult what they did on patched files in earlier
>> versions
>> 4. Apply Rik Bobbaers' patch
>> 4.1 Merge the rejects manually
>> 5. Calculate recursive diff against vanilla kernel
>> 5.1 Calculate recursive diff against vserver-patched kernel
>> 6. Upload the patches
>>
>> On 09/14/11 03:38, ccx@webprojekty.cz wrote:
>>> Hello
>>> I wish to update my vserver/grsec based server, but there seems to be
>>> lack of grsecurity-enabled releases lately. Moreover I tried the latest
>>> patch that applies to 2.6.36.2 and ran into problems with
>>> pivot_root(): Invalid argument, which guys on IRC hinted is
>>> probably
>>> the fault of a broken release. (I disabled pivot_root grsec protection in
>>> sysctl).
>>>
>>> My questions are if there are any new releases planned for
>>> vserver/grsecurity and what is the procedure for making them (in which
>>> way to combine patches, where to get them, etc.) so I could build and
>>> test current state.
>>>
>>> Thank you very much.
>>
>>
>> --
>> Sandino Araico Sánchez
>> http://sandino.net
>
>
Received on Thu Sep 15 10:04:52 2011
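The layered patching procedure Sandino describes in his quoted reply (steps 0.1 to 5.1), written up below as an added shell example that is not part of this thread and is not code from Rik, Ed, Sandino or the vserver/grsecurity/PaX projects. It applies the vserver, grsec and Rik patches one on top of the other, stops with the list of `.rej` files whenever a layer needs manual merging (steps 3 and 4.1), and produces the two recursive diffs (against the vanilla tree and against the vserver-patched tree). Assumptions: GNU `diff` and `patch` are installed, the patches are `-p1` relative to the kernel top directory, and the kernel is already unpacked (step 0). The three-file "kernel" tree and the four single-hunk patches used by `demo` are constructed inline and stand in for the real patches, which are not on this page.

```shell
#!/bin/sh
# Added example, not code from the thread or from the vserver, grsecurity or
# PaX projects: Sandino's layered patching procedure (steps 0.1 to 5.1) as
# shell functions, stopping for manual merging whenever a layer leaves .rej
# files. Assumptions: GNU diff/patch are installed, patches are -p1 relative
# to the kernel top directory, and the kernel is already unpacked (step 0).

# Apply one patch layer to a tree. Returns 0 if every hunk applied, 2 if
# .rej files were written (merge them by hand, then rerun), 1 otherwise.
apply_layer() {
    tree=$1; patchfile=$2
    # -f: never prompt; --no-backup-if-mismatch: no .orig files in the final diff
    if (cd "$tree" && patch -p1 -s -f --no-backup-if-mismatch < "$patchfile"); then
        return 0
    fi
    rejects=$(find "$tree" -name '*.rej')
    if [ -n "$rejects" ]; then
        echo "rejects after $(basename "$patchfile"), merge these by hand:" >&2
        echo "$rejects" >&2
        return 2
    fi
    return 1
}

# build_combined_patch <vanilla-dir> <vserver.patch> <grsec.patch> <rik.patch> <outdir>
# Leaves <outdir>/work (the patched tree), <outdir>/full.patch (step 5, vanilla
# to work) and <outdir>/on-vserver.patch (step 5.1, vserver-patched to work).
build_combined_patch() {
    vanilla=$1; vserver=$2; grsec=$3; rik=$4; out=$5
    rm -rf "$out"; mkdir -p "$out"
    cp -R "$vanilla" "$out/vanilla"                   # 0.1 pristine copy for the diff
    cp -R "$vanilla" "$out/work"
    apply_layer "$out/work" "$vserver" || return $?   # 1
    cp -R "$out/work" "$out/vserver-ref"              # 1.1 base for the incremental diff
    apply_layer "$out/work" "$grsec" || return $?     # 2 (rejects: step 3, by hand)
    apply_layer "$out/work" "$rik" || return $?       # 4 (rejects: step 4.1, by hand)
    # 5 and 5.1: diff from inside $out so the patches apply with -p1;
    # diff exits 1 when files differ, which is the expected result here.
    (cd "$out" && { diff -ruN vanilla work > full.patch || [ $? -eq 1 ]; }) || return 1
    (cd "$out" && { diff -ruN vserver-ref work > on-vserver.patch || [ $? -eq 1 ]; }) || return 1
}

# Constructed demo input (not a real kernel): a three-file tree in <dir>/a and
# four single-hunk patches; conflict.patch expects a line the tree never had.
make_demo() {
    d=$1
    mkdir -p "$d/a/kernel" "$d/a/fs"
    printf 'int nr_cpus = 1;\n' > "$d/a/kernel/sched.c"
    printf 'int do_chroot(void) { return 0; }\n' > "$d/a/fs/open.c"
    printf 'obj-y := sched.o\n' > "$d/a/kernel/Makefile"
    cp -R "$d/a" "$d/b"; printf 'int nr_cpus = 1;\nint vx_id;\n' > "$d/b/kernel/sched.c"
    cp -R "$d/b" "$d/c"; printf 'int chroot_hardened = 1;\nint do_chroot(void) { return 0; }\n' > "$d/c/fs/open.c"
    cp -R "$d/c" "$d/e"; printf 'obj-y := sched.o vserver.o\n' > "$d/e/kernel/Makefile"
    mkdir -p "$d/x/kernel" "$d/y/kernel"
    printf 'int nr_cpus = 99;\n' > "$d/x/kernel/sched.c"
    printf 'int nr_cpus = 100;\n' > "$d/y/kernel/sched.c"
    (cd "$d" && { diff -ruN a b > vserver.patch || [ $? -eq 1 ]; }) || return 1
    (cd "$d" && { diff -ruN b c > grsec.patch || [ $? -eq 1 ]; }) || return 1
    (cd "$d" && { diff -ruN c e > rik.patch || [ $? -eq 1 ]; }) || return 1
    (cd "$d" && { diff -ruN x y > conflict.patch || [ $? -eq 1 ]; }) || return 1
}

# Run the procedure on the demo input and check both outcomes: full.patch
# must turn a fresh vanilla copy into exactly the work tree, and the
# conflicting layer must stop the run with status 2. Prints "demo ok".
demo() {
    tmp=${TMPDIR:-/tmp}/layered-patch.$$
    rm -rf "$tmp"; make_demo "$tmp" || return 1
    build_combined_patch "$tmp/a" "$tmp/vserver.patch" "$tmp/grsec.patch" \
        "$tmp/rik.patch" "$tmp/out" || return 1
    cp -R "$tmp/a" "$tmp/check"
    (cd "$tmp/check" && patch -p1 -s -f < "$tmp/out/full.patch") || return 1
    diff -r "$tmp/check" "$tmp/out/work" >/dev/null || return 1
    rc=0
    build_combined_patch "$tmp/a" "$tmp/vserver.patch" "$tmp/conflict.patch" \
        "$tmp/rik.patch" "$tmp/out2" || rc=$?
    [ "$rc" -eq 2 ] || return 1
    rm -rf "$tmp"
    echo "demo ok"
}

# With no arguments, run the self-check on the constructed tree; with five
# arguments, run the real procedure on them.
if [ $# -eq 0 ]; then demo; elif [ $# -eq 5 ]; then build_combined_patch "$@"; fi
```

The point of keeping the `vanilla` and `vserver-ref` copies is that the two diffs at the end answer different questions: `full.patch` is what someone with a plain kernel applies, while `on-vserver.patch` is the smaller delta a vserver user needs and is the one to re-check whenever only the grsec side moves. Stopping on the first `.rej` rather than pressing on matters because a later layer can silently "succeed" against a half-merged file and hide the conflict in the final diff.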

Generated on Thu 15 Sep 2011 - 10:04:52 BST by hypermail 2.1.8