We need to look over the capability code again, just to make sure inheritance is working correctly, etc..
Another thing, I had to remove the code that sets cap_bset for all the running processes, for the obvious reasons that once you set the caps lower than they were initially with cap_intersect() it's unpossible to undo that. It's not really important that we set the capabilities for all processes anyway...the cap changes should only affect things started after the acl system is loaded.
Another thing...the mmap protections won't allow files with interpreters to run, due to the built-in acl of /blahblahfile x, since the file needs read access as well...I don't know of a quick solution to fix this..we'll have to discuss it today.
i fixed the init code, and made the capability inheritance stuff set the capability for that process causing the inheritance as well...you'll understand if you look at the code. Otherwise the initial process wouldn't have the capabilities it needed to run, but any process it executed would be able to. I also fixed cap_conv() to handle the capability inheritance, and spaces after the cap name.
few last minute things for grsecurity 1.9.4
6 posts
• Page 1 of 1
few last minute things for grsecurity 1.9.4
by spender » Wed Dec 31, 1969 8:00 pm
- spender
- Posts: 2185
- Joined: Wed Feb 20, 2002 8:00 pm
*phew*...final release is all diffed up...making rpms now.by mwimer » Thu Mar 07, 2002 4:24 pm
Your mention of RPMs reminds me that i should mention that i plan on porting the patch back to one of the older redhat kernels. It should be a real trick. If you want to have a redhat kernel rpm with the grsecurity patch, contingent on my ablity to do the port, i should have it pretty soon.
- mwimer
- Posts: 13
- Joined: Mon Mar 04, 2002 1:54 pm
What changes are bundled in the RPM's ?
by l0ki » Fri Mar 08, 2002 12:33 am
Do the RPM's you've released have the Redhat - based config files for included module/kernel device and feature support included? What modules, etc... are enabled in each different one- and what are the differences betweeen low-med-high?
Can you bundle the source in the RPM as well? This would make it a lot easier to go back and do things like start with your already patched kernel and apply freeswan ipsec support, etc... Or if you really wanted to make my daily life easier, you could just include freeswan and IPsec support in the rpm... (hint, hint)..
Does the 2.4.18 kernel in the RPM (I assume it does) have the kernel patch (security (mentioned on your site)) applied?
Any plans for updating grsparse anymore? You may want to bundle a secur(ed) httpd.conf with it also- for those who would leave php, mod this, and mod that enabled....
I've got grsec deployed on 20-25 servers now, been using it for about 1 or 1 1/2 years, and have had good luck so far.
Thanks for the good work!
Can you bundle the source in the RPM as well? This would make it a lot easier to go back and do things like start with your already patched kernel and apply freeswan ipsec support, etc... Or if you really wanted to make my daily life easier, you could just include freeswan and IPsec support in the rpm... (hint, hint)..
Does the 2.4.18 kernel in the RPM (I assume it does) have the kernel patch (security (mentioned on your site)) applied?
Any plans for updating grsparse anymore? You may want to bundle a secur(ed) httpd.conf with it also- for those who would leave php, mod this, and mod that enabled....
I've got grsec deployed on 20-25 servers now, been using it for about 1 or 1 1/2 years, and have had good luck so far.
Thanks for the good work!
- l0ki
- Posts: 1
- Joined: Fri Mar 08, 2002 12:25 am
6 posts
• Page 1 of 1