
few last minute things for grsecurity 1.9.4

PostPosted: Wed Dec 31, 1969 8:00 pm
by spender
We need to look over the capability code again, just to make sure inheritance is working correctly, etc.

Another thing, I had to remove the code that sets cap_bset for all the running processes, for the obvious reason that once you set the caps lower than they were initially with cap_intersect() it's impossible to undo that. It's not really important that we set the capabilities for all processes anyway...the cap changes should only affect things started after the acl system is loaded.

Another thing...the mmap protections won't allow files with interpreters to run, due to the built-in acl of /blahblahfile x, since the file needs read access as well...I don't know of a quick solution to fix this...we'll have to discuss it today.

I fixed the init code, and made the capability inheritance stuff set the capability for the process causing the inheritance as well...you'll understand if you look at the code. Otherwise the initial process wouldn't have the capabilities it needed to run, but any process it executed would be able to. I also fixed cap_conv() to handle the capability inheritance, and spaces after the cap name.
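The two points above (a narrowed cap_bset cannot be widened again, and inheritance must leave the exec'ing process with what it needs) can be seen in a small model of the classic 32-bit capability arithmetic. The block below is an added illustration written for this page, not grsecurity's or the kernel's code: it follows the 2.4-era rules as I understand them (the sysctl writer other than init can only AND bits out of cap_bset; at exec the file's permitted set is clipped by cap_bset and its inheritable set by the process's inheritable set), and the process id 4242, the file capability sets and the tiny name table are constructed values. `write_cap_bound`, `exec_creds` and `cap_name_to_bit` are hypothetical names, the last one standing in for the whitespace-tolerant lookup the post says cap_conv() now does.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the classic 32-bit capability sets (pre-2.6 Linux); this is
 * an added illustration, not grsecurity's or the kernel's code. */
typedef uint32_t kernel_cap_t;

#define CAP_CHOWN      0
#define CAP_NET_ADMIN 12
#define CAP_SYS_ADMIN 21
#define CAP_TO_MASK(b) ((kernel_cap_t)1u << (b))
#define CAP_FULL_SET   ((kernel_cap_t)0xffffffffu)

/* Same arithmetic as the kernel's helper macros of that era. */
static kernel_cap_t cap_intersect(kernel_cap_t a, kernel_cap_t b) { return a & b; }
static kernel_cap_t cap_combine(kernel_cap_t a, kernel_cap_t b)   { return a | b; }
static kernel_cap_t cap_drop(kernel_cap_t a, kernel_cap_t b)      { return a & ~b; }

/* One system-wide bounding set, as 2.4 had it. */
static kernel_cap_t cap_bset = CAP_FULL_SET;

/* Model of writing /proc/sys/kernel/cap-bound in 2.4: only init (pid 1) may set the
 * value outright; every other writer can only AND bits away. There is no "raise"
 * path, which is why a lowered cap_bset cannot be put back by the ACL loader. */
static void write_cap_bound(int pid, kernel_cap_t value)
{
    cap_bset = (pid == 1) ? value : cap_intersect(cap_bset, value);
}

struct creds { kernel_cap_t permitted, effective, inheritable; };

/* Model of the 2.4 exec-time rule: the file's permitted set is clipped by cap_bset,
 * the file's inheritable set is clipped by the process's inheritable set,
 * effective = permitted & file effective, inheritable carries through unchanged. */
static struct creds exec_creds(struct creds p, kernel_cap_t fP, kernel_cap_t fI, kernel_cap_t fE)
{
    struct creds n;
    n.permitted   = cap_combine(cap_intersect(fP, cap_bset),
                                cap_intersect(fI, p.inheritable));
    n.effective   = cap_intersect(n.permitted, fE);
    n.inheritable = p.inheritable;
    return n;
}

/* Lower cap_bset from a non-init process (constructed pid 4242), then try to put it
 * back. Returns 1 only if the bounding set came back to its original value; it does
 * not, because AND with all-ones is a no-op. */
static int bset_can_be_restored(void)
{
    kernel_cap_t saved = cap_bset;
    write_cap_bound(4242, cap_drop(CAP_FULL_SET, CAP_TO_MASK(CAP_SYS_ADMIN)));
    write_cap_bound(4242, CAP_FULL_SET);
    int restored = (cap_bset == saved);
    cap_bset = saved;                      /* undo for the other demos */
    return restored;
}

/* Permitted set a process ends up with after exec once CAP_SYS_ADMIN has been removed
 * from cap_bset; inheritable bits still flow through pI & fI, the clipped file bit does not. */
static kernel_cap_t permitted_after_narrowed_exec(void)
{
    kernel_cap_t saved = cap_bset;
    struct creds p = { 0, 0, CAP_TO_MASK(CAP_NET_ADMIN) };
    write_cap_bound(4242, cap_drop(CAP_FULL_SET, CAP_TO_MASK(CAP_SYS_ADMIN)));
    struct creds n = exec_creds(p,
        CAP_TO_MASK(CAP_SYS_ADMIN) | CAP_TO_MASK(CAP_CHOWN),  /* fP, constructed */
        CAP_FULL_SET,                                          /* fI, constructed */
        CAP_FULL_SET);                                         /* fE, constructed */
    cap_bset = saved;
    return n.permitted;   /* CAP_CHOWN | CAP_NET_ADMIN; CAP_SYS_ADMIN is gone */
}

/* Hypothetical name lookup tolerant of leading/trailing blanks (the cap_conv() fix the
 * post mentions); returns the bit number or -1 for an unknown name. */
static int cap_name_to_bit(const char *s)
{
    static const struct { const char *name; int bit; } tbl[] = {
        { "CAP_CHOWN", CAP_CHOWN }, { "CAP_NET_ADMIN", CAP_NET_ADMIN },
        { "CAP_SYS_ADMIN", CAP_SYS_ADMIN },
    };
    while (*s && isspace((unsigned char)*s)) s++;
    size_t n = strlen(s);
    while (n > 0 && isspace((unsigned char)s[n - 1])) n--;
    for (size_t i = 0; i < sizeof tbl / sizeof tbl[0]; i++)
        if (strlen(tbl[i].name) == n && strncmp(tbl[i].name, s, n) == 0)
            return tbl[i].bit;
    return -1;
}

int main(void)
{
    printf("cap_bset restorable after narrowing: %d\n", bset_can_be_restored());
    printf("permitted after narrowed exec: 0x%08x\n", permitted_after_narrowed_exec());
    printf("\"CAP_NET_ADMIN  \" -> bit %d\n", cap_name_to_bit("CAP_NET_ADMIN  "));
    return 0;
}
```

The design point is the asymmetry: cap_bset only ever shrinks for anyone but init, so a loader that narrows it for already-running processes has no way to recover if the policy was wrong, whereas applying the policy only to processes started afterwards keeps the mistake confined to those processes.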

ok

PostPosted: Mon Mar 04, 2002 8:39 pm
by spender
ok, all the issues have been resolved :) *phew*...final release is all diffed up...making rpms now.

PostPosted: Thu Mar 07, 2002 4:24 pm
by mwimer
Your mention of RPMs reminds me that I should mention that I plan on porting the patch back to one of the older redhat kernels. It should be a real trick. If you want to have a redhat kernel rpm with the grsecurity patch, contingent on my ability to do the port, I should have it pretty soon.

hmm

PostPosted: Thu Mar 07, 2002 4:37 pm
by spender
as long as it's > 2.4.11 and has the patch for the new kernel vuln applied to it, go for it

-Brad

PostPosted: Thu Mar 07, 2002 5:44 pm
by mwimer
Hmm, redhat's latest is 2.4.9. Maybe sometime soon they will release a newer kernel.

What changes are bundled in the RPMs?

PostPosted: Fri Mar 08, 2002 12:33 am
by l0ki
Do the RPMs you've released have the Redhat-based config files for included module/kernel device and feature support included? What modules, etc... are enabled in each different one, and what are the differences between low-med-high?

Can you bundle the source in the RPM as well? This would make it a lot easier to go back and do things like start with your already patched kernel and apply freeswan ipsec support, etc... Or if you really wanted to make my daily life easier, you could just include freeswan and IPsec support in the rpm... (hint, hint).

Does the 2.4.18 kernel in the RPM (I assume it does) have the kernel patch (security (mentioned on your site)) applied?

Any plans for updating grsparse anymore? You may want to bundle a secur(ed) httpd.conf with it also- for those who would leave php, mod this, and mod that enabled....

I've got grsec deployed on 20-25 servers now, been using it for about 1 or 1 1/2 years, and have had good luck so far.

Thanks for the good work!