grsecurity forums

[dermike]

Anyone get grsecurity patch working against the user mode linux patch?

I tried, but UML defines kernel_thread to return type 'int' and grsecurity defines it to return type 'long'. Currently looking into how either patch uses the function call and possibly the easiest way to make it work.

Wanted to make sure nobody else was doing this first... No need to duplicate effort when we could work together. :-)

Why would I be silly enough to do this? Wanted to set up a virtual hosting environment using user mode linux. This way I can still give users root on a virtual host without: a) spending money on hardware, b) spending money on vmware, c) spending CPU on other virtual machine emulators... The idea of hardening the UML instances about as much as the host OS would be nice.

I understand that none of the PAX/Memory security stuff will NOT work... But most of the other features should work (chroot restrictions, ACLs, proc restrictions, networking stuff... etc)

If nobody is currently working on this, then does anybody have any constructive advice?

Thanks
Mike

[pappy]

you could try coping with UML without grsec in the virtual machine.
try hardening the host system with grsecurity and a good acl for the uml processes

do not use the SKAS patch as it changes kernel behaviour on the host side which may make the host kernel vulnerable.

as far is i know the UML system only uses normal process behaviour to simulate the kernel of the UML where you could then try to startup virtual ssh daemons and http daemons and the like

HTH,

Alex