User Mode Linux and Grsec
Posted: Fri May 09, 2003 2:51 pm
Anyone get grsecurity patch working against the user mode linux patch?
I tried, but UML defines kernel_thread to return type 'int' and grsecurity defines it to return type 'long'. Currently looking into how either patch uses the function call and possibly the easiest way to make it work.
Wanted to make sure nobody else was doing this first... No need to duplicate effort when we could work together. :-)
Why would I be silly enough to do this? Wanted to set up a virtual hosting environment using user mode linux. This way I can still give users root on a virtual host without: a) spending money on hardware, b) spending money on vmware, c) spending CPU on other virtual machine emulators... The idea of hardening the UML instances about as much as the host OS would be nice.
I understand that none of the PAX/Memory security stuff will work... But most of the other features should work (chroot restrictions, ACLs, proc restrictions, networking stuff... etc)
If nobody is currently working on this, then does anybody have any constructive advice?
Thanks
Mike