few last minute things for grsecurity 1.9.4

Discuss and suggest new grsecurity features

few last minute things for grsecurity 1.9.4

Postby spender » Wed Dec 31, 1969 8:00 pm

We need to look over the capability code again, just to make sure inheritance is working correctly, etc.

Another thing, I had to remove the code that sets cap_bset for all the running processes, for the obvious reason that once you set the caps lower than they were initially with cap_intersect() it's impossible to undo that. It's not really important that we set the capabilities for all processes anyway...the cap changes should only affect things started after the acl system is loaded.

Another thing...the mmap protections won't allow files with interpreters to run, due to the built-in acl of /blahblahfile x, since the file needs read access as well...I don't know of a quick solution to fix this..we'll have to discuss it today.

I fixed the init code, and made the capability inheritance stuff set the capability for the process causing the inheritance as well...you'll understand if you look at the code. Otherwise the initial process wouldn't have the capabilities it needed to run, but any process it executed would be able to. I also fixed cap_conv() to handle the capability inheritance, and spaces after the cap name.
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
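The three points in the post above (lowering cap_bset with cap_intersect() is one-way, the process that execs into a subject must itself receive the subject's capabilities rather than only its children, and cap_conv() must tolerate blanks after a capability name) as a small C model. This is an added illustration, not code from the post or from grsecurity; it assumes the 32-bit kernel_cap_t bitmask of 2.4 kernels, "+CAP_X" / "-CAP_Y" policy lines in the style of gradm subject blocks, CAP_ALL meaning every bit, and an httpd-like sample policy that is constructed for the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the 2.4-era kernel_cap_t: one bit per capability in a 32-bit word. */
typedef uint32_t kcap_t;
#define CAP_TO_MASK(c) ((kcap_t)1u << (c))
#define CAP_ALL_MASK   0xffffffffu   /* assumption: CAP_ALL means every bit */

/* Bit numbers as in linux/capability.h. */
#define CAP_CHOWN             0
#define CAP_SETUID            7
#define CAP_NET_BIND_SERVICE 10
#define CAP_SYS_ADMIN        21

static const struct { const char *name; int bit; } cap_table[] = {
    { "CAP_CHOWN",            CAP_CHOWN },
    { "CAP_SETUID",           CAP_SETUID },
    { "CAP_NET_BIND_SERVICE", CAP_NET_BIND_SERVICE },
    { "CAP_SYS_ADMIN",        CAP_SYS_ADMIN },
};

static kcap_t cap_intersect(kcap_t a, kcap_t b) { return a & b; }
static bool cap_raised(kcap_t set, int c) { return (set & CAP_TO_MASK(c)) != 0; }

/* Resolve one capability name to a mask. The name may be followed by blanks
 * (the trailing-space case the post says cap_conv() now handles), so only the
 * token up to the first whitespace is compared. */
static bool cap_lookup(const char *name, kcap_t *mask)
{
    size_t len = strcspn(name, " \t\r\n");
    if (len == 7 && strncmp(name, "CAP_ALL", 7) == 0) {
        *mask = CAP_ALL_MASK;
        return true;
    }
    for (size_t i = 0; i < sizeof cap_table / sizeof cap_table[0]; i++) {
        if (strlen(cap_table[i].name) == len &&
            strncmp(name, cap_table[i].name, len) == 0) {
            *mask = CAP_TO_MASK(cap_table[i].bit);
            return true;
        }
    }
    return false;
}

/* Apply "+CAP_X" / "-CAP_Y" lines in order to *set (assumed syntax, modelled
 * on gradm subject capability lines). Returns false on a malformed line. */
bool caps_apply_policy(const char *const *lines, size_t n, kcap_t *set)
{
    for (size_t i = 0; i < n; i++) {
        const char *p = lines[i];
        while (isspace((unsigned char)*p))
            p++;
        char op = *p;
        kcap_t m;
        if ((op != '+' && op != '-') || !cap_lookup(p + 1, &m))
            return false;
        if (op == '+')
            *set |= m;
        else
            *set &= ~m;
    }
    return true;
}

/* Constructed sample subject: drop everything, then allow two capabilities.
 * Note the trailing and leading blanks on the lines. */
static const char *const sample_policy[] = {
    "-CAP_ALL",
    "+CAP_NET_BIND_SERVICE   ",
    "  +CAP_CHOWN",
};

kcap_t sample_subject_caps(void)
{
    kcap_t s = CAP_ALL_MASK;
    return caps_apply_policy(sample_policy, 3, &s) ? s : 0;
}

/* Lowering a bounding set is an intersect... */
kcap_t lower_bset(kcap_t bset, kcap_t policy) { return cap_intersect(bset, policy); }

/* ...and it is one-way: intersecting the lowered set with the full set again
 * cannot bring the dropped bits back. Returns true when that is observed. */
bool lowering_bset_is_one_way(void)
{
    kcap_t lowered = lower_bset(CAP_ALL_MASK, sample_subject_caps());
    return lowered != CAP_ALL_MASK && lower_bset(lowered, CAP_ALL_MASK) == lowered;
}

/* On exec into a subject, the task itself (not only its later children) takes
 * the subject's capabilities, bounded by its existing bset. */
struct task { kcap_t bset; kcap_t permitted; };

struct task exec_into_subject(struct task parent, kcap_t subject_caps)
{
    struct task t = { parent.bset, cap_intersect(parent.bset, subject_caps) };
    return t;
}

int main(void)
{
    struct task init = { CAP_ALL_MASK, CAP_ALL_MASK };
    struct task httpd = exec_into_subject(init, sample_subject_caps());
    printf("httpd permitted: %#x (bind: %d, sys_admin: %d)\n",
           (unsigned)httpd.permitted,
           cap_raised(httpd.permitted, CAP_NET_BIND_SERVICE),
           cap_raised(httpd.permitted, CAP_SYS_ADMIN));
    printf("bset lowering one-way: %d\n", lowering_bset_is_one_way());
    return 0;
}
```

The irreversibility is just the algebra of AND: once a bit is cleared in cap_bset, no further intersect can set it, which is why the post drops the "set cap_bset on every running process" step and lets only processes started after the ACL system is loaded pick up the new sets.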

ok

Postby spender » Mon Mar 04, 2002 8:39 pm

ok, all the issues have been resolved :) *phew*...final release is all diffed up...making rpms now.
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby mwimer » Thu Mar 07, 2002 4:24 pm

Your mention of RPMs reminds me that I should mention that I plan on porting the patch back to one of the older redhat kernels. It should be a real trick. If you want to have a redhat kernel rpm with the grsecurity patch, contingent on my ability to do the port, I should have it pretty soon.
mwimer
 
Posts: 13
Joined: Mon Mar 04, 2002 1:54 pm

hmm

Postby spender » Thu Mar 07, 2002 4:37 pm

as long as it's > 2.4.11 and has the patch for the new kernel vuln applied to it, go for it

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby mwimer » Thu Mar 07, 2002 5:44 pm

Hmm, redhat's latest is 2.4.9. Maybe sometime soon they will release a newer kernel.
mwimer
 
Posts: 13
Joined: Mon Mar 04, 2002 1:54 pm

What changes are bundled in the RPM's ?

Postby l0ki » Fri Mar 08, 2002 12:33 am

Do the RPM's you've released have the Redhat-based config files for included module/kernel device and feature support included? What modules, etc... are enabled in each different one, and what are the differences between low-med-high?

Can you bundle the source in the RPM as well? This would make it a lot easier to go back and do things like start with your already patched kernel and apply freeswan ipsec support, etc... Or if you really wanted to make my daily life easier, you could just include freeswan and IPsec support in the rpm... (hint, hint)..

Does the 2.4.18 kernel in the RPM (I assume it does) have the kernel patch (security (mentioned on your site)) applied?

Any plans for updating grsparse anymore? You may want to bundle a secur(ed) httpd.conf with it also- for those who would leave php, mod this, and mod that enabled....

I've got grsec deployed on 20-25 servers now, been using it for about 1 or 1 1/2 years, and have had good luck so far.

Thanks for the good work!
l0ki
 
Posts: 1
Joined: Fri Mar 08, 2002 12:25 am
