grsecurity forums

[aTan]

Hi, all!

First of all thanx to Spender & PAX Team for GREAT WORK.

Qestion is:
Will it work (grsec+VServer) in one kernel?

I want to separate guys on term.srv., but w/o
PAX/grsec running interactives on one machine will be nightmare.

[storm]

[...]Will it work (grsec+VServer) in one kernel? [...]

My general experience is that Yes it will work, but not without some effort - you do have to apply parts of the patch by hand. http://www.linux-vserver.org has links to several sites that provide patches already merged, but last I checked none of them are up-to-date. The two patches sometimes modify the same function, thus the need to hand-apply some patches. Most of the patch rejects are fairly trivial to resolve (lots of rejects surrounding #includes at the top, etc.), but a few require you to be somewhat familiar with the kernel.

Of course there is always some degree of risk of subtle or not-so-subtle interactions between the patches. Do familiarize yourself with the areas of the system that are modified esp. by the linux-vserver patch.

The process I follow to merge these:

1. plan on having five copies of the kernel tree.
2. extract one copy of the kernel tree, and plan on not touching it.
3. apply grsec first, to a second copy of the tree.
4. in a third copy of the tree, apply linux-vserver.
5. do a diff with much more context (I use 16 lines) between the pristine copy and the linux-vserver copy.
6. make a copy of the grsec tree, call it grsec+vserver or whatnot.
7. apply the diff from step 5 to the tree from step 6.
8. there will be dozens of .rej's. Carefully hand-apply each one.
9. make a copy of the tree from step 8
10. do your configs and builds in the tree from step 9.

Be particularly careful where function arguments have been changed, the changes are directly adjacent, or control flow and error handling have been changed by one or both patches. You will have to occasionally tweak #include's in some files.

Note that grsec has some functionality overlap with linux-vserver now, with regard to hiding processes in chroot's from each other. Also note that double-chroot is handled differently by the two patches.

[storm]

Will it work (grsec+VServer) in one kernel?

One more thing - newer linux-vserver versions have added the capability to change the user/kernel "split" to something other than 3GB/1GB. I was uncomfortable with how these changes might affect vma-mirroring et al, and so did not apply that part of the vserver patch.

[PaX Team]

One more thing - newer linux-vserver versions have added the capability to change the user/kernel "split" to something other than 3GB/1GB. I was uncomfortable with how these changes might affect vma-mirroring et al, and so did not apply that part of the vserver patch.

shouldn't be a problem, only the userland DS/CS descriptors need a manual update, the rest is a function of TASK_SIZE already.

[aTan]

Thanx, storm&PAX !
After all our holidays I'll go to merge things.

2storm: Steps, you describe, is like my standard semi-automated
procedure to apply patches to krnl and gcc/glibc. It really helps.

Thanx once more.