grsecurity 2.1.10 released for Linux 2.4.34/2.6.19.2

grsecurity 2.1.10 was released today for Linux 2.4.34 and 2.6.19.2. 
Changes in this release include:

    * Fixes to PaX flag support in RBAC system
    * PaX updates for non-x86 architectures in 2.4.34 patch
    * Fix for setpgid in chroot problem reported on forums
    * Removal of randomized PIDs feature, since it provides no useful 
      additional security and wastes memory with the 2.6 kernel's pid bitmap
    * Fixed /proc usage in a chroot in 2.6 patch
    * Added admin role to generated policy from full learning

The version was incremented due to required gradm changes for the PaX 
flags.  This patch corrects the "dropped command" problem reported here 
on the mailing list and the forums.  I've also posted an official 
comment on the website regarding the alleged vulnerabilities in 
grsecurity/PaX.

-Brad

_______________________________________________
grsecurity mailing list
grsecurity@...
http://grsecurity.net/cgi-bin/mailman/listinfo/grsecurity

Re: grsecurity 2.1.10 released for Linux 2.4.34/2.6.19.2

in the latest patch:
-           min_t(unsigned long, KERNEL_PGD_PTRS, USER_PGD_PTRS));
+           min(unsigned long, KERNEL_PGD_PTRS, USER_PGD_PTRS));

for ./arch/i386/kernel/smpboot.c

this should be:
min(KERNEL_PGD_PTRS, USER_PGD_PTRS)); => the extra bracket is for...
hell, read the patch ;))
right? because min only takes 2 args
or it shouldn't be changed at all, that's a possibility too :)

right now, i get a compiler error on that one...

Brad Spengler wrote:
> grsecurity 2.1.10 was released today for Linux 2.4.34 and 2.6.19.2. 
> Changes in this release include:
> 
>     * Fixes to PaX flag support in RBAC system
>     * PaX updates for non-x86 architectures in 2.4.34 patch
>     * Fix for setpgid in chroot problem reported on forums
>     * Removal of randomized PIDs feature, since it provides no useful 
>       additional security and wastes memory with the 2.6 kernel's pid bitmap
>     * Fixed /proc usage in a chroot in 2.6 patch
>     * Added admin role to generated policy from full learning
> 
> The version was incremented due to required gradm changes for the PaX 
> flags.  This patch corrects the "dropped command" problem reported here 
> on the mailing list and the forums.  I've also posted an official 
> comment on the website regarding the alleged vulnerabilities in 

Re: grsecurity 2.1.10 released for Linux 2.4.34/2.6.19.2

On 15 Jan 2007 at 19:22, harry wrote:

> in the latest patch:
> -           min_t(unsigned long, KERNEL_PGD_PTRS, USER_PGD_PTRS));
> +           min(unsigned long, KERNEL_PGD_PTRS, USER_PGD_PTRS));
> 
> for ./arch/i386/kernel/smpboot.c
> 
> this should be:
> min(KERNEL_PGD_PTRS, USER_PGD_PTRS)); => the extra bracket is for...
> hell, read the patch ;))
> right? because min only takes 2 args
> or it shouldn't be changed at all, that's a possibility too :)

min_t is the right code, it shouldn't be changed.

Re: grsecurity 2.1.10 released for Linux 2.4.34/2.6.19.2

I am puzzled.  

In the latest patch (grsecurity-2.1.10-2.6.19.2-200701151353.patch just
downloaded) I don't see these lines at all.

Has the correction been made to the patch?  

ie should min_t not have been changed to min anyway?

Sorry for my confusion but the response was rather ambiguous whether 

(a) the kernel shouldn't be changed or

(b) the patch shouldn't be changed.

:)

Best wishes

John

John Logsdon                               "Try to make things as simple
Quantex Research Ltd, Manchester UK         as possible but not simpler"
j.logsdon@...              a.einstein@...
+44(0)161 445 4951/G:+44(0)7717758675       www.quantex-research.com

On Wed, 17 Jan 2007 pageexec@... wrote:

> On 15 Jan 2007 at 19:22, harry wrote:
> 

Re: grsecurity 2.1.10 released for Linux 2.4.34/2.6.19.2

John Logsdon wrote:
> I am puzzled.  
> 
> In the latest patch (grsecurity-2.1.10-2.6.19.2-200701151353.patch just
> downloaded) I don't see these lines at all.
> 
> Has the correction been made to the patch?  

it's fixed in the patch you downloaded

--

-- 
harry
aka Rik Bobbaers

K.U.Leuven - LUDIT          -=- Tel: +32 485 52 71 50
Rik.Bobbaers@... -=- http://people.linux-vserver.org/~harry

thinking always leads to conclusions... and those can be extremely dangerous
-- me ;)

Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm

2.4.34 with grsecurity locks up at boot on SMP

Hello All,

I've just upgraded a backup server from 2.4.33.3-grsec to 2.4.34-grsec, but
the new kernel stops at boot. 2.4.33.3-grsec and plain 2.4.34 both run fine on
the same hardware. The machine runs Debian Sarge and I use gcc 3.4 for kernel
compilation with -march=pentium3. I attached the kernel configuration and also
made a screenshot (a real shot :) about the console when it stops:

http://fotok.adi.priv.hu/IMG_8487.JPG

The "Booting processor 1/0 eip 3000" is the last line displayed, then it
responds to nothing. I had to reboot it using the reset switch.

Do anybody have any ideas what could be the problem?

Regards,

Gábor

#
# Automatically generated by make menuconfig: don't edit
#
CONFIG_X86=y
# CONFIG_SBUS is not set
CONFIG_UID16=y

#
# Code maturity level options
#

Re: 2.4.34 with grsecurity locks up at boot on SMP

On 17 Jan 2007 at 22:13, Adorjáni Gábor wrote:
> http://fotok.adi.priv.hu/IMG_8487.JPG
> 
> The "Booting processor 1/0 eip 3000" is the last line displayed, then it
> responds to nothing. I had to reboot it using the reset switch.

does the kernel boot with maxcpus=1? does a UP grsec kernel boot?
and finally, does a pax only kernel boot (smp/up)?

_______________________________________________
grsecurity mailing list
grsecurity <at> grsecurity.net
http://grsecurity.net/cgi-bin/mailman/listinfo/grsecurity

Re: 2.4.34 with grsecurity locks up at boot on SMP

On 17 Jan 2007 at 22:13, Adorjáni Gábor wrote:

> http://fotok.adi.priv.hu/IMG_8487.JPG
> 
> The "Booting processor 1/0 eip 3000" is the last line displayed, then it
> responds to nothing. I had to reboot it using the reset switch.

even better, does it boot with CONFIG_PAX_MEMORY_UDEREF disabled?

_______________________________________________
grsecurity mailing list
grsecurity <at> grsecurity.net
http://grsecurity.net/cgi-bin/mailman/listinfo/grsecurity

PAX enabled kernel and suspend2 - hangs during hibernate-ram

Hi,

I'm trying to enable PAX in kernel 2.6.19.2 patched with suspend2 patch.
Script hibernate-ram works great on my laptop, if PAX is not enabled
(works on my 2.6.19.1-grsec kernel with the same suspend2 patch).

After enabling PAX options hibernate-ram scripts hangs with
following error:

Stopping tasks ... done.
Suspending console(s)

and laptop doesn't get hibernated. I can oonly turn off laptop with
power button.

PAX kernel config:

CONFIG_PAX_NOEXEC=y
CONFIG_PAX_SEGMEXEC=y
CONFIG_PAX_MPROTECT=y
CONFIG_PAX_NOELFRELOCS=y
CONFIG_PAX_KERNEXEC=y

CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y

CONFIG_PAX_MEMORY_SANITIZE=y
CONFIG_PAX_MEMORY_UDEREF=y

Re: PAX enabled kernel and suspend2 - hangs during hibernate-ram

Hello,

Lubomir Host wrote:
> CONFIG_PAX_MEMORY_SANITIZE=y
> CONFIG_PAX_MEMORY_UDEREF=y

Try without these two options. And report back to the list.

Regards,
--
  .''`. Torbjörn Svensson, azoff (at) se (dot) linux (dot) org
 : :' : 7EB9 2DC5 61AE DAB5 7099  BAC6 798E E39A DBDB 0CFD
 `. `'  http://www.azoff.se | http://dev.azoff.se
   `--  http://se.linux.org