Francois Marier | 7 Apr 08:35 2008

RSS feed for grsecurity test patches

For those who want to keep track of new test patches, I have created an RSS
feed (updated daily) which keeps track of the new grsecurity patches posted
on the website:

  http://feeds.feedburner.com/grsecurity

Francois
fire-eyes | 8 Apr 03:37 2008

Re: RSS feed for grsecurity test patches

Francois Marier wrote:
> For those who want to keep track of new test patches, I have created an RSS
> feed (updated daily) which keeps track of the new grsecurity patches posted
> on the website:
> 
>   http://feeds.feedburner.com/grsecurity
> 
> Francois

Good idea. Does this also include test patches?

Thank You!
Francois Marier | 8 Apr 04:13 2008

Re: RSS feed for grsecurity test patches

On 2008-04-07 at 18:37:12, fire-eyes wrote:
> Good idea. Does this also include test patches?

Yes, in fact it only includes test patches.  But I am planning to add gradm
and PaX as well.

Francois
Brad Spengler | 15 Apr 03:07 2008

grsecurity 2.1.11 released for Linux 2.4.36.2/2.6.24.4

A new stable version of grsecurity has been released for the 2.4.36.2 
and 2.6.24.4 versions of the Linux kernel. This release is a maintenance 
release (due to the work required in porting such a large patchset to 
each new 2.6 kernel as we have with the test patches), though we 
continue to welcome suggestions for additional features for grsecurity. 

Changes in this release include:

    * Many bugfixes, including fixes for RBAC auditing and RBAC policy 
      recreation from renaming.
    * Relaxed restrictions for the 'd' subject flag in the RBAC system 
      -- a task may now access its own /proc/<pid>/fd and mem entries.
    * Forced compiler errors on mistaken PaX configuration (such as 
      enabling PAX_NOEXEC but not enabling SEGMEXEC nor PAGEEXEC).
    * Extended username limits in the RBAC system
    * Improved policy verification and base policy enforcement
    * Added support for new capabilities added in Linux 2.6
    * Updated default policy and learning configuration
    * Corrected policy support on files larger than 2gb prior to the 
      RBAC system being enabled
    * An update to the latest version of PaX which includes numerous
      bugfixes

Due to Linux kernel developers continuing to silently fix exploitable 
bugs (in particular, trivially exploitable NULL ptr dereference bugs 
continue to be fixed without any mention of their security implications) 
we continue to suggest that the 2.6 kernels be avoided if possible.

It is not clear if the PaX Team will be able to continue supporting 
future versions of the 2.6 kernels, given their rapid rate of release 
(Continue reading)
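
The changelog above says the build now fails on a mistaken PaX configuration such as PAX_NOEXEC enabled without SEGMEXEC or PAGEEXEC. As an added illustration (not code from grsecurity or PaX), here is a small pre-build check that parses a kernel .config and flags that combination before the compile runs; the .config fragments are constructed samples.

```python
import re

# Constructed sample .config fragments (not taken from the page or from any real build).
BROKEN_CONFIG = """\
CONFIG_GRKERNSEC=y
CONFIG_PAX=y
CONFIG_PAX_NOEXEC=y
# CONFIG_PAX_PAGEEXEC is not set
# CONFIG_PAX_SEGMEXEC is not set
"""

GOOD_CONFIG = """\
CONFIG_PAX=y
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
# CONFIG_PAX_SEGMEXEC is not set
"""


def parse_config(text):
    """Parse Kconfig-style .config text into {symbol: value}.

    '# CONFIG_FOO is not set' lines are recorded as 'n' so that an explicitly
    disabled symbol is distinguishable from one the config never mentions.
    """
    symbols = {}
    for line in text.splitlines():
        line = line.strip()
        unset = re.match(r'^# (CONFIG_\w+) is not set$', line)
        if unset:
            symbols[unset.group(1)] = 'n'
            continue
        setting = re.match(r'^(CONFIG_\w+)=(.*)$', line)
        if setting:
            symbols[setting.group(1)] = setting.group(2)
    return symbols


def check_pax_noexec(symbols):
    """Return a list of problems; an empty list means NOEXEC is consistently configured."""
    problems = []
    if symbols.get('CONFIG_PAX_NOEXEC') == 'y':
        backends = ('CONFIG_PAX_PAGEEXEC', 'CONFIG_PAX_SEGMEXEC')
        if not any(symbols.get(s) == 'y' for s in backends):
            problems.append('CONFIG_PAX_NOEXEC=y but neither '
                            'CONFIG_PAX_PAGEEXEC nor CONFIG_PAX_SEGMEXEC is enabled')
    return problems


if __name__ == '__main__':
    for name, cfg in (('broken', BROKEN_CONFIG), ('good', GOOD_CONFIG)):
        print(name, check_pax_noexec(parse_config(cfg)) or 'ok')
```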

John Logsdon | 15 Apr 10:40 2008

Re: grsecurity 2.1.11 released for Linux 2.4.36.2/2.6.24.4

Brad, PaX Team, everyone

Firstly the appreciation of all needs to be expressed for the continued 
maintenance of grsec.

Secondly, given the continued release issues with the 2.6 kernel, I am sure 
that all will understand the problem of supporting such a moving target.  
However most Linux implementations offer either 2.6 as default or do not 
offer 2.4 kernels anyway and there may be other issues which make it 
necessary to use 2.6 in some cases.

Your suggestion of moving to support only, say, the Ubuntu production kernels 
seems sensible.  I would add in the RHEL (or Fedora) kernels if that 
were possible.  Most production implementations where protection is crucial 
use or derive from these - particularly RHEL - so most installations will be 
covered while keeping the task within manageable proportions.  

Some sysadmins are understandably wary of using vanilla, i.e. non-production, 
kernels so this may lead to a greater uptake of grsec if a grsec-enhanced 
ready-rolled kernel is put up on appropriate repositories alongside a 
ready-patched kernel.

This might lead to collaboration - and support - from either of these 
organisations and show them that there is a better alternative to the 
standard offering of (dare I say it) SEL.

On Tuesday 15 April 2008 02:07:46 Brad Spengler wrote:
> A new stable version of grsecurity has been released for the 2.4.36.2
> and 2.6.24.4 versions of the Linux kernel. This release is a maintenance
> release (due to the work required in porting such a large patchset to
(Continue reading)

Heiko Zuerker | 15 Apr 16:09 2008

Re: grsecurity 2.1.11 released for Linux 2.4.36.2/2.6.24.4


Quoting Brad Spengler <spender@...>:
> Due to Linux kernel developers continuing to silently fix exploitable
> bugs (in particular, trivially exploitable NULL ptr dereference bugs
> continue to be fixed without any mention of their security implications)
> we continue to suggest that the 2.6 kernels be avoided if possible.
>
> It is not clear if the PaX Team will be able to continue supporting
> future versions of the 2.6 kernels, given their rapid rate of release
> and the incredible amount of work that goes into porting such a
> low-level enhancement to the kernel (especially now in view of the
> reworking of the i386/x86-64 trees). It may be necessary that grsecurity
> instead track the Ubuntu LTS kernel so that users can have a stable
> kernel with up-to-date security fixes. I will update this page when a
> final decision has been reached.
>
> In the meantime, please email pageexec@... and let him know how
> much you appreciate the hard work he has put in for the past 8 years.
> The accomplishments of the PaX Team have extended far beyond just Linux,
> and have today found their way into all mainstream operating systems.

We all certainly do appreciate all the work you're putting into  
grsecurity and pax. It helps us achieve a level of security which  
wouldn't be possible otherwise.

It's going to be a problem for distros like Devil-Linux, if you use a  
kernel from a mainstream distro as the base for your patches. We're  
compiling everything from vanilla sources and certainly are not  
willing to use a bloated kernel from a mainstream distro as our base.

(Continue reading)

Carlos Carvalho | 16 Apr 04:54 2008

Re: grsecurity 2.1.11 released for Linux 2.4.36.2/2.6.24.4

Brad Spengler (spender@...) wrote on 14 April 2008 21:07:
 >It is not clear if the PaX Team will be able to continue supporting 
 >future versions of the 2.6 kernels, given their rapid rate of release 
 >and the incredible amount of work that goes into porting such a 
 >low-level enhancement to the kernel (especially now in view of the 
 >reworking of the i386/x86-64 trees). It may be necessary that grsecurity 
 >instead track the Ubuntu LTS kernel so that users can have a stable 
 >kernel with up-to-date security fixes. I will update this page when a 
 >final decision has been reached.

This would be very inconvenient for those who don't run ubuntu, and
worse for those that compile their own kernels...

There are some releases that are meant to be stable and include fixes
(not only security ones), such as the one taken care of by Adrian
Bunk. I suggest you track one of these instead of a distribution's.
It'd have to be a release that has the unification of the i386/x86-64
trees though.
tibor.tolgyesi | 16 Apr 09:36 2008

Re: grsecurity 2.1.11 released for Linux 2.4.36.2/2.6.24.4

Hi guys,

This might be a little off-topic. I don't know much about the history of grsec and pax, but if these patches
are really good things, then why not merge them in the official kernel source?

What is against this?

Regards,
Tibor Tölgyesi

-----Original Message-----
From: Carlos Carvalho [mailto:carlos@...] 
Sent: Wednesday, April 16, 2008 4:55 AM
To: grsecurity@...
Subject: Re: [grsec] grsecurity 2.1.11 released for Linux 2.4.36.2/2.6.24.4

Brad Spengler (spender@...) wrote on 14 April 2008 21:07:
 >It is not clear if the PaX Team will be able to continue supporting 
 >future versions of the 2.6 kernels, given their rapid rate of release 
 >and the incredible amount of work that goes into porting such a 
 >low-level enhancement to the kernel (especially now in view of the 
 >reworking of the i386/x86-64 trees). It may be necessary that grsecurity 
 >instead track the Ubuntu LTS kernel so that users can have a stable 
 >kernel with up-to-date security fixes. I will update this page when a 
 >final decision has been reached.

This would be very inconvenient for those who don't run ubuntu, and
worse for those that compile their own kernels...

There are some releases that are meant to be stable and include fixes
(Continue reading)

bodik | 16 Apr 11:57 2008

Re: grsecurity 2.1.11 released for Linux 2.4.36.2/2.6.24.4

Carlos Carvalho wrote:
> Brad Spengler (spender@...) wrote on 14 April 2008 21:07:
>  >It is not clear if the PaX Team will be able to continue supporting 
>  >future versions of the 2.6 kernels, given their rapid rate of release 
>  >and the incredible amount of work that goes into porting such a 
>  >low-level enhancement to the kernel (especially now in view of the 
>  >reworking of the i386/x86-64 trees). It may be necessary that grsecurity 
>  >instead track the Ubuntu LTS kernel so that users can have a stable 
>  >kernel with up-to-date security fixes. I will update this page when a 
>  >final decision has been reached.
> 
> This would be very inconvenient for those who don't run ubuntu, and
> worse for those that compile their own kernels...

Hi,

First, we (my colleagues and I) very much appreciate the work you have done
so far for Linux kernel security. Thank you ... because of YOUR work, we
are still winning the everyday fight with naughty students of our
university, who test any new kernel exploit on our servers instead of
researching in Matlab ;))

Second, I have to agree with Carlos: I'd rather have a patch which
fits the original vanilla kernel - it's more generic, more useful. IMHO.

bodik
