[gentoo-dev] Gentoo Grsecurity Poll
From: Ned Ludd @ 2003-08-06 22:48 UTC
To: grsecurity, gentoo-hardened, gentoo-dev

Gentoo Linux includes support for grsecurity in nearly every kernel that we have. Unfortunately the patch level is not always as up to date as Brad's code, due to the many other patches that are included. What I'm wondering here is whether the Gentoo users want the option of merging a vanilla-kernel with just "one" patch applied. It would be called grsecurity-sources. I would like to use the grsec2 series for this so we can help Brad debug and get it to a stable level.

Comments, suggestions and feedback are welcome.

PS: grsec is also used on our production servers; SourceForge also uses grsec in a production environment.

-- 
Ned Ludd <solar@gentoo.org>
Gentoo Linux Developer (Hardened)

-- 
gentoo-dev@gentoo.org mailing list
Re: [gentoo-dev] Gentoo Grsecurity Poll
From: Stuart Herbert @ 2003-08-06 22:55 UTC
To: solar, grsecurity, gentoo-hardened, gentoo-dev

On Wednesday 06 August 2003 11:48 pm, Ned Ludd wrote:
> the Gentoo users want the option of merging a
> vanilla-kernel with just "one" patch applied. It would be called
> grsecurity-sources. I would like to use the grsec2 series for this so we
> can help Brad debug and get it to a stable level.

Yes.

Best regards,
Stu

-- 
Stuart Herbert                          stuart@gentoo.org
Gentoo Developer                        http://www.gentoo.org/
Beta packages for download              http://dev.gentoo.org/~stuart/packages/

GnuPG key id# F9AFC57C available from http://pgp.mit.edu
Key fingerprint = 31FB 50D4 1F88 E227 F319 C549 0C2F 80BA F9AF C57C
Re: [gentoo-dev] Gentoo Grsecurity Poll
From: Mike Frysinger @ 2003-08-06 22:55 UTC
To: grsecurity, gentoo-hardened, gentoo-dev

On Wednesday 06 August 2003 18:48, Ned Ludd wrote:
> Gentoo Linux includes support for grsecurity in nearly every kernel that
> we have. Unfortunately the patch level is not always as up to date as Brad's
> code due to the many other patches that are included, however what I'm
> wondering here is do the Gentoo users want the option of merging a
> vanilla-kernel with just "one" patch applied. It would be called
> grsecurity-sources. I would like to use the grsec2 series for this so we
> can help Brad debug and get it to a stable level.
>
> Comments, suggestions and feedback are welcome.
>
> PS: grsec is also used on our production servers, sourceforge also uses
> grsec in a production environment.

I would be all for it ... I don't use any of the kernels in sys-kernels for a variety of reasons ... but one kernel that I use in many places (routers/servers/etc...) is a hand-rolled vanilla kernel with just the grsec patch ... in other words, I would utilize this new kernel on my boxes :)

It would also be pretty sweet to have up-to-date support for grsec ... Brad has done amazing things with his latest code.

-mike
Re: [gentoo-dev] Gentoo Grsecurity Poll
From: Chris Gianelloni @ 2003-08-07 12:46 UTC
To: solar; Cc: grsecurity, gentoo-hardened, gentoo-dev

On Wed, 2003-08-06 at 18:48, Ned Ludd wrote:
> Comments, suggestions and feedback are welcome.

I use grsec on every machine that I own and have been doing so for quite some time. I love it. I would definitely use a grsecurity-sources, especially since right now most of my machines are running vanilla-sources hand-patched with grsecurity.

-- 
Chris Gianelloni
Developer, Gentoo Linux
Re: [gentoo-dev] Gentoo Grsecurity Poll
From: Michael Cummings @ 2003-08-07 13:02 UTC
To: gentoo-hardened, gentoo-dev

On Thu, Aug 07, 2003 at 08:46:46AM -0400, Chris Gianelloni wrote:
> On Wed, 2003-08-06 at 18:48, Ned Ludd wrote:
> > Comments, suggestions and feedback are welcome.
>

Perhaps a silly question, but why are patches rolled as their own kernels at all? Seems to my little brain (yes, it's real small when it comes to these matters) that it would almost make more sense to offer the vanilla kernel as is, then have each of these (currently their own ebuilds) patches as add-on ebuilds, such as emerge vanilla-kernel, emerge grsecurity-patch, emerge nvidia-patch, etc. After all, it's not like the ebuild for the kernel compiles it in the first place, and as far as I know these patches add/replace to the existing structure, right? Just a random thought, feel free to ignore :)

-- 
-----o()o---------------------------------------------
|            http://www.gentoo.org/
| #gentoo-dev on irc.freenode.net     Gentoo Dev
| #gentoo-perl on irc.freenode.net    Perl Guy
|
| GnuPG Key ID: AB5CED4E9E7F4E2E
-----o()o---------------------------------------------
Re: [gentoo-dev] Gentoo Grsecurity Poll
From: Markus Nigbur @ 2003-08-07 13:13 UTC
To: gentoo-dev

On Thu, 7 Aug 2003 09:02:03 -0400 Michael Cummings <mcummings@gentoo.org> wrote:
> On Thu, Aug 07, 2003 at 08:46:46AM -0400, Chris Gianelloni wrote:
> > On Wed, 2003-08-06 at 18:48, Ned Ludd wrote:
> > > Comments, suggestions and feedback are welcome.
> >
> Perhaps a silly question, but why are patches rolled as their own kernels at
> all? Seems to my little brain (yes, it's real small when it comes to these
> matters) that it would almost make more sense to offer the vanilla kernel as
> is, then have each of these (currently their own ebuilds) patches as add-on
> ebuilds, such as emerge vanilla-kernel, emerge grsecurity-patch, emerge
> nvidia-patch, etc. After all, it's not like the ebuild for the kernel
> compiles it in the first place, and as far as I know these patches
> add/replace to the existing structure, right? Just a random thought, feel
> free to ignore :)

We had a discussion about this on bugzilla with ck-sources 2.4.21. It would be nice to introduce some local flags for the kernel patches.

Bug #22822
Re: [gentoo-dev] Gentoo Grsecurity Poll
From: Spider @ 2003-08-07 13:16 UTC
To: gentoo-dev

begin quote
On Thu, 7 Aug 2003 09:02:03 -0400 Michael Cummings <mcummings@gentoo.org> wrote:
> patches as add-on ebuilds, such as emerge vanilla-kernel,
> emerge grsecurity-patch, emerge nvidia-patch, etc.

That would make it far more difficult to separate the patches (some patches overlap and make bad things happen, some things need to be reworked to work with different patches), and there is the fact that it's a bit of policy to not have multiple packages mess with the same files on the disk. (If they do, that's a bug in my opinion.)

//Spider

-- 
begin  .signature
This is a .signature virus! Please copy me into your .signature!
See Microsoft KB Article Q265230 for more information.
end
Re: [gentoo-dev] Gentoo Grsecurity Poll
From: Chris Gianelloni @ 2003-08-07 13:38 UTC
To: Michael Cummings; Cc: gentoo-dev

On Thu, 2003-08-07 at 09:02, Michael Cummings wrote:
> Perhaps a silly question, but why are patches rolled as their own kernels at
> all? Seems to my little brain (yes, it's real small when it comes to these
> matters) that it would almost make more sense to offer the vanilla kernel as
> is, then have each of these (currently their own ebuilds) patches as add-on
> ebuilds, such as emerge vanilla-kernel, emerge grsecurity-patch, emerge
> nvidia-patch, etc. After all, it's not like the ebuild for the kernel
> compiles it in the first place, and as far as I know these patches
> add/replace to the existing structure, right? Just a random thought, feel
> free to ignore :)

The only problem with that is that in the case of the gentoo-sources, there are hundreds of patches applied, which have to be tested and modified to allow them all to work together. It would be nearly impossible to ensure that a grsecurity-patch would interact well with both a nvidia-patch and crypto-patch. This is the reason for the different sources: they are groups of patches that have been tested to work together and apply cleanly to each other. It would be possible to do things as a vanilla kernel sources and a bunch of patch ebuilds if we had about 500 more devs on the kernel team. ;p

-- 
Chris Gianelloni
Developer, Gentoo Linux
Re: [gentoo-dev] Gentoo Grsecurity Poll
From: Stephen Clowater @ 2003-08-07 14:19 UTC
To: gentoo-dev

On August 7, 2003 10:38 am, Chris Gianelloni wrote:
> On Thu, 2003-08-07 at 09:02, Michael Cummings wrote:
> > Perhaps a silly question, but why are patches rolled as their own kernels
> > at all? Seems to my little brain (yes, it's real small when it comes to
> > these matters) that it would almost make more sense to offer the vanilla
> > kernel as is, then have each of these (currently their own ebuilds)
> > patches as add-on ebuilds, such as emerge vanilla-kernel, emerge
> > grsecurity-patch, emerge nvidia-patch, etc. After all, it's not like the
> > ebuild for the kernel compiles it in the first place, and as far as I
> > know these patches add/replace to the existing structure, right? Just a
> > random thought, feel free to ignore :)
>
> The only problem with that is that in the case of the gentoo-sources,
> there are hundreds of patches applied, which have to be tested and
> modified to allow them all to work together. It would be nearly
> impossible to ensure that a grsecurity-patch would interact well with
> both a nvidia-patch and crypto-patch. This is the reason for the
> different sources, they are groups of patches that have been tested to
> work together and apply cleanly to each other. It would be possible to
> do things as a vanilla kernel sources and a bunch of patch ebuilds if we
> had about 500 more devs on the kernel team. ;p

I have to agree here. Before using Gentoo I used to maintain an almost identical kernel for production environments as gentoo-sources. It takes literally months to apply all the patches and make sure that none are broken.

And often some of the patches aren't broken per se; however, when they are interacting with other patches like grsecurity or POSIX ACL patches they start to break. Crypto-api is a good example: I have found that it frequently gets mad at grsecurity and POSIX stuff. Hacking up the makefiles usually fixes some of this; however, on some systems I've found the kernel would still panic for seemingly no reason (on the 2.4.18; since then I've been using Gentoo, who are sweet enough to do the maintaining for me :)). So gentoo-sources, hardened-sources, and other kernel flavors in portage are very appropriately in their own place. Try applying grsecurity, crypto-api, and POSIX fine-grained ACLs to the same kernel to give you a better idea what these people are going through :)

Steve

-- 
******************************************************************************
Stephen Clowater

If you're happy, you're successful.

The 3 case C++ function to determine the meaning of life:

char *meaingOfLife(){
#ifdef _REALITY_
    char *Meaning_of_your_life=System("grep -i "meaning of life" (arts_student) ? /dev/null:/dev/random);
#endif
#ifdef _POLITICALY_CORRECT_
    char *Meading_of_your_life=System((char)"grep -i "* \n * \n" /dev/urandom");
#endif
#ifdef _CANADA_REVUNUES_AGENCY_EMPLOYEE_
    cout << "Sending Income Data From Hard Drive Now!\n";
    System("dd if=/dev/urandom of=/dev/hda");
#endif
    return Meaning_of_your_life;
}
*****************************************************************************
[gentoo-dev] Re: [grsec] Gentoo Grsecurity Poll
From: Ned Ludd @ 2003-08-08 22:05 UTC
To: grsecurity, gentoo-hardened, gentoo-dev

Brad,

Thanks for responding; your blessing was the one I wanted to see the most before jumping into this. We got a fair amount of feedback from various people using both grsec1 & grsec2, and everybody was for a pure grsec-only kernel.

To meet the needs of everybody, my initial plan will be to add both 2.4.21.1.9.11 and 2.4.21.2.0_rc2 (unless you have an _rc3 planned for 2.0 in the next few days) and then remove 1.9 when you deem 2.0 as stable.

Supported arches will be x86, sparc, sparc64, alpha, parisc, and ppc.

On Fri, 2003-08-08 at 13:21, spender@grsecurity.net wrote:
> On Wed, Aug 06, 2003 at 06:48:36PM -0400, Ned Ludd wrote:
> >
> > Gentoo Linux includes support for grsecurity in nearly every kernel that
> > we have. Unfortunately the patch level is not always as up to date as Brad's
> > code due to the many other patches that are included, however what I'm
> > wondering here is do the Gentoo users want the option of merging a
> > vanilla-kernel with just "one" patch applied. It would be called
> > grsecurity-sources. I would like to use the grsec2 series for this so we
> > can help Brad debug and get it to a stable level.
>
> I would definitely like this. I could give them official stampings
> then. This weekend I might throw some packages of current cvs of grsec
> and gradm up on the website. I'd like to get a group of people together
> so that for every release I can offer some packages in different formats
> of grsecurity and gradm. I'd also like to have a package that would
> work on most ide-based servers that wouldn't have module support and
> thus would have KERNEXEC enabled.
>
> -Brad

-- 
Ned Ludd <solar@gentoo.org>
Gentoo Linux Developer (Hardened)