On 16/06/10 11:26, Pavel Labushev wrote:
> I think GRKERNSEC_BRUTE deserves a bit more explanation, as long as in
> some (most?) cases it seems to be the single little trick that prevents
> preforked apps to be eventually owned with no regard to ASLR, especially
> on x86.
>

Updated the explanation a bit, I hope you find it more appropriate.

> Also, maybe a reader should be advised to develop a policy to
> autorestart preforked apps when the relevant records appear in the grsec
> log? They are "Segmentation fault" and "Illegal instruction". And maybe
> it deserves to be mentioned that SIGSEGV does not trigger the fork()
> delay, so the autorestart policy which takes frequent SIGSEGV log
> messages into account is a right thing.
>

Updated that too. I also commented that a small edit of the patch could also be valid to add the SIGSEGV signal to those controlled.

> Btw, it's not "some delays" but the 30 seconds hardcoded in
> grsecurity/grsec_sig.c.
>

Added also. I wrote "some delays" to make it more generic and easily accessible, though I see that stating the delay helps a lot to see what the consequences are if the bug is triggered.

Thanks for your comments :D

On 13/06/10 15:30, ascii wrote:
> seems nice to me, consider contacting someone @
> http://www.gentoo.org/proj/en/gdp/index.xml
>

Well, I won't mind converting the doc to GuideXML if this document is interesting. All I need is a go-ahead from someone on the Hardened team.

> perhaps you'll also like this project
>
> http://lollobox.org/
>

Seems cool, but a bit left over (also I don't currently own a working laptop) :/

It's a pity how most securization projects end up dying because people think great technical skills are needed to contribute.
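The autorestart policy discussed above (frequent "Segmentation fault" / "Illegal instruction" records in the grsec log) could be driven by a check like the following. This is an added example, not part of the thread or of grsecurity: the log line layout, the sample lines, the binary paths and the threshold/window values are all assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line layout (constructed, not taken from the thread): syslog
# prefix, then "grsec: <record> occurred at <addr> in <path>[<comm>:<pid>]".
RECORD = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ kernel: grsec: "
    r"(?P<kind>Segmentation fault|Illegal instruction) occurred at \S+ "
    r"in (?P<path>\S+?)\[")

def restart_candidates(lines, threshold=3, window=timedelta(seconds=60), year=2010):
    """Return {binary path: time the threshold was first reached} for
    binaries with >= threshold crash records inside a sliding window.
    Syslog timestamps carry no year, so one is supplied by the caller."""
    recent = defaultdict(deque)   # path -> timestamps still inside the window
    flagged = {}
    for line in lines:
        m = RECORD.match(line)
        if not m:
            continue              # not one of the two records of interest
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["path"]]
        q.append(ts)
        while ts - q[0] > window: # drop records that fell out of the window
            q.popleft()
        if len(q) >= threshold and m["path"] not in flagged:
            flagged[m["path"]] = ts
    return flagged

# Constructed sample input; /usr/bin/exampled is a hypothetical daemon.
SAMPLE_LOG = [
    "Jun 16 11:20:01 box kernel: grsec: Segmentation fault occurred at 00000000 in /usr/sbin/apache2[apache2:4312] uid/euid:81/81",
    "Jun 16 11:20:09 box kernel: grsec: Segmentation fault occurred at 00000000 in /usr/sbin/apache2[apache2:4313] uid/euid:81/81",
    "Jun 16 11:20:10 box kernel: grsec: Illegal instruction occurred at 00000000 in /usr/bin/exampled[exampled:990] uid/euid:0/0",
    "Jun 16 11:20:31 box kernel: grsec: Illegal instruction occurred at 00000000 in /usr/sbin/apache2[apache2:4314] uid/euid:81/81",
    "Jun 16 11:45:00 box kernel: grsec: Segmentation fault occurred at 00000000 in /usr/bin/exampled[exampled:1207] uid/euid:0/0",
    "Jun 16 11:45:02 box cron[77]: job started",
]

if __name__ == "__main__":
    for path, when in restart_candidates(SAMPLE_LOG).items():
        print(f"{when:%b %d %H:%M:%S} restart candidate: {path}")
```

Both record types are counted together per binary, so SIGSEGV records, which do not trigger the fork() delay, still contribute to the restart decision.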