Re: Linux 3.2: backports some features from mainline kernel (3.7)?

2012-12-23 Thread daniel curtis
Hello Mr Hutchings

Thanks for the explanation of several important issues. It is really good
that Debian is, finally, taking security seriously. I mean, for example,
hardening flags, several compile-time options etc. One of the Wheezy
release goals is to update as many packages as possible to use security
hardening build flags via dpkg-buildflags, right? It is amazing, really
amazing.

Oh, when you have finished this blog, please give a link/address. Good luck!

Okay, I reached the end of my message. I have to wish you - and of course
all users on this mailing list - Merry Christmas and a Happy New Year! ;-)

Best regards!


Re: Linux 3.2: backports some features from mainline kernel (3.7)?

2012-12-23 Thread daniel curtis
Hi

Your technical blog looks very interesting. Thank you for your blog
and for maintaining the 3.2 stable series.

Best regards.


Re: Linux 3.2: backports some features from mainline kernel (3.7)?

2012-12-21 Thread daniel curtis
Hi,

You have written that the sysctl kernel.modules_disabled=1 option
is available. I know that, but with cryptographically signed modules
the kernel can check the signature and refuse to load any module
that can't be verified. Does this sysctl option offer something similar?

By writing that symlink and hardlink restrictions are already backported
and enabled by default in the Debian package, you mean a kernel package,
right?

Best regards!
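As an added illustration of the two questions above (and of the related question in the 2012-12-21 message below about where the symlink/hardlink restrictions apply), here is a small audit script that is not part of the original thread. It reads the knobs involved: the sysctl kernel.modules_disabled, the module.sig_enforce parameter that signed-module kernels expose under /sys/module (assumed path, present only on kernels built with module signing), and the fs.protected_symlinks / fs.protected_hardlinks sysctls. The roots are parameters so the script can be run against a constructed tree.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: audit the module-loading
# and link-following hardening discussed above. Reads files under the given
# roots (defaults: /proc/sys and /sys/module) so it can be exercised against
# a constructed directory tree as well as a live system.

# read_knob FILE -> prints the file's first token, or "absent" if missing
read_knob() {
    if [ -r "$1" ]; then
        read -r val < "$1" && printf '%s\n' "$val"
    else
        printf 'absent\n'
    fi
}

# audit_kernel_lockdown [PROC_SYS_ROOT] [SYS_MODULE_ROOT]
# Prints one line per knob; returns 0 only when module loading is locked
# down (either mechanism) AND both link restrictions are on, else 1.
audit_kernel_lockdown() {
    procsys="${1:-/proc/sys}"
    sysmod="${2:-/sys/module}"
    ok=0

    # kernel.modules_disabled: once set to 1, modules can be neither loaded
    # nor unloaded until reboot, and it cannot be set back to 0. It is
    # all-or-nothing, unlike a per-module signature check.
    md=$(read_knob "$procsys/kernel/modules_disabled")
    echo "kernel.modules_disabled=$md"

    # module.sig_enforce (assumed path; kernels built with module signing):
    # 'Y' means unsigned or badly signed modules are refused while properly
    # signed ones still load. That is the "something similar" asked about.
    se=$(read_knob "$sysmod/module/parameters/sig_enforce")
    echo "module.sig_enforce=$se"

    [ "$md" = 1 ] || [ "$se" = Y ] || ok=1

    # fs.protected_symlinks / fs.protected_hardlinks: the symlink and
    # hardlink restrictions from mainline 3.6 that the thread refers to.
    for knob in protected_symlinks protected_hardlinks; do
        v=$(read_knob "$procsys/fs/$knob")
        echo "fs.$knob=$v"
        [ "$v" = 1 ] || ok=1
    done
    return $ok
}
```

Run it with no arguments on a live Debian kernel to see which of the discussed protections are actually active.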


Re: Linux 3.2: backports some features from mainline kernel (3.7)?

2012-12-21 Thread daniel curtis
Hi Mr Hutchings,

Could you explain, in short, why it is more secure? It seems that
cryptographically signed modules are something... I don't know,
more secure, *because before loading the module, the kernel can
check the signature and refuse to load any that can't be verified.* ;-)

Does symlink and hardlink protection also apply to the 2.6.32-5 kernel,
or is it backported only to the 3.2 version? Both protections seem
to have been implemented some time ago, right? I mean a patch for the kernel
(not only Debian).

I have to apologize for such naive questions, but I started using
Debian a couple of weeks ago and I want to know something more
about the Project, Debian and everything related etc. One more thing:
is there any website where I can find information about
patches and changes backported, for example, from the PaX/grsecurity
projects to the Debian kernel - 2.6.32 and 3.2?

Best regards!


Linux 3.2: backports some features from mainline kernel (3.7)?

2012-12-20 Thread daniel curtis
Hi,

I already asked this question on the debian-security@ mailing list, but
Mr Cyril Brulebois suggested that a better place to ask this question
is the debian-kernel@ mailing list. It is pretty much the same question, just
copied.

Kernel 3.7 is officially out. This Linux release includes many improvements
in practically every aspect. Many changes also concern security. Very
interesting are: cryptographically signed kernel modules and, long awaited,
symlink and hardlink restrictions (already in Linux 3.6), but they broke some
programs, so they have been disabled by default, right?

Those features/changes are very interesting from a security point of view.
With signed kernel modules, various distributions can lock down their
kernels. Symlink and hardlink restrictions are just a long-standing, much
needed class of security.

I would like to ask if some of the 3.7 kernel features (such as those
mentioned) will be backported to the Testing kernel (3.2)? I know Wheezy has
now been frozen, and in consequence this means that no more new features will
be added etc. But there is still some time before the official release, and
those features could be tested very well. Are there any plans to do this?

Best regards!