Re: Linux 3.2: backports some features from mainline kernel (3.7)?
Hello Mr Hutchings,

Thanks for the explanation of several important issues. It is really good that Debian is, finally, taking security seriously. I mean, for example, hardening flags, several compile-time options etc. One of the Wheezy release goals is to update as many packages as possible to use security hardening build flags via dpkg-buildflags, right? It is amazing, really amazing.

Oh, when you're done with this blog post, please give a link/address. Good luck!

Okay, I reached the end of my message. I have to wish you - and of course all users on this mailing list - Merry Christmas and a Happy New Year! ;-)

Best regards!
Re: Linux 3.2: backports some features from mainline kernel (3.7)?
On Sun, 2012-12-23 at 17:26 +0100, daniel curtis wrote:
> Hello Mr Hutchings,
>
> Thanks for the explanation of several important issues. It is really good that Debian is, finally, taking security seriously. I mean, for example, hardening flags, several compile-time options etc. One of the Wheezy release goals is to update as many packages as possible to use security hardening build flags via dpkg-buildflags, right? It is amazing, really amazing.
>
> Oh, when you're done with this blog post, please give a link/address. Good luck!

http://womble.decadent.org.uk/blog/whats-in-the-linux-kernel-for-debian-70-wheezy-part-1.html

> Okay, I reached the end of my message. I have to wish you - and of course all users on this mailing list - Merry Christmas and a Happy New Year! ;-)
>
> Best regards!

Same to you.

Ben.

-- 
Ben Hutchings
One of the nice things about standards is that there are so many of them.
Re: Linux 3.2: backports some features from mainline kernel (3.7)?
Hi,

Your technical blog looks very interesting. Thank you for your blog and for maintaining the 3.2 stable series.

Best regards.
Re: Linux 3.2: backports some features from mainline kernel (3.7)?
Hi,

You have written that the sysctl kernel.modules_disabled=1 option is available. I know that, but with cryptographically signed modules the kernel can check the signature and refuse to load any module that can't be verified. Does this sysctl option offer something similar?

By writing that symlink and hardlink restrictions are already backported and enabled by default in the Debian package, you mean the kernel package, right?

Best regards!
Re: Linux 3.2: backports some features from mainline kernel (3.7)?
On Fri, 2012-12-21 at 12:45 +0100, daniel curtis wrote:
> Hi,
>
> You have written that the sysctl kernel.modules_disabled=1 option is available. I know that, but with cryptographically signed modules the kernel can check the signature and refuse to load any module that can't be verified. Does this sysctl option offer something similar?

It's even more secure! :-)

> By writing that symlink and hardlink restrictions are already backported and enabled by default in the Debian package, you mean the kernel package, right?

Yes, the Debian package of the Linux kernel, that's what we talk about here...

Ben.

-- 
Ben Hutchings
Make three consecutive correct guesses and you will be considered an expert.
Re: Linux 3.2: backports some features from mainline kernel (3.7)?
Hi Mr Hutchings,

Could you explain, in short, why it is more secure? It seems that cryptographically signed modules are something... don't know, more secure, *because before loading the module, the kernel can check the signature and refuse to load any that can't be verified.* ;-)

Does symlink and hardlink protection also apply to the 2.6.32-5 kernel, or is it backported only to the 3.2 version? Both protections seem to have been implemented some time ago, right? I mean the patch for the kernel (not only Debian).

I have to apologize for such naive questions, but I started using Debian a couple of weeks ago and I want to know something more about the Project, Debian and everything related etc.

One more thing: is there any website where I can find any information about patches and changes backported, for example, from the PaX/grsecurity projects to the Debian kernel - 2.6.32 and 3.2?

Best regards!
Re: Linux 3.2: backports some features from mainline kernel (3.7)?
On Fri, 2012-12-21 at 17:48 +0100, daniel curtis wrote:
> Hi Mr Hutchings,
>
> Could you explain, in short, why it is more secure? It seems that cryptographically signed modules are something... don't know, more secure, because before loading the module, the kernel can check the signature and refuse to load any that can't be verified. ;-)

I suppose you're right. If an attacker can overwrite modules but not the kernel image, and they can force a reboot, then a signature check will prevent the modified modules being loaded whereas setting kernel.modules_disabled=1 during the boot process will not.

> Does symlink and hardlink protection also apply to the 2.6.32-5 kernel, or is it backported only to the 3.2 version? Both protections seem to have been implemented some time ago, right? I mean the patch for the kernel (not only Debian).

Only for 3.2.

> I have to apologize for such naive questions, but I started using Debian a couple of weeks ago and I want to know something more about the Project, Debian and everything related etc.
>
> One more thing: is there any website where I can find any information about patches and changes backported, for example, from the PaX/grsecurity projects to the Debian kernel - 2.6.32 and 3.2?

I don't think there's any summary of that, though I am intending to write a blog entry along these lines for the wheezy release (based on 3.2).

Ben.

-- 
Ben Hutchings
Make three consecutive correct guesses and you will be considered an expert.
Linux 3.2: backports some features from mainline kernel (3.7)?
Hi,

I already asked this question on the debian-security@ mailing list, but Mr Cyril Brulebois suggested that a better place to ask this question is the debian-kernel@ mailing list. It is pretty much the same question - just copied.

Kernel 3.7 is officially out. This Linux release includes many improvements in practically every aspect. Many changes also concern security. Very interesting are: cryptographically signed kernel modules and - long awaited - symlink and hardlink restrictions (already in Linux 3.6, but they broke some programs, so they have been disabled by default, right?).

Those features/changes are very interesting from a security point of view. With signed kernel modules, various distributions can lock down their kernels. Symlink and hardlink restrictions are just a long-standing, much-needed class of security.

I would like to ask if some of the 3.7 kernel features (such as those mentioned) will be backported to the Testing kernel (3.2)? I know Wheezy has now been frozen and in consequence this means that no more new features will be added etc. But there is still some time until the official release, and those features could be tested very well. Are there any plans to do this?

Best regards!
Re: Linux 3.2: backports some features from mainline kernel (3.7)?
On Thu, Dec 20, 2012 at 03:46:14PM +0100, daniel curtis wrote:
> Hi,
>
> I already asked this question on the debian-security@ mailing list, but Mr Cyril Brulebois suggested that a better place to ask this question is the debian-kernel@ mailing list. It is pretty much the same question - just copied.
>
> Kernel 3.7 is officially out. This Linux release includes many improvements in practically every aspect. Many changes also concern security. Very interesting are: cryptographically signed kernel modules

This seems to be too big a change to make now. And there is already 'sysctl kernel.modules_disabled=1'. That provides the same or greater security, though it is not as convenient (you have to load all the modules you may need first).

> and - long awaited - symlink and hardlink restrictions (already in Linux 3.6, but they broke some programs, so they have been disabled by default, right?).
[...]

Already backported and enabled by default in the Debian package.

Ben.

-- 
Ben Hutchings
We get into the habit of living before acquiring the habit of thinking. - Albert Camus

Archive: http://lists.debian.org/20121220175906.gq13...@decadent.org.uk
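The two runtime knobs discussed in this thread (kernel.modules_disabled, set in Ben's first reply above, and the backported symlink/hardlink restrictions) can be audited from userspace without any kernel changes. The POSIX shell script below is an added example, not code from the list, from Ben Hutchings or from the Debian kernel package. It assumes the backported symlink and hardlink restrictions are exposed under the mainline sysctl names fs.protected_symlinks and fs.protected_hardlinks (the thread does not name them), and it reads each value through a configurable root prefix so that a constructed fake /proc tree can stand in for the real one when testing.

```shell
#!/bin/sh
# Added example (not from the thread or the Debian kernel package): audit the
# runtime hardening knobs discussed above by reading their procfs files.
# ROOT is prefixed to /proc/sys so a constructed tree can stand in for the
# real one; an empty ROOT means the running kernel.

# read_sysctl ROOT kernel/modules_disabled -> prints the value, or "missing"
# when the kernel does not expose the knob at all (e.g. no backport present).
read_sysctl() {
    f="$1/proc/sys/$2"
    if [ -r "$f" ]; then
        tr -d '[:space:]' < "$f"
    else
        printf 'missing'
    fi
}

# audit_hardening ROOT -> one "name=value ok|WEAK" line per knob, then a
# "weak_settings=N" summary line. Assumes the backported symlink/hardlink
# restrictions use the mainline sysctl names (fs.protected_symlinks,
# fs.protected_hardlinks); adjust the list if your kernel differs.
audit_hardening() {
    root="${1:-}"
    weak=0
    for entry in kernel/modules_disabled fs/protected_symlinks fs/protected_hardlinks; do
        v=$(read_sysctl "$root" "$entry")
        name=$(printf '%s' "$entry" | tr '/' '.')
        case "$v" in
            1) status=ok ;;
            *) status=WEAK; weak=$((weak + 1)) ;;   # 0, "missing" or anything else
        esac
        printf '%s=%s %s\n' "$name" "$v" "$status"
    done
    printf 'weak_settings=%s\n' "$weak"
}

# weak_count ROOT -> just the number of knobs not at their hardened value.
weak_count() {
    audit_hardening "$1" | sed -n 's/^weak_settings=//p'
}

# hardening_fragment -> sysctl.conf lines for the settings that are safe to
# apply early in boot. kernel.modules_disabled is deliberately left out: it
# is one-way (cannot be reset to 0 without a reboot) and, as Ben notes, every
# module the system needs must already be loaded when it is set, so it belongs
# in a late boot script rather than in sysctl.conf, which is applied early.
hardening_fragment() {
    printf 'fs.protected_symlinks = 1\nfs.protected_hardlinks = 1\n'
}

# Report on the live kernel when run directly on a Linux host.
if [ -r /proc/sys/kernel/modules_disabled ]; then
    audit_hardening ""
fi
```

A "missing" result for the fs.protected_* knobs means the running kernel carries neither the 3.6 restrictions nor a backport of them; a 0 for kernel.modules_disabled after boot has completed means module loading is still open. Note what this audit cannot tell you: as the exchange above explains, modules_disabled=1 only blocks loading for the current boot, so it offers no protection against module files that were modified on disk before a reboot, which is the case that signature verification covers.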