On Mon, 18-04-2005 at 16:01 -0400, Rik van Riel wrote:
> On Mon, 18 Apr 2005, Lorenzo Hernández García-Hierro wrote:
>
> > Adding a "trusted user group"-like configuration option could be useful,
> > as it's done within grsecurity, among that the whole thing
it up so
anyone can decide what to apply and what shouldn't be applied.
Cheers,
--
Lorenzo Hernández García-Hierro <[EMAIL PROTECTED]>
[1024D/6F2B2DEC] & [2048g/9AE91A22][http://tuxedo-es.org]
signature.asc
Description: This is a digitally signed message part
nor I checked the CSETs).
Thanks for the advice,
Cheers.
--
Lorenzo Hernández García-Hierro <[EMAIL PROTECTED]>
[1024D/6F2B2DEC] & [2048g/9AE91A22][http://tuxedo-es.org]
Thanks for the comments.
Cheers.
--
Lorenzo Hernández García-Hierro <[EMAIL PROTECTED]>
[1024D/6F2B2DEC] & [2048g/9AE91A22][http://tuxedo-es.org]
e proc_misc
one.
I agree, btw. ;)
Adding a "trusted user group"-like configuration option could be useful,
as it's done within grsecurity, among that the whole thing might be good
to depend on a config. option, but that implies using weird ifdef's and
the other folks.
Cheers,
--
Lo
omize-infrastructure
The patch is also available at:
http://pearls.tuxedo-es.org/patches/security/tcp-rand_src-ports.patch
Signed-off-by: Lorenzo Hernandez Garcia-Hierro <[EMAIL PROTECTED]>
Cheers,
--
Lorenzo Hernández García-Hierro <[EMAIL PROTECTED]>
[1024D/6F2B2DEC] & [2048g/9
is available at:
http://pearls.tuxedo-es.org/patches/security/proc-privacy-1.patch
Cheers,
--
Lorenzo Hernández García-Hierro <[EMAIL PROTECTED]>
[1024D/6F2B2DEC] & [2048g/9AE91A22][http://tuxedo-es.org]
diff -puN kernel/resource.c~proc-privacy-1 kernel/resource.c
--- linux-2.6
This patch changes the permissions of the procfs entry config.gz, thus,
non-root users are restricted from accessing it.
It's also available at:
http://pearls.tuxedo-es.org/patches/security/proc-privacy-1_kernel_configs.c.patch
--
Lorenzo Hernández García-Hierro <[EMAIL PROTECTED]>
This patch changes the permissions of the procfs entry kallsyms, thus,
non-root users are restricted from accessing it.
It's also available at:
http://pearls.tuxedo-es.org/patches/security/proc-privacy-1_kernel_kallsyms.c.patch
--
Lorenzo Hernández García-Hierro <[EMAIL PROTECTED]>
This patch changes the permissions of the /proc/net and /proc/bus
directory entries so non-root users are restricted from accessing them.
It's also available at:
http://pearls.tuxedo-es.org/patches/security/proc-privacy-1_fs_proc_root.c.patch
--
Lorenzo Hernández García-Hierro <[EMAIL PROTEC
- /proc/modules
- /proc/schedstat
It's also available at:
http://pearls.tuxedo-es.org/patches/security/proc-privacy-1_fs_proc_proc_misc.c.patch
--
Lorenzo Hernández García-Hierro <[EMAIL PROTECTED]>
[1024D/6F2B2DEC] & [2048g/9AE91A22][http://tuxedo-es.org]
diff -puN fs/proc/proc_misc.c~pr
nged, 30 insertions(+), 21 deletions(-)
--
Lorenzo Hernández García-Hierro <[EMAIL PROTECTED]>
[1024D/6F2B2DEC] & [2048g/9AE91A22][http://tuxedo-es.org]
This patch restricts non-root users to view only their own processes.
It's also available at:
http://pearls.tuxedo-es.org/patches/security/proc-privacy-1_fs_proc_base.c.patch
--
Lorenzo Hernández García-Hierro <[EMAIL PROTECTED]>
[1024D/6F2B2DEC] & [2048g/9AE91A22][http://tuxedo-es
This patch changes the permissions of the /proc/bus/pci directory entry,
so, non-root users are restricted from accessing its content.
It's also available at:
http://pearls.tuxedo-es.org/patches/security/proc-privacy-1_drivers_pci_proc.c.patch
--
Lorenzo Hernández García-Hierro <[EMAIL PROTEC
, the limit for the new uid
could be exceeded.
It comes from the Openwall kernel patch, as well implemented in
grSecurity and vSecurity.
Cheers,
--
Lorenzo Hernández García-Hierro <[EMAIL PROTECTED]>
[1024D/6F2B2DEC] & [2048g/9AE91A22][http://tuxedo-es.org]
current->signal->rlim[RLIMIT_NPROC].rlim_cur) &&
+ !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE)) {
+ goto out_file;
+ }
+
retval = init_new_context(current, bprm->mm);
if (retval < 0)
goto out_mm;
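Review bot: The added RLIMIT_NPROC branch wraps a single `goto out_file;` in braces, which kernel coding style drops for one-statement bodies. The visible lines also do not assign `retval` before the jump, so it is worth confirming that it holds a meaningful error code on this path, and a short comment saying why CAP_SYS_ADMIN and CAP_SYS_RESOURCE bypass the limit would help the next reader.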
(CAP_SYS_ADMIN) !capable(CAP_SYS_RESOURCE)) {
+ goto out_file;
+ }
+
retval = init_new_context(current, bprm-mm);
if (retval 0)
goto out_mm;
_
Cheers,
--
Lorenzo Hernández García-Hierro [EMAIL PROTECTED]
[1024D/6F2B2DEC] [2048g/9AE91A22][http://tuxedo
.
It comes from the Openwall kernel patch, as well implemented in
grSecurity and vSecurity.
Cheers,
--
Lorenzo Hernández García-Hierro [EMAIL PROTECTED]
[1024D/6F2B2DEC] [2048g/9AE91A22][http://tuxedo-es.org]
This patch changes the permissions of the /proc/bus/pci directory entry,
so, non-root users are restricted from accessing its content.
It's also available at:
http://pearls.tuxedo-es.org/patches/security/proc-privacy-1_drivers_pci_proc.c.patch
--
Lorenzo Hernández García-Hierro [EMAIL PROTECTED
This patch restricts non-root users to view only their own processes.
It's also available at:
http://pearls.tuxedo-es.org/patches/security/proc-privacy-1_fs_proc_base.c.patch
--
Lorenzo Hernández García-Hierro [EMAIL PROTECTED]
[1024D/6F2B2DEC] [2048g/9AE91A22][http://tuxedo-es.org]
diff -puN
(-)
--
Lorenzo Hernández García-Hierro [EMAIL PROTECTED]
[1024D/6F2B2DEC] [2048g/9AE91A22][http://tuxedo-es.org]
- /proc/modules
- /proc/schedstat
It's also available at:
http://pearls.tuxedo-es.org/patches/security/proc-privacy-1_fs_proc_proc_misc.c.patch
--
Lorenzo Hernández García-Hierro [EMAIL PROTECTED]
[1024D/6F2B2DEC] [2048g/9AE91A22][http://tuxedo-es.org]
diff -puN fs/proc/proc_misc.c~proc-privacy-1
This patch changes the permissions of the /proc/net and /proc/bus
directory entries so non-root users are restricted from accessing them.
It's also available at:
http://pearls.tuxedo-es.org/patches/security/proc-privacy-1_fs_proc_root.c.patch
--
Lorenzo Hernández García-Hierro [EMAIL PROTECTED
This patch changes the permissions of the procfs entry kallsyms, thus,
non-root users are restricted from accessing it.
It's also available at:
http://pearls.tuxedo-es.org/patches/security/proc-privacy-1_kernel_kallsyms.c.patch
--
Lorenzo Hernández García-Hierro [EMAIL PROTECTED]
[1024D
This patch changes the permissions of the procfs entry config.gz, thus,
non-root users are restricted from accessing it.
It's also available at:
http://pearls.tuxedo-es.org/patches/security/proc-privacy-1_kernel_configs.c.patch
--
Lorenzo Hernández García-Hierro [EMAIL PROTECTED]
[1024D
is available at:
http://pearls.tuxedo-es.org/patches/security/proc-privacy-1.patch
Cheers,
--
Lorenzo Hernández García-Hierro [EMAIL PROTECTED]
[1024D/6F2B2DEC] [2048g/9AE91A22][http://tuxedo-es.org]
diff -puN kernel/resource.c~proc-privacy-1 kernel/resource.c
--- linux-2.6.11/kernel/resource.c
The patch is also available at:
http://pearls.tuxedo-es.org/patches/security/tcp-rand_src-ports.patch
Signed-off-by: Lorenzo Hernandez Garcia-Hierro [EMAIL PROTECTED]
Cheers,
--
Lorenzo Hernández García-Hierro [EMAIL PROTECTED]
[1024D/6F2B2DEC] [2048g/9AE91A22][http://tuxedo-es.org]
When source
agree, btw. ;)
Adding a trusted user group-like configuration option could be useful,
as it's done within grsecurity, among that the whole thing might be good
to depend on a config. option, but that implies using weird ifdef's and
the other folks.
Cheers,
--
Lorenzo Hernández García-Hierro [EMAIL
.
--
Lorenzo Hernández García-Hierro [EMAIL PROTECTED]
[1024D/6F2B2DEC] [2048g/9AE91A22][http://tuxedo-es.org]
for the advice,
Cheers.
--
Lorenzo Hernández García-Hierro [EMAIL PROTECTED]
[1024D/6F2B2DEC] [2048g/9AE91A22][http://tuxedo-es.org]
and what shouldn't be applied.
Cheers,
--
Lorenzo Hernández García-Hierro [EMAIL PROTECTED]
[1024D/6F2B2DEC] [2048g/9AE91A22][http://tuxedo-es.org]
On Mon, 18-04-2005 at 16:01 -0400, Rik van Riel wrote:
On Mon, 18 Apr 2005, Lorenzo Hernández García-Hierro wrote:
Adding a trusted user group-like configuration option could be useful,
as it's done within grsecurity, among that the whole thing might be good
to depend on a config
to say that
currently vsecurity is not prepared for the new API changes since
2.6.10, and this is on-going work for the 0.3 release (among many other
enhancements and changes).
http://cvs.tuxedo-es.org/cgi-bin/viewcvs.cgi/vsecurity/
Thanks for your attention,
Cheers.
--
Lorenzo Hernández García
to say that
currently vsecurity is not prepared for the new API changes since
2.6.10, and this is on-going work for the 0.3 release (among many other
enhancements and changes).
http://cvs.tuxedo-es.org/cgi-bin/viewcvs.cgi/vsecurity/
Thanks for your attention,
Cheers.
--
Lorenzo Hernández García
dr,
under the proper pid directory.
The whole thing is almost self-explaining by just looking at the code.
Cheers,
--
Lorenzo Hernández García-Hierro <[EMAIL PROTECTED]>
[1024D/6F2B2DEC] & [2048g/9AE91A22][http://tuxedo-es.org]
http://lkml.org/lkml/2005/3/10/108 and
http://pearls.tuxedo-es.org/patches/selinux-avc_audit-log-curr_ip.patch
if you want useful and real examples on how it works and helps.
Cheers,
--
Lorenzo Hernández García-Hierro <[EMAIL PROTECTED]>
[1024D/6F2B2DEC] & [2048g/9AE91A22][http:
OC_IPADDR */
+
rc = security_sid_to_context(ssid, , _len);
if (rc)
audit_log_format(ab, "ssid=%d", ssid);
_
Cheers,
--
Lorenzo Hernández García-Hierro <[EMAIL PROTECTED]>
[1024D/6F2B2DEC] & [2048g/9AE91A22][http://tuxedo-es.org]
= inet->daddr;
+ set->used_accept = 1;
+#endif
+ return;
+}
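Review bot: The bare `return;` directly before the closing brace is redundant at the end of a void function and can be dropped. The `#endif` above it would also read better annotated with the symbol it closes, so the conditional region is easy to follow.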
diff -puN net/Makefile~task-curr_ip net/Makefile
--- linux-2.6.11/net/Makefile~task-curr_ip 2005-03-10 14:56:13.981846568
+0100
+++ linux-2.6.11-lorenzo/net/Makefile 2005-03-10 14:56:14.054835472 +0100
@@ -4
-$(CONFIG_IP_SCTP) += sctp/
ifeq ($(CONFIG_NET),y)
obj-$(CONFIG_SYSCTL) += sysctl_net.o
endif
+
+ifeq ($(CONFIG_NET),y)
+obj-$(CONFIG_PROC_IPADDR) += proc_ipaddr.o
+endif
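Review bot: The new `ifeq ($(CONFIG_NET),y)` block at the end repeats the conditional that already guards `sysctl_net.o` directly above it. Put `obj-$(CONFIG_PROC_IPADDR) += proc_ipaddr.o` inside the existing block rather than opening a second identical one.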
Cheers,
--
Lorenzo Hernández García-Hierro [EMAIL PROTECTED]
[1024D/6F2B2DEC] [2048g/9AE91A22][http://tuxedo
, scontext, scontext_len);
if (rc)
audit_log_format(ab, ssid=%d, ssid);
_
Cheers,
--
Lorenzo Hernández García-Hierro [EMAIL PROTECTED]
[1024D/6F2B2DEC] [2048g/9AE91A22][http://tuxedo-es.org]
://pearls.tuxedo-es.org/patches/selinux-avc_audit-log-curr_ip.patch
if you want useful and real examples on how it works and helps.
Cheers,
--
Lorenzo Hernández García-Hierro [EMAIL PROTECTED]
[1024D/6F2B2DEC] [2048g/9AE91A22][http://tuxedo-es.org]
.
The whole thing is almost self-explaining by just looking at the code.
Cheers,
--
Lorenzo Hernández García-Hierro [EMAIL PROTECTED]
[1024D/6F2B2DEC] [2048g/9AE91A22][http://tuxedo-es.org]
y possible confusion, again, sorry
for any inconveniences, wasn't my intention to create confusion around
Immunix.
At least from my side, I don't have fights nor bad relationships with
anybody from Immunix, but also I just know a very few people from there.
Cheers,
--
Lorenzo Hernández García-Hierr
On Wed, 23-02-2005 at 13:37 -0800, Crispin Cowan wrote:
> Lorenzo Hernández García-Hierro wrote:
> You are confused. It is Secure Computing Corporation that holds patents
> that threaten SELinux
> http://www.securecomputing.com/pdf/Statement_of_Assurance.pdf
>
>
On Wed, 23-02-2005 at 13:37 -0800, Crispin Cowan wrote:
Lorenzo Hernández García-Hierro wrote:
You are confused. It is Secure Computing Corporation that holds patents
that threaten SELinux
http://www.securecomputing.com/pdf/Statement_of_Assurance.pdf
Immunix has never threatened any
intention to create confusion around
Immunix.
At least from my side, I don't have fights nor bad relationships with
anybody from Immunix, but also I just know a very few people from there.
Cheers,
--
Lorenzo Hernández García-Hierro [EMAIL PROTECTED]
[1024D/6F2B2DEC] [2048g/9AE91A22][http://tuxedo
t applies to 2.6.11-rc4 tree, with latest mtd
tree included.
http://pearls.tuxedo-es.org/patches/mtd-jffs3-xattr-20050222-2.6.11-rc4.patch
(998Kb)
I would appreciate any collaboration and help with it.
Cheers, thanks in advance and enjoy (not working) it.
:)
--
Lorenzo Hernández García-Hierro
on't have time to make further checking, but seems to be somewhat
type of devices handling and IDR minor numbers allocation tracking
black magic, someone could have a further look at it?
Cheers,
--
Lorenzo Hernández García-Hierro <[EMAIL PROTECTED]>
[1024D/6F2B2DEC] & [2048g/9AE91A22
,
as development documentation seems inexistent, among James Morris'
merged xattr consolidation code.
Thanks in advance,
Cheers.
--
Lorenzo Hernández García-Hierro <[EMAIL PROTECTED]>
[1024D/6F2B2DEC] & [2048g/9AE91A22][http://tuxedo-es.org]
,
as development documentation seems inexistent, among James Morris'
merged xattr consolidation code.
Thanks in advance,
Cheers.
--
Lorenzo Hernández García-Hierro [EMAIL PROTECTED]
[1024D/6F2B2DEC] [2048g/9AE91A22][http://tuxedo-es.org]
of devices handling and IDR minor numbers allocation tracking
black magic, someone could have a further look at it?
Cheers,
--
Lorenzo Hernández García-Hierro [EMAIL PROTECTED]
[1024D/6F2B2DEC] [2048g/9AE91A22][http://tuxedo-es.org]
, with latest mtd
tree included.
http://pearls.tuxedo-es.org/patches/mtd-jffs3-xattr-20050222-2.6.11-rc4.patch
(998Kb)
I would appreciate any collaboration and help with it.
Cheers, thanks in advance and enjoy (not working) it.
:)
--
Lorenzo Hernández García-Hierro [EMAIL PROTECTED]
[1024D/6F2B2DEC
mpanies are there to make money, not to provide public benefits.
> Sad, but true.
I can't disagree with this one, but sometimes licenses make companies
doing things they even don't like, which are of our own benefit.
> I appreciate you continued struggle against us thick headed developers
>
, but a really difficult one.
Cheers and many thanks for your comments,
--
Lorenzo Hernández García-Hierro [EMAIL PROTECTED]
[1024D/6F2B2DEC] [2048g/9AE91A22][http://tuxedo-es.org]
what-ever-else helper function to handle by-default
auditing in certain operations could be interesting.
I think it could be worthy to have a roadmap in a wiki or even talk
about a one, trying to write it, so, we all could know what needs to be
improved and done, getting a higher percentage of mainline-acce
be interesting.
I think it could be worthy to have a roadmap in a wiki or even talk
about a one, trying to write it, so, we all could know what needs to be
improved and done, getting a higher percentage of mainline-accepted
approaches.
Cheers,
--
Lorenzo Hernández García-Hierro [EMAIL PROTECTED
others work. I don't mean that RSBAC folks didn't be, but we all
know that a lot of bad things were said around. We all make mistakes, it is a
matter of good intention and effort to not make them again.
As a little disclaimer, just to say that I'm pretty new here so, maybe
I'm not the best one recall o
intention and effort to not make them again.
As a little disclaimer, just to say that I'm pretty new here so, maybe
I'm not the best one recall on this, but at least I'm making use of my
rights to comment on it.
Amen or what-ever-else.
Cheers,
--
Lorenzo Hernández García-Hierro [EMAIL PROTECTED
On Tue, 08-02-2005 at 16:15 -0800, Chris Wright wrote:
> * Lorenzo Hernández García-Hierro ([EMAIL PROTECTED]) wrote:
> > As commented yesterday, I was going to release a few more hooks for some
> > *critical* syscalls, this one adds a hook to sys_chmod(), and makes us
>
On Tue, 08-02-2005 at 16:15 -0800, Chris Wright wrote:
* Lorenzo Hernández García-Hierro ([EMAIL PROTECTED]) wrote:
As commented yesterday, I was going to release a few more hooks for some
*critical* syscalls, this one adds a hook to sys_chmod(), and makes us
able to apply checks
ould decide :)
A user of this will be, as commented in my past emails, vSecurity 0.2
release, and any other LSM module that wants to have control over
chmod()'ing.
I will make available another hook for sys_fchmod() ASAP.
Cheers and thanks in advance,
--
Lorenzo Hernández García-Hierro <
On Mon, 07-02-2005 at 14:34 -0800, Chris Wright wrote:
> * Lorenzo Hernández García-Hierro ([EMAIL PROTECTED]) wrote:
> > Attached you can find a patch which adds a new hook for the sys_chroot()
> > syscall, and makes us able to add additional enforcing and security
>
On Mon, 07-02-2005 at 14:34 -0800, Chris Wright wrote:
* Lorenzo Hernández García-Hierro ([EMAIL PROTECTED]) wrote:
Attached you can find a patch which adds a new hook for the sys_chroot()
syscall, and makes us able to add additional enforcing and security
checks by using the Linux
decide :)
A user of this will be, as commented in my past emails, vSecurity 0.2
release, and any other LSM module that wants to have control over
chmod()'ing.
I will make available another hook for sys_fchmod() ASAP.
Cheers and thanks in advance,
--
Lorenzo Hernández García-Hierro [EMAIL PROTECTED
process is chrooted using the current macro and
denying if capable() gets it trying to access CAP_SYS_CHROOT it's the
way that vSecurity currently does it.
But the hook will have to handle some chdir enforcing that can't be done
with current hooks, I will explain it further tomorrow.
It's too late here ;)
enzo Hernández García-Hierro <[EMAIL PROTECTED]>
[1024D/6F2B2DEC] & [2048g/9AE91A22][http://tuxedo-es.org]
diff -Nur linux-2.6.11-rc3/fs/open.c linux-2.6.11-rc3.chroot-lsm/fs/open.c
--- linux-2.6.11-rc3/fs/open.c 2005-02-06 21:40:40.0 +0100
+++ linux-2.6.11-rc3.chroot-lsm/fs/open.c
to dislike.
Lemme know what's the final thought on this, so, I could work out it and
give what you want, without time loss and we all can feel happy with
it :)
Cheers and thanks for the comments,
--
Lorenzo Hernández García-Hierro <[EMAIL PROTECTED]>
[1024D/6F2B2DEC] & [2048g/9AE91A22][http://tuxedo-es.org]
On Mon, 07-02-2005 at 11:12 -0800, Chris Wright wrote:
> * Lorenzo Hernández García-Hierro ([EMAIL PROTECTED]) wrote:
> > This patch adds two checks to do_follow_link() and sys_link(), for
> > prevent users to follow (untrusted) symlinks owned by other users in
> >
f users must rely on LSM or other external solutions for applying basic
security checks (as the framework itself only provides the way to apply
them, the checks need to be implemented in a module), then we are making
them unable to be protected using the "default" configuration.
Cheers,
-
, as the overhead is *minimal* (if there's any
overhead), because the modified functions get called only once when
following a symlink or creating a hardlink.
The patch can be also downloaded from:
http://pearls.tuxedo-es.org/patches/linking-protections-2.6.11-rc3.patch
Cheers,
--
Lorenzo Hernández
, as the overhead is *minimal* (if there's any
overhead), because the modified functions get called only once when
following a symlink or creating a hardlink.
The patch can be also downloaded from:
http://pearls.tuxedo-es.org/patches/linking-protections-2.6.11-rc3.patch
Cheers,
--
Lorenzo Hernández
(as the framework itself only provides the way to apply
them, the checks need to be implemented in a module), then we are making
them unable to be protected using the default configuration.
Cheers,
--
Lorenzo Hernández García-Hierro [EMAIL PROTECTED]
[1024D/6F2B2DEC] [2048g/9AE91A22][http://tuxedo-es.org
On Mon, 07-02-2005 at 11:12 -0800, Chris Wright wrote:
* Lorenzo Hernández García-Hierro ([EMAIL PROTECTED]) wrote:
This patch adds two checks to do_follow_link() and sys_link(), for
prevent users to follow (untrusted) symlinks owned by other users in
world-writable +t directories
,
--
Lorenzo Hernández García-Hierro [EMAIL PROTECTED]
[1024D/6F2B2DEC] [2048g/9AE91A22][http://tuxedo-es.org]
Hernández García-Hierro [EMAIL PROTECTED]
[1024D/6F2B2DEC] [2048g/9AE91A22][http://tuxedo-es.org]
diff -Nur linux-2.6.11-rc3/fs/open.c linux-2.6.11-rc3.chroot-lsm/fs/open.c
--- linux-2.6.11-rc3/fs/open.c 2005-02-06 21:40:40.0 +0100
+++ linux-2.6.11-rc3.chroot-lsm/fs/open.c 2005-02-07 21:42
() gets it trying to access CAP_SYS_CHROOT it's the
way that vSecurity currently does it.
But the hook will have to handle some chdir enforcing that can't be done
with current hooks, I will explain it further tomorrow.
It's too late here ;)
Cheers,
--
Lorenzo Hernández García-Hierro [EMAIL
in mind even if he
didn't send split up patches for each feature, which I really don't
know).
I've just ported it out of grsecurity.
Thanks for your meaningful comments,
Cheers.
--
Lorenzo Hernández García-Hierro <[EMAIL PROTECTED]>
[1024D/6F2B2DEC] & [2048g/9AE91A22][http://tuxedo-e
didn't send split up patches for each feature, which I really don't
know).
I've just ported it out of grsecurity.
Thanks for your meaningful comments,
Cheers.
--
Lorenzo Hernández García-Hierro [EMAIL PROTECTED]
[1024D/6F2B2DEC] [2048g/9AE91A22][http://tuxedo-es.org]
nything you want to
comment about it before I start?
I will re-code it to put the helper functions in random.c.
Thanks in advance,
Cheers.
--
Lorenzo Hernández García-Hierro <[EMAIL PROTECTED]>
[1024D/6F2B2DEC] & [2048g/9AE91A22][http://tuxedo-es.org]
o a sys_chroot()
hook that I requested yesterday on the bugzilla, among the SELinux 2.4
backport which needs several fixes due to last 2.6 bk-commits reports.
Thanks for the comments,
Cheers.
--
Lorenzo Hernández García-Hierro <[EMAIL PROTECTED]>
[1024D/6F2B2DEC] & [2048g/9AE91A22][http://tuxedo-es.org]
.
Thanks in advance,
Cheers.
--
Lorenzo Hernández García-Hierro [EMAIL PROTECTED]
[1024D/6F2B2DEC] [2048g/9AE91A22][http://tuxedo-es.org]
-commits reports.
Thanks for the comments,
Cheers.
--
Lorenzo Hernández García-Hierro [EMAIL PROTECTED]
[1024D/6F2B2DEC] [2048g/9AE91A22][http://tuxedo-es.org]
s, and David B. Harris from OFTC (and whole OFTC staff)
for hosting my crap there :).
I hope this would be useful and interesting, and, again, I would
appreciate any feedback on it.
Thanks in advance, enjoy it.
--
Lorenzo Hernández García-Hierro <[EMAIL PROTECTED]>
[1024D/6F2B2DEC] &
dentation fixes.
The tests on the patch are the following ones:
http://www.osdl.org/plm-cgi/plm?module=patch_info_id=4136
(above one shows that there are no SMP-related issues)
http://khack.osdl.org/stp/300417
http://khack.osdl.org/stp/300420
Cheers and thanks for the information,
--
Lorenzo Hernánd
Hi,
Attached the new patch following Arjan's recommendations.
I'm sorry about not making it "inlined", but my mail agent messes up the
diffs if I do so.
Still waiting for the OSDL STP tests results, they will take a while to
finish.
Cheers,
--
Lorenzo Hernández García-Hierro <[EM
3. Choose test to run Scalable Test Platform (STP)
> http://osdl.org/lab_activities/kernel_testing/stp/
OK, many thanks.
Haven't noticed that (maybe 'cos I'm new in kernel hacking ;) )
I will submit there the new patch ASAP.
Cheers,
--
Lorenzo Hernández García-Hierro <[EMAIL PROTECTED]>
o, there's no point at that claim.
Cheers,
--
Lorenzo Hernández García-Hierro <[EMAIL PROTECTED]>
[1024D/6F2B2DEC] & [2048g/9AE91A22][http://tuxedo-es.org]
On Fri, 28-01-2005 at 19:07 +0100, Arjan van de Ven wrote:
> On Fri, 2005-01-28 at 18:17 +0100, Lorenzo Hernández García-Hierro
> wrote:
> > Hi,
> >
> > Attached you can find a split up patch ported from grSecurity [1], as
> > Linus commented that he woul
levels of security based on config options.
> Think of a distro vendor, do they ship the fast or the secure system??
>
> As always:
> * Send networking stuff to netdev@oss.sgi.com
Added to CC list.
> * Please split up patches.
If you talk about removing the pool sizes increasing, t
On Fri, 28-01-2005 at 18:40 +0100, Adrian Bunk wrote:
> On Fri, Jan 28, 2005 at 06:17:17PM +0100, Lorenzo Hernández García-Hierro
> wrote:
> >...
> > As its impact is minimal (in performance and development/maintenance
> > terms), I recommend to merge it, as it
[1]: http://www.grsecurity.net
[2]: http://en.wikipedia.org/wiki/Pseudorandom_number_generator
Cheers,
--
Lorenzo Hernández García-Hierro <[EMAIL PROTECTED]>
[1024D/6F2B2DEC] & [2048g/9AE91A22][http://tuxedo-es.org]
diff -Nur linux-2.6.11-rc2/crypto/Kconfig linux-2.6.11-rc2.tx1/crypto/Kconfig
://www.grsecurity.net
[2]: http://en.wikipedia.org/wiki/Pseudorandom_number_generator
Cheers,
--
Lorenzo Hernández García-Hierro [EMAIL PROTECTED]
[1024D/6F2B2DEC] [2048g/9AE91A22][http://tuxedo-es.org]
diff -Nur linux-2.6.11-rc2/crypto/Kconfig linux-2.6.11-rc2.tx1/crypto/Kconfig
--- linux-2.6.11-rc2/crypto
On Fri, 28-01-2005 at 18:40 +0100, Adrian Bunk wrote:
On Fri, Jan 28, 2005 at 06:17:17PM +0100, Lorenzo Hernández García-Hierro
wrote:
...
As its impact is minimal (in performance and development/maintenance
terms), I recommend to merge it, as it gives a basic prevention
it,
but I would like to know if this has any chances to get merged.
[1]: http://lkml.org/lkml/2005/1/28/139
Cheers,
--
Lorenzo Hernández García-Hierro [EMAIL PROTECTED]
[1024D/6F2B2DEC] [2048g/9AE91A22][http://tuxedo-es.org]
On Fri, 28-01-2005 at 19:07 +0100, Arjan van de Ven wrote:
On Fri, 2005-01-28 at 18:17 +0100, Lorenzo Hernández García-Hierro
wrote:
Hi,
Attached you can find a split up patch ported from grSecurity [1], as
Linus commented that he wouldn't get a whole-sale patch, I was working
Hernández García-Hierro [EMAIL PROTECTED]
[1024D/6F2B2DEC] [2048g/9AE91A22][http://tuxedo-es.org]
)
http://osdl.org/lab_activities/kernel_testing/stp/
OK, many thanks.
Haven't noticed that (maybe 'cos I'm new in kernel hacking ;) )
I will submit there the new patch ASAP.
Cheers,
--
Lorenzo Hernández García-Hierro [EMAIL PROTECTED]
[1024D/6F2B2DEC] [2048g/9AE91A22][http://tuxedo-es.org
Hi,
Attached the new patch following Arjan's recommendations.
I'm sorry about not making it inlined, but my mail agent messes up the
diffs if I do so.
Still waiting for the OSDL STP tests results, they will take a while to
finish.
Cheers,
--
Lorenzo Hernández García-Hierro [EMAIL PROTECTED
.
The tests on the patch are the following ones:
http://www.osdl.org/plm-cgi/plm?module=patch_infopatch_id=4136
(above one shows that there are no SMP-related issues)
http://khack.osdl.org/stp/300417
http://khack.osdl.org/stp/300420
Cheers and thanks for the information,
--
Lorenzo Hernández García
On Wed, 19-01-2005 at 09:27 +0100, Arjan van de Ven wrote:
> On Tue, 2005-01-18 at 23:55 +0100, Lorenzo Hernández García-Hierro
> wrote:
> > Also, maybe an ExecShield specific test (see [1] and [2]) and possibly a
> > few other tests related with BSD Jails.
>
> >