Re: security patches / lsm

From: Valdis . Kletnieks
Date: Wed Jun 09 2004 - 11:31:13 EST

Next message: Jörn Engel: "Re: [STACK] >3k call path in ide"
Previous message: Mark Gross: "Re: swsusp "not enough swap space" 2.6.5-mm6."
In reply to: Olaf Hering: "Re: security patches / lsm"
Next in thread: Greg KH: "Re: security patches / lsm"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, 09 Jun 2004 13:46:15 +0200, Nico Schottelius said:

> I heard about that, but I wanted to know whether this statement is still
> true. I think with grsecurity you get a great security enhanced kernel.

grsecurity is also an incredibly intrusive patch, and as of last week Brad
Spendler was dropping continuing support due to time/financial issues.

The Grsecurity stuff breaks down into several pieces:

1) The PaX stuff, which is more intrusive than the RedHat exec-shield patch
and doesn't buy us an obviously higher level of security - the major thing that
PaX does that exec-shield doesn't is prevent calling mprotect() on a previously
writable page to make it executable. Note that mprotect() can be handled via
an LSM exit as well, so that's an alternate route to take. Note that the PaX
stuff requires a patch to binutils and recompiling/relinking everything to take
full advantage of it (OK, exec-shield does as well, but has the advantage that
the GNU_PT_STACK stuff has already been pushed upstream). Either way,
we still have the Wine problem... ;)

2) For better or worse, SELinux and LSM are already in the base kernel, so
Brad's ACL stuff is a duplication of effort. Feel free to drag that along
yourself, but any percieved benefit of Brad's ACL system is outweighted (in
my book at least) by the fact that SELinux is being actively worked into
things like Fedora, Suse, and Debian.

3) A bunch of things like hardening /tmp symlinks and chroot jails, which
are just as doable via an LSM module - I posted a "first cut" a while back,
and I'll probably put out another one very shortly that incorporates all the
helpful feedback I got over on the SELinux and LSM lists (Thanks, guys! ;)

4) When I looked at it, the remainder was basically just PID randomization
and some network randomization tweaks (again, I posted a first-cut, and will
probably post another shortly incorporating suggestions I got).

That's my take on it, for what it's worth...

Attachment: pgp00000.pgp
Description: PGP signature

Next message: Jörn Engel: "Re: [STACK] >3k call path in ide"
Previous message: Mark Gross: "Re: swsusp "not enough swap space" 2.6.5-mm6."
In reply to: Olaf Hering: "Re: security patches / lsm"
Next in thread: Greg KH: "Re: security patches / lsm"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]