*BUG REPORTED* support for grsecurity-patched kernels? [message #13434]
Sat, 26 May 2007 19:22
eliast
Hi all. Is there a possibility of official support for grsecurity (http://grsecurity.net) patched kernels in OpenVZ's patch? I usually manually modify the patches to fit grsec-based kernels, but sometimes I get kernel panics on the test system (e.g. when I turn on PaX features). I'm pretty sure that it is because I do only semantic correction on the patches to make them work with a grsecurity-enabled kernel.
[Updated on: Tue, 29 May 2007 10:40] by Moderator
Re: support for grsecurity-patched kernels? [message #13495 is a reply to message #13478]
Mon, 28 May 2007 11:33
eliast
Simply put, I use all the features that grsecurity offers, and I also think that building secure Linux servers without PaX protection is close to impossible.
I use trusted path execution, kernel process hiding, and all features of the chroot jail restrictions, as well as /proc restrictions, dmesg restrictions and executable resource limits. Also, when using chroot restrictions I always set up the executables with chpax, denying processes the ability to load shared segments and other things if they do not need to. (For example, preventing Apache from loading modules I do not want it to...). I also use socket restrictions, for example when running Apache: client sockets are denied for Apache, which makes it impossible, for example, for PHP to connect to remote SMTP servers and engage in spam activity.
I believe that all the PaX features, like address space randomization and sanitizing all freed memory, make it even harder to compromise the server. Especially when you have dozens of shell accounts. (For this I'm using chrooted shell accounts, and I'm planning to move to OpenVZ (Xen needs a modular kernel and some other things, so it is not yet usable for me...), but I really miss the grsec features and PaX.)
Also, I could patch the OpenVZ-patched 2.6.20 kernel with grsec and successfully use most features, since the patch needed only semantic correction (the line numbers did not match), but in the case of PaX the memory protection code needs to be revised by a developer, since when I check it, the kernel does not compile, or if it does, it segfaults.
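The post above depends on PaX actually being in force after the kernel is rebuilt, and on per-binary flags set with chpax. The following check is an added example (not code from this thread, from grsecurity or from OpenVZ) that can be compiled on the patched kernel to confirm what a process really got, instead of waiting for a segfault. It assumes the grsecurity kernel exposes a `PaX:` line in /proc/PID/status whose upper-case letters mark enabled features (P PAGEEXEC, E EMUTRAMP, M MPROTECT, R RANDMMAP, S SEGMEXEC, X RANDEXEC), probes MPROTECT behaviourally by trying to make a writable heap page executable, and uses function names of my own choosing; the `PaX:` sample line in the test is constructed.

```c
/* Added example (not from the thread, grsecurity or OpenVZ): confirm that
 * PaX is active for a process on a freshly patched kernel.
 * Assumption: /proc/PID/status carries a line such as "PaX:\tPeMRs" in
 * which an upper-case letter means the feature is enabled for the process. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Decode one status line. Returns 1 if it is a PaX line, 0 otherwise.
 * 'enabled' receives the upper-case (enabled) flag letters, NUL-terminated. */
int parse_pax_line(const char *line, char *enabled, size_t cap)
{
    size_t n = 0;
    if (strncmp(line, "PaX:", 4) != 0)
        return 0;
    for (const char *p = line + 4; *p && *p != '\n'; p++) {
        if (*p >= 'A' && *p <= 'Z' && n + 1 < cap)
            enabled[n++] = *p;      /* lower-case letters = disabled, skipped */
    }
    enabled[n] = '\0';
    return 1;
}

/* 1 if 'feature' (P, E, M, R, S or X) is enabled on the line,
 * 0 if it is disabled, -1 if the line is not a PaX line at all. */
int pax_feature_enabled(const char *line, char feature)
{
    char on[16];
    if (!parse_pax_line(line, on, sizeof on))
        return -1;
    return strchr(on, feature) != NULL;
}

/* Same lookup for the calling process; -1 if the kernel reports no PaX line
 * (stock kernel, or a patched kernel where PaX never became active). */
int own_pax_feature_enabled(char feature)
{
    char line[256];
    int rc = -1;
    FILE *fp = fopen("/proc/self/status", "r");
    if (!fp)
        return -1;
    while (fgets(line, sizeof line, fp)) {
        rc = pax_feature_enabled(line, feature);
        if (rc >= 0)
            break;
    }
    fclose(fp);
    return rc;
}

/* Behavioural probe for MPROTECT: a page that was ever writable must not be
 * made executable. Returns how many of the two attempts the kernel refused:
 * 0 on a stock kernel, 2 when MPROTECT is enforced, -1 on allocation failure. */
int mprotect_probe(void)
{
    long pg = sysconf(_SC_PAGESIZE);
    void *buf = NULL;
    int denied = 0;
    if (pg <= 0 || posix_memalign(&buf, (size_t)pg, (size_t)pg) != 0)
        return -1;
    if (mprotect(buf, (size_t)pg, PROT_READ | PROT_EXEC) != 0)
        denied++;
    if (mprotect(buf, (size_t)pg, PROT_READ | PROT_WRITE | PROT_EXEC) != 0)
        denied++;
    /* put the page back to RW before handing it back to malloc */
    mprotect(buf, (size_t)pg, PROT_READ | PROT_WRITE);
    free(buf);
    return denied;
}

int main(void)
{
    const char *names = "PEMRSX";
    for (const char *c = names; *c; c++) {
        int v = own_pax_feature_enabled(*c);
        printf("%c: %s\n", *c, v < 0 ? "no PaX line" : (v ? "on" : "off"));
    }
    printf("MPROTECT probe: %d of 2 attempts refused\n", mprotect_probe());
    return 0;
}
```

On a kernel where the PaX patch compiled but the features never became active, the status lookup reports "no PaX line" or "off" and the probe refuses nothing, which is a much quicker signal than the segfaults mentioned in the post. To exempt a single binary rather than switch a feature off kernel-wide, chpax or paxctl flip the per-file flags (for example `chpax -m` or `paxctl -m` clears MPROTECT for that executable, and `chpax -v` shows the flags it currently carries).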
Re: support for grsecurity-patched kernels? [message #13524 is a reply to message #13496]
Tue, 29 May 2007 09:01
eliast
Okay, I'll do that. PaX is more mature and offers more protection than ExecShield, I believe, and I do not use RH kernels, since I use Debian.
I hope grsecurity support will be implemented in a timely manner, since there are quite a lot of topics on grsecurity's forum on the same subject, and there are already various successful implementations for older kernels.
But these unreliable hacks cannot be applied in real environments. I would be happy with official support. It will greatly improve OpenVZ's security in many ways, I'm extremely sure. (Lots of people are waiting for this development...)