Date: Thu, 10 Mar 2011 00:20:22 +0100
From: Piotr Meyer <aniou@...tek.pl>
To: owl-dev@...ts.openwall.com
Subject: Re: VLANs in Owl way?

On Wed, Mar 09, 2011 at 11:43:16PM +0300, Vasiliy Kulikov wrote:
 
> On Mon, Mar 07, 2011 at 09:18 +0100, Piotr Meyer wrote:
> > only 'is_available' needs some 
> > work (can we rely on  sysfs on /sys presence?).
> 
> That's an open issue :-)  There is some danger in mounting /sys by
> default.  Permissions of some sysfs files were too restricted not long
> ago:

That version was taken from Fedora 14. Older implementations (RHEL4 and 5)
don't rely on sysfs:

http://pastebin.com/DYBU9KXB  (RHEL4.4)
http://pastebin.com/BcFAujTy  (RHEL5.5)

BTW, about the is_available() function: from my point of view this function
does too much: it not only checks the availability of a device, but also loads
firmware/modules for physical devices and renames them, if necessary.

IMVHO is_available() should be limited to lines 1-17 (and maybe 22-28,
but without renaming) of the RHEL5 version. Mixing "checking" and "doing"
in one place isn't good, and the admin should create the necessary devices
without "magic" scripts.
 
> One little problem with the script is that it uses "ip link add type
> vlan", it is not supported by our old iproute ;)  

This isn't necessary, I hope: the older version simply uses vconfig to
create vlans: http://pastebin.com/GGJR8W30 (from RHEL5.5).

> We're planning to
> upgrade iproute after toolchain upgrade.

With gcc4? I played a little in NetBSD with things like ASLR or gcc stack
smashing protection and I'm curious what Owl can do with this. Yes, I'm
aware of the performance drop, but there are many "fast" distros and I want
a secure one.

PS: Handy table of current RHEL features:
    http://www.awe.com/mark/blog/20101130.html

-- 
Piotr 'aniou' Meyer
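The following is an added illustration of the two points raised in the message above (a side-effect-free is_available() that does not require /sys to be mounted, and creating VLANs with vconfig where the installed iproute lacks "ip link add type vlan"). It is example code written for this page, not code from the thread, from Owl, or from the RHEL/Fedora ifup scripts. It assumes the /sys/class/net layout and the /proc/net/dev format; the SYSFS_NET and PROC_NET_DEV variables and the vlan_add_cmd helper are this example's own names. The "doing" half only prints the command it would run, so the check and the action stay separate.

```shell
#!/bin/sh
# Added example (not from the thread or from any distribution's scripts).
# Paths are overridable so the logic can be exercised against a constructed
# fake tree instead of the live system.
SYSFS_NET="${SYSFS_NET:-/sys/class/net}"
PROC_NET_DEV="${PROC_NET_DEV:-/proc/net/dev}"

# is_available DEV: return 0 if the kernel already knows interface DEV,
# 1 otherwise.  Checking only: never loads modules, renames or creates
# anything, and works whether or not sysfs is mounted.
is_available() {
    dev="$1"
    [ -n "$dev" ] || return 1
    # Preferred source: sysfs, when it is mounted.
    if [ -d "$SYSFS_NET" ]; then
        [ -d "$SYSFS_NET/$dev" ] && return 0
        return 1
    fi
    # Fallback: /proc/net/dev has two header lines, then one line per
    # interface in the form "  name: <counters>".  Compare the name as a
    # whole field so that "eth1" does not match "eth10".
    if [ -r "$PROC_NET_DEV" ]; then
        awk -F: -v d="$dev" '
            NR > 2 { gsub(/^[ \t]+/, "", $1); if ($1 == d) found = 1 }
            END    { exit !found }' "$PROC_NET_DEV"
        return $?
    fi
    return 1
}

# vlan_add_cmd PARENT VID [yes|no|auto]: print (do not run) the command that
# would create PARENT.VID.  Uses iproute2 when it supports "type vlan",
# otherwise falls back to vconfig.  The third argument overrides detection
# so the choice can be tested offline.  Assumption: "ip link help" lists the
# supported link types, including "vlan", on iproute2 versions that have it.
vlan_add_cmd() {
    parent="$1"; vid="$2"; have_ip_vlan="${3:-auto}"
    [ -n "$parent" ] || return 1
    case "$vid" in
        ''|*[!0-9]*) return 1 ;;   # must be a decimal number
    esac
    [ "$vid" -ge 1 ] && [ "$vid" -le 4094 ] || return 1   # valid 802.1Q range
    if [ "$have_ip_vlan" = auto ]; then
        if ip link help 2>&1 | grep -q vlan; then
            have_ip_vlan=yes
        else
            have_ip_vlan=no
        fi
    fi
    if [ "$have_ip_vlan" = yes ]; then
        printf 'ip link add link %s name %s.%s type vlan id %s\n' \
            "$parent" "$parent" "$vid" "$vid"
    else
        printf 'vconfig add %s %s\n' "$parent" "$vid"
    fi
}

# Typical use from an ifup-style script: refuse to act unless the parent
# exists, then show (or run) the creation step separately.
plan_vlan() {
    if is_available "$1"; then
        vlan_add_cmd "$1" "$2" "${3:-auto}"
    else
        echo "parent device $1 is not available" >&2
        return 1
    fi
}
```

Running `plan_vlan eth0 100` on a live host prints the creation command for eth0.100 if eth0 exists and fails cleanly otherwise; the admin decides whether to execute it.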
