Date: Wed, 8 Aug 2012 15:02:41 +0400
From: Vasily Kulikov <segoon@...nwall.com>
To: owl-dev@...ts.openwall.com
Subject: Re: segoon's report #15

Solar,

On Wed, Aug 08, 2012 at 10:39 +0400, Solar Designer wrote:
> > Priorities:
> > - Discuss what PaX features we want to see in Owl kernel.
> > - Discuss whether we need sysfs hardening and log spoofing protection in
> >   Owl kernel.
> > - Port confirmed patches to Owl kernel after owl-dev discussions.
> 
> Does this mean you're done with all other kernel hardening changes you
> wanted to make this summer?
> 

Going through the list at the Owl wiki:

Ported:
BINFMT_ELF_AOUT (cleanup)
HARDEN_STACK
HARDEN_VM86
HARDEN_PROC
HARDEN_RLIMIT_NPROC
ASCII-Armor
32/64-bit restrictions in containers

TODO:
log spoofing protection
SYSFS_RESTRICT
PAX_USERCOPY
PAX_REFCOUNT

Etc.:

HARDEN_SHM - the patch is backported into RHEL 6.3.  The RHEL 6.3 update is
included in the latest 059.7 patch.  I haven't rebased to 059.7 yet,
but I'll do it before actually committing into Owl CVS.

HARDEN_LINK and HARDEN_FIFO - Kees' versions of these things are already
merged into Linus' tree.  I think we should wait a bit (a week?) and after
that pick the patch into the Owl kernel (just to merge it with all the
bugfixes which are done this week).


> When are we getting the kernel update to RHEL6'ish into Owl?

The kernel itself looks ready for update.  It needs only other packages'
fixes, which I've already committed.


> When are we updating glibc?

I think we can do it just after the kernel update.  If you have something in
mind why the glibc update is needed before porting any kernel hardening
patches, I can switch to the glibc update.  IIRC, I've done most of the update
work needed for buildworld ability, but haven't ported all Owl hardening
patches from 2.3.6.

Preparing all these patches might take some time from me, during which I
don't need your attention at all.


-- 
Vasily
