Date: Sun, 12 Aug 2012 22:16:20 +0400
From: Vasily Kulikov <segoon@...nwall.com>
To: owl-dev@...ts.openwall.com
Subject: segoon's report #16

Hi,

Accomplishments:
- rebased Owl patch to RHEL 6.3'ish kernel, which now includes HARDEN_SHM.
- backported from upstream protected_{symlinks,hardlinks} (implemented in
  upstream by Kees as LSM).
- forwardported HARDEN_FIFO as /proc/sys/fs/protected_fifos (was missing
  in Kees' patch).
- added log spoofing protection.
- backported kref overflow protection configurable via
  /proc/sys/kernel/kref_overflow_action, a light version of
  PAX_REFCOUNT.
- backported a bugfix to RHEL's kernel: it ignored mount options on mount(2)
  for procfs (was OK only on -o remount,...).
- implemented configure time sysfs umask and gid setting.
- wrote test programs for all ported security features.
- identified that gcc's stack protector doesn't work with Owl's old glibc.
- moved kernel modules to /lib/modules/2.6.32-xxx/ from /lib/modules/2.6.32/.
  Now it's possible to install several 2.6.32 kernels in a single system.

TODO
- set sysfs umask/gid for container by vzctl.
- implement PAX_USERCOPY.
- document everything.

Thanks,

-- 
Vasily
