Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 12 Aug 2012 22:22:18 +0400
From: Solar Designer <solar@...nwall.com>
To: owl-dev@...ts.openwall.com
Subject: Re: segoon's report #16

Vasily,

On Sun, Aug 12, 2012 at 10:16:20PM +0400, Vasily Kulikov wrote:
> Accomplishments:
> - rebased Owl patch to RHEL 6.3'ish kernel, which now includes HARDEN_SHM.
> - backported from upstream protected_{symlinks,hardlinks} (implemented in
>   upstream by Kees as LSM).
> - forwardported HARDEN_FIFO as /proc/sys/fs/protected_fifos (was missing
>   in Kees' patch).
> - added log spoofing protection.
> - backported kref overflow protection configurable via
>   /proc/sys/kernel/kref_overflow_action, a light version of
>   PAX_REFCOUNT.
> - backported a bugfix to RHEL's kernel, it ignored mount options on mount(2)
>   for procfs (was OK only on -o remount,...).
> - implemented configure time sysfs umask and gid setting.
> - wrote test programs for all ported security features.
> - identified that gcc's stack protector doesn't work with Owl's old glibc.
> - moved kernel modules to /lib/modules/2.6.32-xxx/ from /lib/modules/2.6.32/.
>   Now it's possible to install several 2.6.32 kernels in a single system.

This is very nice.  Where's the updated patch?  Can you post it in here
for now?

> TODO
> - set sysfs umask/gid for container by vzctl.

Is this needed, and why?
Do we have similar functionality for procfs or whatever?

> - implement PAX_USERCOPY.
> - document everything.

OK.

Thanks,

Alexander

Powered by blists - more mailing lists

Your e-mail address:

Powered by Openwall GNU/*/Linux - Powered by OpenVZ