Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 29 Jul 2011 13:00:53 +0400
From: Vasiliy Kulikov <segoon@...nwall.com>
To: kernel-hardening@...ts.openwall.com
Subject: Re: -ow features

Solar,

On Sat, Jul 23, 2011 at 20:27 +0400, Solar Designer wrote:
> Can you please post a summary on the status of -ow patch features as it
> relates to mainline acceptance of their equivalents?

Sorry for the delay, I didn't somehow noticed this email.


HARDEN_STACK*

The code similar to -ow patch is ready, but it doesn't handle DSO cases
of stack usage.  I've described the problem here:

http://www.openwall.com/lists/kernel-hardening/2011/07/18/8


HARDEN_VM86

The code similar to -ow patch is ready, but I don't know how it should
be implemented relative to LSM/seccomp/etc.  It looks like a small
feature, which is not consistent with current upstream security
architecture.  I've described the problem here:

http://www.openwall.com/lists/kernel-hardening/2011/06/19/2

Without the major change of the configuration mechanism it's impossible
to get it applied.


HARDEN_PAGE0

It is a part of Linux for many years.  Distros may setup their own
mmap_min_addr limit and the default is 64K.  So, I don't see what can be
improved here.


HARDEN_LINK
HARDEN_FIFO

These are implemented in YAMA LSM.  Kees Cook's last attempt (AFAIK) is:

http://marc.info/?l=linux-security-module&m=130023775422255&w=2

James Morris' reaction:

http://marc.info/?l=linux-security-module&m=130032319219333&w=2

So, the issue is that LSM guys say that LSM is the place where only
enhanced access control schemes may be located, but VFS folks
say that all similar non-POSIX restrictions should go into LSM as a
configurable security feature (extern relative to VFS).  This
inconsistency is really nasty :(


HARDEN_PROC

The patch as in -ow received negative response from Andrew Morton as too
limited:

http://www.openwall.com/lists/kernel-hardening/2011/06/21/3

I'm working on it.  The demonstration is:

http://www.openwall.com/lists/kernel-hardening/2011/07/26/5


HARDEN_NLIMIT_NPROC

The discussion:

http://www.openwall.com/lists/kernel-hardening/2011/06/12/9

The latest patch:

http://www.openwall.com/lists/kernel-hardening/2011/07/29/3

(It has already got a Reviewed-by from James, which is very good.)


HARDEN_SHM

The patch:

http://www.openwall.com/lists/kernel-hardening/2011/06/22/4

It was applied first to -mm tree, now it is merged into Linus' linux-2.6
tree (it will be part of Linux 3.1).


Special handling of fd 0,1,2 (Linux 2.0/2.2) for set*id

It is handled in glibc now by opening /dev/{null,full}, however, I see
(minor) drawbacks:

1) It's possible to have a chroot without polluted /dev/, so setuid
inside of chroot might fail to reopen fds.

2) It's not handled in other libc implementations.

Other than that, it already works.


Privileged IP aliases (Linux 2.0)

I think it was fully obsoleted with network namespaces.


Thanks,

-- 
Vasiliy

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.