Date: Wed, 8 Aug 2012 15:02:41 +0400
From: Vasily Kulikov <segoon@...nwall.com>
To: owl-dev@...ts.openwall.com
Subject: Re: segoon's report #15

Solar,

On Wed, Aug 08, 2012 at 10:39 +0400, Solar Designer wrote:
> > Priorities:
> > - Discuss what PaX features we want to see in Owl kernel.
> > - Discuss whether we need sysfs hardening and log spoofing protection in
> >   Owl kernel.
> > - Port confirmed patches to Owl kernel after owl-dev discussions.
>
> Does this mean you're done with all other kernel hardening changes you
> wanted to make this summer?
>

Going through the list at Owl wiki:

Ported:

BINFMT_ELF_AOUT (cleanup)
HARDEN_STACK
HARDEN_VM86
HARDEN_PROC
HARDEN_RLIMIT_NPROC
ASCII-Armor
32/64-bit restrictions in containers

TODO:

log spoofing protection
SYSFS_RESTRICT
PAX_USERCOPY
PAX_REFCOUNT

Etc.:

HARDEN_SHM - the patch is backported into RHEL 6.3. RHEL 6.3 update is
included into the latest 059.7 patch. I haven't rebased to 059.7 yet,
but I'll do it before actual committing into Owl CVS.

HARDEN_LINK and HARDEN_FIFO - Kees' version of these things is already
merged into Linus' tree. I think we should wait a bit (week?) and after
that pick the patch into Owl kernel (just to merge it with all bugfixes
which are done this week).

> When are we getting the kernel update to RHEL6'ish into Owl?

The kernel itself looks ready for update. It needs only other packages'
fixes, which I've already committed.

> When are we updating glibc?

I think we can do it just after kernel update. If you have something in
mind why glibc update is needed before any kernel hardening patches
porting, I can switch to glibc update. IIRC, I've done most of update
work needed for buildworld ability, but haven't ported all Owl hardening
patches from 2.3.6. Preparing all these patches might take some time
from me, when I don't need your attention at all.

--
Vasily