[rsbac] 2.4.12+ rsbac+freeswan+grsec

Bencsath Boldizsar boldi at mail2003.etl.hu
Wed Jun 18 02:15:38 MEST 2003


http://boldi.hu/programs/rsbac/linux-2.4.21-fswan-grsec-rsbac.tgz

My Linux 2.4.21 + grsecurity 1.9.10 + rsbac 1.2.1 + freeswan 2.0.0
patched source (full freeswan directory included).

NOT TESTED well.

It seems to be OK, but once I had a problem with VMware; after some
problems I managed to get ps unworkable, the load average went ^^^^, and w or
ps caused non-terminable processes... Of course this can be due to 2.4.21
or anything else, too...

Possible question:

In my 2.4.19 I had problems joining rsbac and grsec, as both wanted to
use entry.S for their function symbol. Now it seems that grsec no
longer uses that part of the symbol table. Is it fully OK? (And if they
don't need it, why does rsbac need it? No, don't answer, I know it's
*magic*, so it's just a remark.)



Amon:
Most problems from patching the kernel with both rsbac and grsec are due to
both wanting to patch the same area.
1. It would be nice to get the official kernel to change the parts where
if (something) do_something; ->
if (something)
{
do_rsbac_something...
do_grsec_something...
}

occurs, to have {} included in the official source (easier to patch by
you and to join the patches).

The other thing is when both patches want to patch the same area. This can
be handled with an intermediate patch, for example:

This is a final joined patch release:

command_A
command_B

#if rsbac
...
#endif

#if grsec
...
#endif

command_C

of course the original kernel source is:

command_A
command_B
command_C


What if someone made an interior kernel patch:

command_A
command_B

/*INSERT SECURITY _IDENTIFIER PATCH HERE
  _ID
  _ID (multiple lines for patch environment finding)...
  _ID
/*/

command_C


then a tag-enabled version of rsbac/grsec/else could patch this to:

command_A
command_B

#ifdef rsbac...
#endif...

/*INSERT SECURITY _IDENTIFIER PATCH HERE
  _ID
  _ID (multiple lines for patch environment finding)...
  _ID
/*/

command_C


... so the next patch would find the identifiers again and insert its
code perfectly?

Of course it is also possible to insert this 'interior' state in the
kernel (kernel security initiatives or something), but if that does not
work, then this interior stuff could help in joining multiple patches.
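The marker scheme sketched above (the `#if rsbac` / `#if grsec` joined release, and the `/*INSERT SECURITY _IDENTIFIER PATCH HERE` interior state) as a small patch-joining tool. This is an added example, not code from the post or from the rsbac or grsecurity projects. Assumptions: the word after "INSERT SECURITY" is a tag naming the hook point (here `_DO_OPEN`), each project's code is wrapped in `#ifdef` with a config symbol chosen by the caller (`CONFIG_RSBAC` and `CONFIG_GRKERNSEC` are assumed names), `do_rsbac_something` / `do_grsec_something` are the placeholders from the post, and the kernel snippet is constructed. The marker is re-emitted unchanged, so a second project can be joined afterwards, re-applying the same project is a no-op, and a fragment whose marker does not exist is reported rather than silently dropped.

```python
"""Marker-based joining of several security patches into one kernel source.

Added example implementing the scheme from the post; not project code.
"""
import re

# The marker exactly as sketched in the post: an opening line carrying a tag,
# one or more "_ID" lines that give patch(1) enough context to locate it, and
# the closing line. It is matched and written back verbatim.
MARKER_RE = re.compile(
    r"^[ \t]*/\*INSERT SECURITY (?P<tag>_[A-Z0-9_]+) PATCH HERE\n"
    r"(?:[ \t]*_ID[^\n]*\n)+"
    r"[ \t]*/\*/\n",
    re.MULTILINE,
)


def guarded_block(project, tag, code):
    """Wrap one project's hook code in an #ifdef so it can be configured out."""
    return (f"#ifdef {project} /* {tag} */\n"
            f"{code.rstrip()}\n"
            f"#endif /* {project} {tag} */\n\n")


def insert_at_markers(source, project, fragments):
    """Insert each fragment in front of the marker whose tag it names.

    project:   preprocessor symbol guarding this project's code (assumed name)
    fragments: {tag: C code} to place at the marker carrying that tag
    Returns (new_source, tags_patched, tags_missing). Markers are preserved so
    the next project can be joined; a block already present between the
    previous marker and this one is not inserted again.
    """
    out, pos, patched, seen = [], 0, [], set()
    for m in MARKER_RE.finditer(source):
        tag = m.group("tag")
        seen.add(tag)
        region = source[pos:m.start()]   # text since the previous marker
        out.append(region)
        if tag in fragments:
            block = guarded_block(project, tag, fragments[tag])
            if block not in region:      # idempotent re-application
                out.append(block)
                patched.append(tag)
        out.append(m.group(0))           # the marker survives unchanged
        pos = m.end()
    out.append(source[pos:])
    missing = sorted(set(fragments) - seen)
    return "".join(out), patched, missing


# Constructed sample: the "interior" kernel state from the post, with a marker
# tagged _DO_OPEN sitting between command_B and command_C.
KERNEL_SRC = """\
int do_open(struct file *f)
{
    command_A();
    command_B();

    /*INSERT SECURITY _DO_OPEN PATCH HERE
      _ID
      _ID (multiple lines for patch environment finding)...
      _ID
    /*/

    command_C();
    return 0;
}
"""

# Constructed fragments; the hook names are the placeholders used in the post.
RSBAC_FRAGMENT = {"_DO_OPEN": "    do_rsbac_something(f);"}
GRSEC_FRAGMENT = {"_DO_OPEN": "    do_grsec_something(f);"}


def join_both(source=KERNEL_SRC):
    """Apply rsbac, then grsec, then rsbac again to show the no-op re-apply."""
    src, _, _ = insert_at_markers(source, "CONFIG_RSBAC", RSBAC_FRAGMENT)
    src, _, _ = insert_at_markers(src, "CONFIG_GRKERNSEC", GRSEC_FRAGMENT)
    src, again, _ = insert_at_markers(src, "CONFIG_RSBAC", RSBAC_FRAGMENT)
    assert again == []                   # nothing inserted the second time
    return src


if __name__ == "__main__":
    print(join_both())
```

The order in which projects are applied decides the order of their hooks in front of the marker, so a joined release should document that order; the `#ifdef` guards keep the result buildable with either project configured out.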


boldizsar
