[rsbac] Re: Bugfixing the kernel uselib vulnerability

Murf murf at post.cz
Wed Jan 19 10:45:37 CET 2005


Thomas Mueller wrote:
> Amon Ott wrote:
> 
>>>> 2.6 kernels will need a few days to get going - it is much more work
>>>> because of all the rapid changes.
>>>
>>> Shouldn't the new -as patchset help a lot?
>>
>> http://kerneltrap.org/node/4545
>>
>> Thank you, I noticed that. It might be better to the point than the ac
>> patches, but I have not had a closer look at it yet.
> 
> 
> All 50 patches in as2 applied cleanly (with some offsets) to 
> http://rsbac.org/download/kernels/v1.2.3/linux-2.6.10-rsbac-v1.2.3-bf11.tar.bz2. 
> The kernel has been working fine for 12 hours now.
> 
> 
> Thomas

Hello!

Yes, you are right, but it is without pax.

I see a problem in patching with -as on top of rsbac+pax (2.6.10 kernel).
For example, mmap.c is changed by pax and also by the -as patches. The
changes are not trivial, for example the correction of the rlimit memlock bug.
I'm a bit scared to correct it manually, because one would have to know what
is going on in mmap.c. The grsec security patches apply on top of
rsbac+pax OK, because they take pax into account. But the rlimit memlock bug
is solved in a different way, if I look at the diffs. But this patch has
not solved all the issues that are in the -as patchset.

There are 4-5 -as patches that have rejects on the rsbac+pax source.
Has anybody tried to solve these rejects?

In my opinion, PAX is an important component
helping to be more "secure" ;-).

Murf

