[rsbac] Re: Bugfixing the kernel uselib vulnerability
Murf
murf at post.cz
Wed Jan 19 10:45:37 CET 2005
Thomas Mueller wrote:
> Amon Ott wrote:
>
>>>> 2.6 kernels will need a few days to get going - it is much more work
>>>> because of all the rapid changes.
>>>
>>> Shouldn't the new -as patchset help a lot?
>>
>> http://kerneltrap.org/node/4545
>>
>> Thank you, I noticed that. It might be better to the point than the ac
>> patches, but I have not had a closer look at it yet.
>
>
> All 50 patches in as2 applied cleanly (with some offsets) to
> http://rsbac.org/download/kernels/v1.2.3/linux-2.6.10-rsbac-v1.2.3-bf11.tar.bz2.
> The kernel works fine for 12 hours now.
>
>
> Thomas
Hello!
Yes, you are right, but it is without pax.
I see a problem in patching with -as on top of rsbac+pax (2.6.10 kernel).
For example, mmap.c is changed by pax and also by the -as patches. The
changes are not trivial, for example in the correction of the rlimit memlock bug.
I'm a bit scared to correct it manually, because one would have to know what
is going on in mmap.c. The grsec security patches apply on top of
rsbac+pax OK, because they take pax into account. But the rlimit memlock bug
is solved a different way, if I look at the diffs. But this patch has
not solved all the issues that are in the -as patchset.
There are 4-5 -as patches that have rejects on the rsbac+pax source.
Has anybody tried to solve these rejects?
In my opinion, PAX is an important component
helping to be more "secure" ;-).
Murf