[grsec] grsecurity 2.0.2 released for Linux 2.4.28

[spender at grsecurity.net]

grsecurity 2.0.2 has been released for Linux 2.4.28. Changes in this 
release include:

    * PaX updates and addition of PaX code for MIPS, MIPS64, IA64, and 
AMD64
    * Chroot restrictions no longer allow zombie tasks to display in a 
process listing
    * Randomized PIDs optimization
    * PaX's RANDKSTACK feature is disabled in the high security setting 
if the CPU does not support it
    * Completely rewritten logging system that significantly reduces the 
.text size of the grsec-enabled kernel
    * CAP_FOWNER was removed from the set of capabilities disallowed in 
a chroot
    * The IP address tagging table was moved into the .bss, fixing a 
sparc32 booting problem
    * PaX ACL hook support was added and is automatically set to the 
"direct" method in the kernel configuration
    * Fixed sysctl compile error when grsec is disabled
    * Fixed RBAC bug with process protect flag
    * Fixed any future problems with kernel role in gradm
    * Solved memory problems with learning analysis: only one subject 
will be resident in memory at a time during full learning analysis
    * Caching was added to gradm that dramatically reduces run time of 
learning analysis


The largest changes in this release were the logging system rewrite and 
the learning analysis rewrite. Previously, all logging in grsecurity was 
done through a single, large macro, as this was easiest (and when the 
macro was first implemented, it was not very large and not called very 
often). Unfortunately, as grsecurity grew, the size of that macro 
increased as did the number of callers. This resulted in up to 500kb of 
.text being duplicated throughout the grsecurity code. By grouping the 
different types of logs and optimizing based on their similarities, I 
was able to create a variable argument logging function to replace the 
previous macro, resulting in cache improvements and a significantly 
smaller kernel .text.

One of the most common problems with the gradm learning analysis was 
that large logs caused OOM errors. This was due to unnecessary 
allocations, memory leaks, and a problem with the design that required 
that all logs be analyzed and reduced, then written out to disk all at 
once. I've eliminated the memory leaks, removed the unnecessary 
allocations, and modified the system so that after a new subject is 
reduced, the generated policy is written out and all allocations for 
that subject are freed. This part comes at the additional time cost of 
multiple passes through the log file, however.

To speed up the parsing of the log files, I implemented caching for the 
routines that insert parsed filenames into filename graphs. This reduced 
CPU time for the most used function by about 1000%, as the function has 
a high time complexity.

Grsecurity 2.0.3 will include further speed improvements and will 
contain a configuration file for learning that will allow you to ignore 
learning on certain processes, perform an inherit-based learning on 
certain processes, set the cache size of the grlearn daemon, etc.

Grsecurity 2.0.2 will be released for the 2.6 series of kernels when a 
PaX port is complete for the latest 2.6 kernel. As the 2.6 series of 
kernels are mimicking more of a development series than a stable series, 
the 2.4 series of kernels are recommended at this time.

Also, please see the note regarding sponsors on the news page.

Thanks for your support of grsecurity, and enjoy.

-Brad