[grsec] grsecurity 2.1.11 released for Linux 2.4.36.2/2.6.24.4
John Logsdon
j.logsdon at quantex-research.com
Tue Apr 15 04:40:45 EDT 2008
Brad, PaX Team, everyone
Firstly the appreciation of all needs to be expressed for the continued
maintenance of grsec.
Secondly, given the continued release issues with the 2.6 kernel, I am sure
that all will understand the problem of supporting such a moving target.
However most Linux implementations offer either 2.6 as default or do not
offer 2.4 kernels anyway and there may be other issues which make it
necessary to use 2.6 in some cases.
You suggestion of moving to support only, say, the Ubuntu production kernels
only seems sensible. I would add in the RHEL (or Fedora) kernels if that
were possible. Most production implementations where protection is crucial
use or derive from these - particularly RHEL - so most installations will be
covered while keeping the task within manageable proportions.
Some sysadmins are understandably wary of using vanilla ie non-production
kernels so this may lead to a greater uptake of grsec if a grsec-enhanced
ready-rolled kernel is put up on appropriate repositories along side a
ready-patched kernel.
This might lead to collaboration - and support - from either of these
organisations and show them that there is a better alternative to the
standard offering of (dare I say it) SEL.
On Tuesday 15 April 2008 02:07:46 Brad Spengler wrote:
> A new stable version of grsecurity has been released for the 2.4.36.2
> and 2.6.24.4 versions of the Linux kernel. This release is a maintenance
> release (due to the work required in porting such a large patchset to
> each new 2.6 kernel as we have with the test patches), though we
> continue to welcome suggestions for additional features for grsecurity.
>
> Changes in this release include:
>
> * Many bugfixes, including fixes for RBAC auditing and RBAC policy
> recreation from renaming.
> * Relaxed restrictions for the 'd' subject flag in the RBAC system
> -- a task may now access its own /proc/<pid>/fd and mem entries.
> * Forced compiler errors on mistaken PaX configuration (such as
> enabling PAX_NOEXEC but not enabling SEGMEXEC nor PAGEEXEC).
> * Extended username limits in the RBAC system
> * Improved policy verification and base policy enforcement
> * Added support for new capabilities added in Linux 2.6
> * Updated default policy and learning configuration
> * Corrected policy support on files larger than 2gb prior to the
> RBAC system being enabled
> * An update to the latest version of PaX which includes numerous
> bugfixes
>
>
>
> Due to Linux kernel developers continuing to silently fix exploitable
> bugs (in particular, trivially exploitable NULL ptr dereference bugs
> continue to be fixed without any mention of their security implications)
> we continue to suggest that the 2.6 kernels be avoided if possible.
>
> It is not clear if the PaX Team will be able to continue supporting
> future versions of the 2.6 kernels, given their rapid rate of release
> and the incredible amount of work that goes into porting such a
> low-level enhancement to the kernel (especially now in view of the
> reworking of the i386/x86-64 trees). It may be necessary that grsecurity
> instead track the Ubuntu LTS kernel so that users can have a stable
> kernel with up-to-date security fixes. I will update this page when a
> final decision has been reached.
>
> In the meantime, please email pageexec at freemail.hu and let him know how
> much you appreciate the hard work he has put in for the past 8 years.
> The accomplishments of the PaX Team have extended far beyond just Linux,
> and have today found their way into all mainstream operating systems.
>
> Enjoy,
> -Brad
--
Best wishes
John
John Logsdon "Try to make things as simple
Quantex Research Ltd, Manchester UK as possible but not simpler"
j.logsdon at quantex-research.com a.einstein at relativity.org
+44(0)161 445 4951/G:+44(0)7717758675 www.quantex-research.com
More information about the grsecurity
mailing list