[grsec] grsecurity 2.0.3-2.6.9 test release
spender at grsecurity.net
Mon Dec 20 22:16:30 EST 2004
I've placed a grsecurity 2.0.3 patch for Linux 2.6.9 at:
New patches will be uploaded if problems are reported with the current
patch. New patches will have the date and time represented in the
filename so it is easier to tell when a new patch is available.
If you've been reading changelogs recently or watching in #grsecurity on
irc.oftc.net, you've noticed I have been pretty busy working on
grsecurity 2.0.3. Among these changes in the upcoming 2.0.3 are:
* New configuration file for full learning: /etc/grsec/learn_config
From the documentation provided in the file:
#This configuration file aids the learning process by tweaking
#the learning algorithm for specific paths.
#It accepts lines in the form of <command> <pathname>
#Where <command> can be inherit-learn, no-learn, or inherit-no-learn.
#inherit-learn changes the learning process for the specified path
#by throwing all learned accesses for every binary executed by the
#processes contained in the pathname into the subject specified
#by the pathname. This is useful for cron in the case of full
#system learning, so that scripts that eventually end up executing
#mv or rm with privilege don't cause the root policy to grant
#that privilege to mv or rm in all cases.
#no-learn allows processes within the path to perform any operation
#that normal system usage would allow without restriction. If
#a process is generating a huge number of learning logs, it may be
#best to use this command on that process and configure its policy
#inherit-no-learn combines the above two cases, such that processes
#within the specified path will be able to perform any normal system
#operation without restriction as will any binaries executed by
I hope for the default learn_config to be applicable for any system so
that full learning can be used without any configuration. With this in
mind, if you have any applications that perform in similar ways to cron
scripts (executing lots of normal apps with privilege), let me know
about them, so they can be added to the configuration.
* Learning heuristics have been optimized to better detect temporary
file usage and reduce appropriately.
* Learning heuristics have been modified to weight against reducing
certain additional important directories.
* User/group ID transitions have been added to the learning system.
Any subject transitioning to less than 3 different users or 3
different groups that has CAP_SETUID or CAP_SETGID will have ID
transitions added. This is useful to automatically secure
applications that only transition to one or few users/groups like
* /proc/<pid>/* accesses are automatically rewritten as /proc by grlearn
before being cached and written to disk
* The inherit-based learning usable through the learning configuration
file is usable through a regular policy as well simply by adding "i"
instead of "l" to a subject for learning.
* Inheritance is preserved whenever possible across uid/gid changes when
the role resulting from the uid/gid change is no different from that
before the change.
* A complete ~95-99% efficient LFU-hash hybrid caching system has been
added that greatly reduces the number of full object lookups by
caching the result. The cache essentially mimics the filesystem
around where applications are operating: nearly equivalent to having
an object for every file and directory on the system, but without the
wasted memory. The cache is invalidated on creates and deletes that
cause a change in policy (through policy re-creation) and on renames
of directories or symlinks.
* Memory usage for non-full learning has been significantly reduced and
all memory leaks have been plugged.
* Interactive performance of full-learning has improved by ~15% by
reducing the number of context switches caused by grlearn doing small
disk writes by using a write buffer (writing more once instead of
less 1000 times) and keeping track of log entry lengths for quicker
string matching. A signal handler was added to grlearn so that when
learning is stopped, the write buffer is flushed to disk.
* Kernel headers are no longer used for gradm
* Bugfixes for things mentioned on the list, etc
If you're going to use the 2.6.9 patch and want to use the RBAC system,
you'll have to grab gradm2 from CVS. If you don't want to use 2.6 but
still want to try out the new features of 2.0.3, grab grsecurity2 from
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: Digital signature
Url : http://grsecurity.net/pipermail/grsecurity/attachments/20041220/45264f9f/attachment.pgp
More information about the grsecurity