[grsec] grsec patch for 2.6.15?

pageexec at freemail.hu pageexec at freemail.hu
Mon Jan 9 18:29:14 EST 2006


> Unfortunately 2.4.x doesn't support my hardware at all, so 2.4 is no 
> choice.
> 
> This attitude toward kernel security is very curious; if your assertion is 
> true then surely 2.6 is needing pax more than anything. So the choice to 
> deliberately skip supporting it is strange.
> 
> It's a tactic I might expect from Microsoft or maybe Theo de Raadt, it's 
> surprising to see it here.

not sure what either entity has to do with this, but anyway...

i suggest you go to http://www.securityfocus.com/bid and look
for vendor:linux title:kernel in there. and that's only bugs
that became somehow public, it does not include stuff yet to
be discovered or deliberately/unintentionally not marked as
security related. so at least you can't contest the fact that
2.6 has been about the most bug-ridden kernel series (not only
at its inception but throughout its lifetime). add to that its
volatile nature and you can maybe understand why properly
supporting it is neither a priority nor a possibility with
our resources.

as for what PaX can or cannot do for 2.6: given the nature of
kernel bugs in general, you can't expect much protection from
exploits; even with features like KERNEXEC there remain less
trivial but quite possible ways to abuse such bugs, so don't
think for a second that you're somehow safe from local kernel
exploits just because you use a PaX kernel. protecting the
kernel from itself is one of the hardest problems in security
and most people believe that it's an impossible job. they're
not exactly right with that as usual but it'll take time to
prove it ;-).
