[grsec] grsec patch for 2.6.15?
Dan Hollis
reg5423374856 at anime.net
Mon Jan 9 21:29:03 EST 2006
On Tue, 10 Jan 2006, pageexec at freemail.hu wrote:
>> Unfortunately 2.4.x doesn't support my hardware at all, so 2.4 is no
>> choice.
>> This attitude toward kernel security is very curious; if your assertion is
>> true then surely 2.6 is needing pax more than anything. So the choice to
>> deliberately skip supporting it is strange.
>> It's a tactic I might expect from microsoft or maybe theo de raadt, it's
>> surprising to see it here.
> not sure what either entity has to do with this, but anyway...
> i suggest you go to http://www.securityfocus.com/bid and look
> for vendor:linux title:kernel in there. and that's only bugs
> that became somehow public, it does not include stuff yet to
> be discovered or deliberately/unintentionally not marked as
> security related. so at least you can't contest the fact that
> 2.6 has been about the most bug ridden kernel series (not only
> at its inception but throughout its lifetime). add to that its
> volatile nature and you can maybe understand why properly
> supporting it is neither a priority nor a possibility with
> our resources.
that's nice. 2.4.x doesn't support my hardware at all. so it's completely
a non-option.
> as for what PaX can or cannot do for 2.6: given the nature of
> kernel bugs in general, you can't expect much protection from
> exploits, even with features like KERNEXEC there remain less
> trivial but quite possible ways to abuse such bugs, so don't
> think for a second that you're somehow safe from local kernel
> exploits just because you use a PaX kernel. protecting the
> kernel from itself is one of the hardest problems in security
> and most people believe that it's an impossible job. they're
> not exactly right with that as usual but it'll take time to
> prove it ;-).
i don't think i'm immune (whee, what a nice strawman!).
all pax (and grsec, etc) does is make such exploits harder. and it did at
least prevent all the exploits i tried. this doesn't mean exploits in the
future are impossible, just that they have more obstacles to get around in
order to get a root shell -- instead of the simple 0-obstacles they have
with stock kernels.
but it's beginning to look like i will have to go to openbsd to get
modern hardware support and pax(-like) features, since pax won't
support 2.6.
-Dan