[grsec] Upcoming sponsorship opportunity

Brad Spengler spender at grsecurity.net
Tue Jun 28 20:52:58 EDT 2011

Hi all,

I wanted to let you know about an opportunity within the next month or
two that you may be interested in.  Due to some unique real-life
events, in a month or two I'll have at least a month of mostly free
time.  I figured it'd be a good idea to put the downtime to good use:
knocking out large items on my TODO list that I don't currently have
time to dedicate to in my free time apart from the normal maintenance,
development, and support of grsecurity.

If I can find some new sponsors at least for the stretch of my time off,
I'll tackle some things like:
Allowing /proc restrictions to be toggled via sysctl at runtime
More documentation
Container support for RBAC/chroot restrictions
 - there are some options here (for RBAC): making RBAC policies act as a
   global policy that applies to all containers, requiring per-namespace
   policies, or having a global RBAC policy that can be overriden
   by per-namespace policies (with some subset of privilege checks)
IPv6 support for RBAC socket policies
Runtime policy updates (adding of new roles, subject modification, etc.
 without having to reload the entire policy)
Additional regex usage in RBAC learning, for tighter policies that
 abstract out version numbers for instance
Incorporate some concepts from Machine Learning to replace existing
 learning heuristics with (possibly, I'm still researching the best way
 to apply this) selection of a predicted access profile; the ultimate
 goal here is to eliminate locations where we unnecessarily merge
 read/write accesses while at the same time reducing these mixed
 accesses down to a single directory
Improving learn_config through an audit of learned policies with more
 services on various distros
Improve NFS support in RBAC learning
64bit inode support in the RBAC system

These are just some of the things in my TODO; whatever I work on will be
determined by sponsor requests.  Sponsors can also request items not on
my own list.

I'm also auctioning off a low-power (draws only 300 watts) 72-core MIPS
cluster to sponsor the work (with 10-20% going to charity depending on
the sale price).  You can find it here:

Also, just as a reminder, we have a blog at:
where we aim to present/explain new features and discuss other things
security-related.  You can subscribe to the RSS feed for new posts here:
If you've been using the latest patches you may have seen a new feature
with an interesting component called PAX_STACKLEAK.  I'm told there's a
post about it forthcoming.

There are also RSS feeds for the stable patches at:
and test patches at:
and changelogs available:

Please contact me directly if you have any questions or are interested
in this sponsorship opportunity.

