Hi!
On Sat, Apr 14, 2018 at 12:33:55AM +, Ren Nyo wrote:
> I contacted minipli, and he said that unofficial grsecurity kernel is
> frozen. So we should not wait for him to port KPTI and Meltdown.
Looks like there is no progress so far. :(
Are there any other options for getting a kernel newer th
Hi!
On Wed, Mar 28, 2018 at 06:06:00PM +0100, Robert Sharp wrote:
> Does anyone know of a good, post GRSecurity guide to reasonable security
> for the kernel? In the absence of anything else I will have to go back
> to the KSPP list and start removing stuff until I can get a stable kernel.
I'm
Hi!
On Sat, Sep 09, 2017 at 11:23:46AM +0200, "Tóth Attila" wrote:
> I don't use docker myself, but if we are speaking about
> CONFIG_GRKERNSEC_PROC_USER and CONFIG_GRKERNSEC_PROC_USERGROUP, it would
> be important to know what GID is specified in CONFIG_GRKERNSEC_PROC_GID?
It's 3 (group "sys").
Hi!
It looks like when connecting to an existing docker container with `docker
exec`, CONFIG_GRKERNSEC_PROC_USERGROUP (and probably
CONFIG_GRKERNSEC_PROC_USER too) hides processes started by `docker run`
from processes started by `docker exec` (all processes are running as
docker "root", docker daemon
Hi!
On Tue, Aug 15, 2017 at 10:39:30PM +0200, philipp.amm...@posteo.de wrote:
> You don't really need an ebuild. What I do is manually install
> sys-devel/bc and then:
...
> Whenever there is a new release simply run 'git pull'.
An ebuild is useful anyway - if it's not - then it lets me control
Hi!
Quoting news item:
> As an alternative, for users happy keeping themselves on the stable
> 4.9 branch of the kernel minipli, another Grsec user, is forward
> porting the patches on [3].
>
> Strcat from Copperhead OS is making his own version of the patches
> forward ported to the latest versi
Hi!
On Fri, Jun 23, 2017 at 12:28:27PM -0400, Anthony G. Basile wrote:
> My plan then is as follows. I'll wait one more month and then send out
> a news item and later mask hardened-sources for removal.
Well, it's about a month now. I didn't reply earlier because others
already mentioned all g
Hi!
On Fri, May 12, 2017 at 09:10:43PM +0200, "Tóth Attila" wrote:
> Please take a look at the reply of PaxTeam posted on the openwall
> mailing list:
> http://openwall.com/lists/kernel-hardening/2017/05/11/2
What for? It's pointless. Only a very few people are really interested
(i.e. not jus
Hi!
On Tue, May 02, 2017 at 09:58:18PM +0200, Daniel Cegiełka wrote:
> This means that any future solution will not be compatible with current
> PaX support.
It doesn't mean that. That may happen, or not - if someone bothers
about compatibility, for example.
I also think it makes sense to
Hi!
On Sun, Apr 30, 2017 at 04:00:39PM +0300, Andrew Savchenko wrote:
> The only way to preserve this functionality in the long run is to
> port it to the mainline kernel. This will not be easy, most likely
> not everything will be accepted, some stuff will have to be
> reimplemented using another
Hi!
On Sun, Apr 30, 2017 at 01:55:16PM +0200, SK wrote:
> And it's not about money from what I've read, should read this if you
> want some more information :
If it's all just about credits, ego and personal conflict with LF - why
the hell does it affect everybody else? AFAIK Gentoo Hardened an
Hi!
On Sat, Apr 29, 2017 at 07:46:10PM +0300, Alex Efros wrote:
> Thanks! But doesn't this mean you forbid all Linux distributions (including
> commercial ones like RedHat) to be GrSec/PaX subscribers (in case they
> like to spend some money for it)? I.e. this decision will ensure
Hi!
On Sat, Apr 29, 2017 at 03:46:54PM +0200, PaX Team wrote:
> > But at soon as their customers (say, some government org or large
> > company) will APPLY that patch to Linux kernel and try to DISTRIBUTE that
> > kernel on their computers
>
> there's no need to speculate on this, the FSF has alr
Hi!
On Sat, Apr 29, 2017 at 01:49:20PM +0200, Luis Ressel wrote:
> in case anyone hasn't read in on LWN yet, here's what I'm talking
> about: https://grsecurity.net/passing_the_baton.php
Sorry for OT, but is this legal? Or, more correctly, will this work?
Sure, they can sell their patch to Lin
Hi!
On Sat, Apr 29, 2017 at 01:49:20PM +0200, Luis Ressel wrote:
> I suppose we all just grudgingly switch over to gentoo-sources?
I wonder for how long the current kernel with grsec will be safer and
better protected against new exploits than up-to-date gentoo-sources…
Something new in security: a
Hi!
I'm using 4.8.17-hardened-r2, Core i7-2600K @ 4.5GHz, nvidia&virtualbox.
Because of nvidia-drivers I had to switch off CONFIG_PAX_RAP.
Because of virtualbox-modules I had to switch off CONFIG_PAX_RANDKSTACK
and CONFIG_PAX_MEMORY_UDEREF.
Because of both I can't use KERNEXEC method "or".
All ot
Hi!
On Sat, Sep 19, 2015 at 09:33:15PM +0200, PaX Team wrote:
> > > 1. enable ELFRELOCS in your kernel config (and keep MPROTECT enforced
> > >on all binaries)
> > Done. This works. I don't really like it, but let it be, at least for now.
> well, disabling MPROTECT is much worse, this way you
Hi!
On Sat, Sep 19, 2015 at 09:33:15PM +0200, PaX Team wrote:
> did you see only a single log per executable or two? i'm asking it
> because this method of runtime codegen would produce two messages
> (and the grsec log message is actually wrong as it's not a denial
> but rather the opposite, spen
Hi!
On Sat, Sep 19, 2015 at 05:50:20PM +0200, PaX Team wrote:
> so there're two things left to do:
> 1. enable ELFRELOCS in your kernel config (and keep MPROTECT enforced
>on all binaries)
Done. This works. I don't really like it, but let it be, at least for now.
At a glance the only difference
Hi!
On Sat, Sep 19, 2015 at 04:14:17PM +0200, PaX Team wrote:
> 3e3ef95fd0351495d400147b994b1978
> /usr/lib64/opengl/nvidia/lib/libGLdispatch.so.0
This lib in 355.11 on my system has the same MD5.
Looks like the previous (352.41) nvidia-drivers didn't have this lib.
> so try "readelf -edW /usr/lib64
Hi!
On Sat, Sep 19, 2015 at 02:06:45AM +0300, Alex Efros wrote:
> And it was able to work without it before I updated nvidia-drivers, so
> maybe something is wrong with this nvidia-drivers version.
This issue also affects many other apps, for example:
$ xxkb
xxkb: error wh
Hi!
I've just updated from nvidia-drivers-352.30 to 355.11, and after reboot
pidgin failed to start:
pidgin: error while loading shared libraries:
/usr/lib64/libGLdispatch.so.0: cannot make segment writable for
relocation: Permission denied
and kernel log is:
kern.alert: grsec:
Hi!
On Thu, Aug 20, 2015 at 05:21:23PM +0200, "Tóth Attila" wrote:
> I see two similar bug reports, I suppose:
> https://bugs.gentoo.org/show_bug.cgi?id=558280
> is a duplicate... Am I right?
Yep. On form submit I got a mysql connection error from bugzilla and
reloaded the page, re-sending the POST.
Hi!
Subj happens on my 2 servers with different hardware, but both servers are
32-bit. So, be careful when upgrading to 4.1.4-hardened on 32-bit systems.
https://bugs.gentoo.org/show_bug.cgi?id=558282
--
WBR, Alex.
Hi!
On Fri, Feb 27, 2015 at 10:38:34AM -0600, Alex Brandt wrote:
> Somewhat sarcastic but actually true. I don't recommend running
> production applications inside of Gentoo based containers.
This makes sense for Gentoo, but my question was CC'd to this list not as
off-topic, my host will be Har
Hi!
On Thu, Feb 26, 2015 at 11:35:34AM +0100, F. Alonso wrote:
> I agree with containers do not improve security.
I agree too, but my original question was about how to avoid LOWERING
security if we move our apps/services into containers.
I didn't expect containers to really increase security (
Hi!
What is the recommended way to update Docker containers with Gentoo?
I mean, each container is supposed to be small and unique, having
installed only the packages needed for the app which will run in this container.
So, with 100 different apps we may have 100 different containers with
Gentoo, each with c
Hi!
On Sat, Feb 21, 2015 at 12:45:57AM +1100, James Taylor wrote:
> Not sure if there is any preferred method for sending patches, but
> here's a second attempt with an attachment :)
I'm afraid any patches on the mailing list will be ignored, please use
https://bugs.gentoo.org/
--
Hi!
I wonder if something has changed in the handling of "grsec: denied RWX mprotect"?
Previously when I saw this in the kernel log it usually resulted in killing the app
(and I had to run `paxctl-ng -m /that/app`), but now it looks like this
doesn't happen anymore. For example:
# eselect opengl list
Available Op
Hi!
I can also confirm that a workstation with GrSecurity+PaX (without RBAC/SELinux)
is very easy to set up and works very well nowadays - all you need is to
carefully set the kernel options related to GrSecurity and PaX and rebuild the
whole system using hardened gcc.
Problematic software are nvidia-drivers (it wor
Hi!
On Wed, Aug 06, 2014 at 01:21:56PM +0400, Jason Zaman wrote:
> install-xattr-0.3 has all the fixes in it and is stable on most arches
> already. Portage 2.2.11 has the patch to use it too and is ~ still so
> you do not need to patch anything manually anymore.
>
> It has been working for me th
Hi!
On Thu, Jun 26, 2014 at 08:57:12AM -0400, Anthony G. Basile wrote:
> Thanks Alex, perfinion hit this bug and fixed it. Can you test with
> install-xattr-. I don't want to push out a minor bump just for one
> patch until we get more testing done.
Are you going to release this any time
Hi!
I've just tried to run a game which worked several months ago and got a
segfault with this message in the kernel log:
2014-07-15_21:38:42.73335 kern.alert: grsec: denied marking stack executable as
requested by PT_GNU_STACK marking in
/mnt/storage/games/DungeonDefenders/UDKGame/Binaries/DungeonD
Hi!
On Tue, Jul 15, 2014 at 11:28:38AM -0400, Anthony G. Basile wrote:
> ./hardened-sources-3.14.12-r1.ebuild
I've tested this one for 30 minutes on an amd64 workstation - everything
works fine and there were no significant differences in logs compared to
3.14.11-hardened-r1.
> ./hardened-sources-3.
Hi!
On Fri, Jul 11, 2014 at 09:00:35PM +0300, Balint Szente wrote:
> It is not always possible to reboot with the previous kernel. There are
Yeah, that's one more reason why the user should decide whether it is better for him
to update to the ~ARCH kernel or wait until it is stabilized.
> This is not a rem
Hi!
On Fri, Jul 11, 2014 at 12:54:09PM -0400, Alex Xu wrote:
> > - Gentoo is usually slower than other distributions on this, which is sad
> gentoo also has fewer devs and less manpower than other distributions,
> full stop.
Sure, that's why I've said it's just "sad".
> > - Hardened kernels are
Hi!
On Fri, Jul 11, 2014 at 07:55:02AM -0400, Anthony G. Basile wrote:
> > Does anyone bother to stabilize 3.14.11-r1 anytime soon because of subj?
>
> Anyone = me. You can address these concerns to me personally as I am
> responsible. Bugs are best so we have a public record.
>
> I am aware of t
Hi!
Does anyone bother to stabilize 3.14.11-r1 anytime soon because of subj?
--
WBR, Alex.
Hi!
On Thu, Jun 26, 2014 at 08:57:12AM -0400, Anthony G. Basile wrote:
> Thanks Alex, perfinion hit this bug and fixed it. Can you test with
> install-xattr-. I don't want to push out a minor bump just for one
> patch until we get more testing done.
I've re-emerged all packages which use
Hi!
It fails on my package dev-inferno/inferno (take it from the "powerman"
overlay or just view it here
https://code.google.com/p/powerman-overlay/source/browse/dev-inferno/inferno/inferno-20140617.ebuild
Here is emerge output:
cc -m32 -o o.out styxtest.o
/var/tmp/portage/dev-inferno/inferno-2014061
Hi!
Is it possible to use aufs3 with hardened?
Every time I try it the aufs patch fails to apply on the hardened kernel.
--
WBR, Alex.
Hi!
On Sun, Jun 08, 2014 at 07:41:51PM +0200, "Tóth Attila" wrote:
> Alex reported correct XATTR marking and incorrect PT marking. He also
> told, that he disabled PT support in his kernel config. He was affected by
> the issue, but it's not clear for me: whether disabling PT support in
> kernel s
Hi!
On Sun, Jun 08, 2014 at 10:31:58AM +0200, "Tóth Attila" wrote:
> > When running with a pax kernel, you must enable EMUTRAMP in your Kconfig
> > and you must paxmark your python exe's with E. Note: EMUTRAMP is on by
> > default and the ebuild automatically does the markings for you, so leave
>
Hi!
On Sat, Jun 07, 2014 at 11:48:53PM +0200, "Tóth Attila" wrote:
> > Some time ago I noticed this in kernel logs:
> > kern.alert: grsec: denied RWX mmap of by
> > /usr/lib64/python-exec/python2.7/layman[layman:9717] uid/euid:0/0
> > gid/egid:0/0, parent /bin/bash[sh:9695] uid/euid:0
Hi!
Some time ago I noticed this in kernel logs:
kern.alert: grsec: denied RWX mmap of by
/usr/lib64/python-exec/python2.7/layman[layman:9717] uid/euid:0/0
gid/egid:0/0, parent /bin/bash[sh:9695] uid/euid:0/0 gid/egid:0/0
Looks like it doesn't break layman, but I still wonder why it
Hi!
Not sure if this is a "bug", so I'll reply here: 3.14.5-r2 is not compatible
with the latest stable nvidia-drivers, but it looks like it works with ~ 337.25.
So it may make sense to stabilise both at the same time.
--
WBR, Alex.
Hi!
On Mon, Sep 09, 2013 at 05:26:57PM -0400, Anthony G. Basile wrote:
> You can use XT_PAX provided you're not running something like a
> tinderbox, ie doing massive amounts of ebuilds. The problem is that
> install is being wrapped by install.py. As a result every instance of
> install mean
Hi!
On Tue, Oct 01, 2013 at 09:21:00PM +0200, Hinnerk van Bruinehsen wrote:
> > I can test proprietary nvidia if someone provides me with a modified ebuild
> > or patch or instructions on what to do.
> If you want to try, you could try the xorg-2.eclass from here:
I've tried both rebuilding only xorg
Hi!
On Tue, Oct 01, 2013 at 09:21:00PM +0200, Hinnerk van Bruinehsen wrote:
> If you want to try, you could try the xorg-2.eclass from here:
>
> https://github.com/N8Fear/hvb-overlay/blob/master/eclass/xorg-2.eclass
>
> either by temporarily overwriting the one from the portage tree or otherwise
Hi!
On Tue, Oct 01, 2013 at 04:35:29PM +0200, Hinnerk van Bruinehsen wrote:
> I've had no time to create a hardened environment on my only nvidia machine to
> test nouveau and nvidia (the proprietary one).
I can test proprietary nvidia if someone provides me with a modified ebuild
or patch or instru
Hi!
On Sat, Sep 14, 2013 at 12:16:20AM +0400, Peter Volkov wrote:
> There are other use-cases where this warning is useless, like running
> virtualbox inside openvz container :) /usr/bin/VirtualBox binary is a
> shell script that you can easy modify to avoid this warning. That said I
> don't think
Hi!
Each time any of the VirtualBox commands is started it prints this useless warning:
---cut---
libkmod: kmod_module_new_from_loaded: could not open /proc/modules: Permission
denied
Error: could not get list of modules: Permission denied
WARNING: The VirtualBox kernel modules are not loaded.
Hi!
On Wed, Sep 11, 2013 at 11:44:07PM +0300, Balint Szente wrote:
> So I disabled CONFIG_PAX_MPROTECT for the moment.
It's much better to `paxctl-ng -m /usr/bin/Xorg` instead. And probably a few
other applications (mplayer, glxgears, etc.).
Also, you can install latest stable nvidia-drivers by s
Hi!
On Mon, Sep 09, 2013 at 05:26:57PM -0400, Anthony G. Basile wrote:
> install is being wrapped by install.py. As a result every instance of
> install mean invoking the python interpreter. With lots and lots of
> installs, this adds up to being very slow.
Why not just add a patch for `insta
Hi!
On Mon, Sep 09, 2013 at 09:30:56AM -0400, Michael Orlitzky wrote:
> That is, can I disable PT_PAX, enable XATTR_PAX, reboot, and run
> migrate-pax? Or might that cause problems?
You can migrate with just one reboot, but the order of actions is different:
1. Build new kernel with PT_PAX disabled
Hi!
On Tue, Aug 06, 2013 at 12:58:12PM +0800, Pavel Labushev wrote:
> I wouldn't call such news good. KERNEXEC, especially on x86_64, plays a
> big role in protecting the kernel from both local and remote attacks.
> KVM doesn't require such arguable compromises (no pun intended).
True. But KVM un
Hi!
On Wed, Dec 26, 2012 at 02:04:34AM +0200, Alex Efros wrote:
> So, looks like until VMware/VirtualBox support will be fixed for amd64
> hardened, I can't do my work without maintaining second non-hardened
> kernel and rebooting between hardened and non-hardened kernels each ti
Hi!
On Mon, Jul 08, 2013 at 09:03:43AM -0400, Anthony G. Basile wrote:
> In your make.conf set PAX_MARKINGS="PT" in the former case or
> PAX_MARKINGS="XT". It is safe to set both: PAX_MARKINGS="PT XT"
What is the default if it's not set? I don't remember it being mentioned in the "PT to
XT migration howto"
Hi!
On Mon, Jul 08, 2013 at 01:34:07AM +0200, "Tóth Attila" wrote:
> I have a feeling some system settings are wrong. These things happen the
> same way on my laptop and the server.
I'm too sleepy now and may have misunderstood your issue, but at a glance:
1) don't enable both PT and XT in the kernel, choos
Hi!
On Wed, Mar 20, 2013 at 05:24:09PM +0100, PaX Team wrote:
> > Anyway, I've tried 3.8.3, and see no difference at all on 32-bit system:
>
> which grsec is that? the last bits of the fix went in like 2 days ago only,
> i think gentoo's ebuild uses an older patch than that. best would be if you
Hi!
On Wed, Mar 20, 2013 at 10:15:16AM +0100, PaX Team wrote:
> > > https://bugs.gentoo.org/show_bug.cgi?id=462430
>
> next time add me to the bug if you expect an answer instead of spamming
> every possible forum.
Ok.
> nevertheless to reduce the pain i've fixed the gap accounting in that thes
Hi!
On Wed, Mar 20, 2013 at 09:25:07AM +0200, Alex Efros wrote:
> https://bugs.gentoo.org/show_bug.cgi?id=462430
>
> Any ideas which grsec/pax option may result in this (subj) behavior?
Looks like PAX_RANDMMAP is broken (or improved too much). If trivial tools
like tcpserver on 32-b
Hi!
https://bugs.gentoo.org/show_bug.cgi?id=462430
Any ideas which grsec/pax option may result in this (subj) behavior?
--
WBR, Alex.
Hi!
On Sat, Dec 22, 2012 at 12:13:26PM -0500, Anthony G. Basile wrote:
> The best way to get to know what its all about is to help me with the
> documentation. I'll upload it after discussion. Its at
>
> http://dev.gentoo.org/~blueness/zzz/pax-quickstart.xml
>
> It describes pretty much anyth
Hi!
On Sat, Dec 22, 2012 at 10:39:08AM -0500, Michael Orlitzky wrote:
> Use KVM, it works well enough. The libvirt and virt-manager stuff was
I've spent these days playing with it. I've converted Win7 64-bit from my
VMware and after fixing a lot of things here and there finally got it to work.
It
Hi!
On Mon, Dec 24, 2012 at 03:37:14AM +0100, Francisco Blas Izquierdo Riera
(klondike) wrote:
> On 24/12/12 03:16, Alex Efros wrote:
> > 2012-12-23_20:45:19.15938 kern.alert: grsec: From 75.101.174.3:
> > Segmentation fault occurred at 14e2 in /usr/sbin/apache2[apache2
Hi!
Please take a look at
http://serverfault.com/questions/460429/clone2-30-sec-delay-in-apache
I didn't think it might be related to hardened but I've just found this in the
kernel logs:
2012-12-23_20:45:19.15938 kern.alert: grsec: From 75.101.174.3: Segmentation
fault occurred at 14e2 in /usr/s
Hi!
Ok, let's forget about VMware/VirtualBox, 3D acceleration, MacOSX…
I want all of this, but, hell, I can probably live without it.
Does there exist __ANY__ way to run at least Win7 on 64-bit hardened gentoo
with good enough speed for comfortable use (on fast enough modern system:
Core i7 @ 4.6
Hi!
On Wed, Dec 19, 2012 at 02:00:59PM -0500, 7v5w7go9ub0o wrote:
> Found this interesting:
New features are cool, but maybe someone will finally fix VMware/VirtualBox,
broken for year(s) on hardened amd64? I think this is much more important.
Sorry for the off-topic.
--
WBR,
Hi!
Is it possible to work around /proc/net restrictions to let conky access
network traffic stats without running `sudo conky` or disabling
CONFIG_GRKERNSEC_PROC_USER? Maybe using `setfacl` or something like that
to mark /usr/bin/conky allowed to access /proc/net?
--
WBR
Hi!
On Sun, Jun 10, 2012 at 04:59:27PM +0300, Alex Efros wrote:
> If anyone is interested, I've fixed the BFS patch for 3.2.11-hardened:
> http://powerman.name/download/kernel/3.2-hardened-sched-bfs-416.patch
Update for 3.4.2-hardened-r1:
http://powerman.name/download/kernel/3.4-hardened-sc
Hi!
On Wed, Jun 27, 2012 at 02:33:49AM +0200, Francisco Blas Izquierdo Riera
(klondike) wrote:
> > Correct me if I'm wrong, but enabling IPv6 means needing to support two
> > different routing tables and two different firewalls.
> Different routing tables maybe but the firewall is still the same,
Hi!
On Mon, Jun 25, 2012 at 08:58:49AM -0500, Matthew Thode wrote:
> > I'm alerting users so that you can make whatever changes you like to
> > ipv6 in your /etc/make.conf. In about 24 hours I will turn on by
> > default ipv6 on all hardened profiles.
> I use ipv6 on all my servers (not that ever
Hi!
If anyone is interested, I've fixed the BFS patch for 3.2.11-hardened:
http://powerman.name/download/kernel/3.2-hardened-sched-bfs-416.patch
I've formatted it similarly to the original patch
http://ck.kolivas.org/patches/bfs/3.2.0/3.2-sched-bfs-416.patch
so they can be easily compared using vimdiff etc.
P.
Hi!
On Fri, Jun 08, 2012 at 11:35:28AM -0400, Anthony G. Basile wrote:
> > Only critical bug is broken VMware/VirtualBox on amd64+hardened.
>
> This one is a moving target. Sometimes broken, times fixed. kvm is
> working very well of late.
KVM is able to run Win7 and MacOS with speed comparab
Hi!
On Fri, Jun 08, 2012 at 07:15:40AM -0400, Aaron W. Swenson wrote:
> >> I started a discussion on gentoo-user about the fact that the
> >> hardened profile appears to only be for servers and not desktops.
> >> I thought I'd check with you guys on this. Is that the case?
Actually, I see no rea
Hi!
On Fri, Jun 08, 2012 at 12:44:26AM -0700, Grant wrote:
> I started a discussion on gentoo-user about the fact that the hardened
> profile appears to only be for servers and not desktops. I thought
> I'd check with you guys on this. Is that the case?
I'm using hardened on desktop in last ~6-
Hi!
I'm not sure if this is the right place to ask…
What is the current status of filesystem xattr, acl and caps?
I usually keep all of this disabled in the kernel, because I don't use them
and want to avoid needless complexity. But today consolekit (which I don't
use, but which is installed anyway as someo
Hi!
On Fri, May 18, 2012 at 02:56:06AM +, Pavel Labushev wrote:
> > Somebody should pull the brakes, please.
> My humble advise: try making your own custom scripts for runit, minit or
Actually, if you decide to go this way, you'll probably find that the packages from my
overlay 'powerman' are a good startin
Hi!
On Fri, Feb 24, 2012 at 03:41:27PM +0200, PaX Team wrote:
> well, as i suggested it in bugzilla, i'd need to capture information about
> the crash (probably triple fault), and the best approach would be some nested
> virtualization setup. i have no idea how to do it easily (one way would be to
Hi!
On Wed, Feb 15, 2012 at 02:18:59PM +0200, pagee...@freemail.hu wrote:
> > I can't try gentoo-sources and hardened-sources with exactly same
> > vmware-modules, because of extra patches needed for vmware-modules to make
> > it compatible with hardened, and these patches incompatible with
> > n
Hi!
On Tue, Feb 14, 2012 at 12:39:04PM -0800, Grant wrote:
> Is there any way to fix this or should I look for a different browser?
Use firefox-bin. Or do you have to compile it yourself?
--
WBR, Alex.
Hi!
I've just tried virtualbox-bin-4.1.8 on 3.2.2-hardened-r1 (with GRSEC and
PAX enabled) - it doesn't reset the host, but refuses to run as non-root,
and even as root it didn't work anyway: when I try to start a newly
created guest it says 'some error happens, see logs' and does nothing. And
it logs
Hi!
I've just converted my system from x86 to amd64 (Core i7), and one of the
things which became broken because of this is vmware. When I start any
guest my host immediately resets, and after booting I didn't see anything
in the logs - neither in the kernel's nor in vmware's logs.
I've experimented with differ
Hi!
On Sat, Jan 28, 2012 at 03:33:51PM +0200, Alex Efros wrote:
> $ dumpcap
> dumpcap: Can't get list of interfaces: Can't open netlink socket 93:Protocol
> not supported
This one is solved by enabling CONFIG_NF_CT_NETLINK in the kernel.
Actually I think it needs CONFIG_NETFIL
Hi!
On Sat, Jan 28, 2012 at 03:16:28PM -0500, 7v5w7go9ub0o wrote:
> gcc. (I'm using vanilla because I'm also using nvidia drivers, which
> apparently need to be both compiled with a vanilla compiler, and need to
Actually I'm compiling nvidia-drivers with hardened gcc all the time.
But you'll need
Hi!
On Sat, Jan 28, 2012 at 03:23:58PM +0200, Alex Efros wrote:
> > i think it's GRKERNSEC_SYSFS_RESTRICT that could cause this, do you have it
> > enabled?
> Hmm. Sure. You think I shouldn't have it enabled?
Okay, I've disabled it: running wireshark as root proba
Hi!
On Sat, Jan 28, 2012 at 02:12:19PM +0200, pagee...@freemail.hu wrote:
> > $ dumpcap
> > dumpcap: Can't get list of interfaces: Can't open /sys/class/net:
> > Permission denied
>
> i think it's GRKERNSEC_SYSFS_RESTRICT that could cause this, do you have it
> enabled?
Hmm. Sure. You think I
Hi!
On Sat, Jan 28, 2012 at 01:02:40AM +0200, Alex Efros wrote:
> > can you generate a coredump and see what the backtrace shows?
>
> Actually I can't get core. :-/ Look:
>
> I've re-emerged wireshark using this:
>
> # CFLAGS="-march=prescott -O
Hi!
But… as far as I see, it was just _one_ attempt to access a NULL pointer
because of a very usual bug. The question is, why did that trigger
CONFIG_GRKERNSEC_BRUTE? Doesn't the word "brute" suppose many similar incidents
happening in a short period of time, not just one? As for me, killing all the
user's proc
Hi!
On Sat, Jan 28, 2012 at 03:50:22AM +0200, Alex Efros wrote:
> #0 0xb749f152 in __readdir64 (dirp=0x0) at ../sysdeps/unix/readdir.c:45
> dp =
> saved_errno =
> #1 0xb759d7ea in scan_sys_class_net (devlistp=0xbfffe488,
> errbuf=0xbfffe4dc "
Hi!
On Sat, Jan 28, 2012 at 01:48:01AM +0200, pagee...@freemail.hu wrote:
> gosh i knew i'd forgot something:
btw, glibc with debug has been merged :)
(gdb) run
Starting program: /usr/bin/dumpcap
[Thread debugging using libthread_db enabled]
Program received signal SIGSEGV, Segmentation fault.
0xb
Hi!
On Sat, Jan 28, 2012 at 01:07:43AM +0200, pagee...@freemail.hu wrote:
> > Program received signal SIGSEGV, Segmentation fault.
> > 0xb75fd152 in readdir64 () from /lib/libc.so.6
> x/16i $pc
> x/16x $sp
>
> and based on the disasm i'll need more info later.
Program received signal SIGSEGV, Se
Hi!
I've re-emerged libpcap and ran this:
$ gdb dumpcap --batch --quiet -ex 'run' -ex 'thread apply all bt full' -ex quit
What's next? Recompile glibc with the same CFLAGS/FEATURES and try again?
[Thread debugging using libthread_db enabled]
Program received signal SIGSEGV, Segmentation fault.
0x
Hi!
On Sat, Jan 28, 2012 at 01:02:40AM +0200, Alex Efros wrote:
> Is this enough, or I can do more?
Ok, this one is better:
# paxctl -mr /usr/bin/dumpcap
$ gdb dumpcap
(gdb) run
Starting program: /usr/bin/dumpcap
[Thread debugging using libthread_db enabled]
Program received signal SIGS
Hi!
On Fri, Jan 27, 2012 at 10:40:43PM +0200, pagee...@freemail.hu wrote:
> > 2) When wireshark started by non-root user this option kill all my
> > processes (https://bugs.gentoo.org/show_bug.cgi?id=379369):
> can you generate a coredump and see what the backtrace shows?
Actually I can't ge
Hi!
On Fri, Jan 27, 2012 at 03:14:12PM -0600, Matthew Thode wrote:
> You should be using the virt profile.
Why? As far as I understand, the virt profile is for the guest OS, not the host OS.
--
WBR, Alex.
Hi!
Two small notes related to security level defaults:
1) On my system vmware reboots the host OS when starting a guest OS if either one
(or both) of these are enabled:
CONFIG_PAX_KERNEXEC (enabled by default on workstation security level)
CONFIG_PAX_MEMORY_UDEREF
2) When wireshark started
Hi!
If you ever wondered how exactly the predefined security levels differ, you'll
find this information here. :) I've compared them, plus I did some
benchmarking (Core2Duo E6600, 32bit OS, hardened-sources-3.1.5,
single-user mode, kernel compile with -j3 as average user+sys time in 3 tests).
This inf
Hi!
On Wed, Jan 04, 2012 at 11:12:23PM +0100, "Tóth Attila" wrote:
> On two systems I got the following messages while running revdep-rebuild.
> What should I do next?
...
> *** glibc detected *** sed: double free or corruption (!prev): 0x11770008 ***
I've seen that before a few times (with differe