On 04/09/15 14:37, Marc Schiffbauer wrote:
> * philipp.amm...@posteo.de wrote on 04.09.15 at 13:33:
>> On 03.09.2015 23:08, Marc Schiffbauer wrote:
>>> True and what I wanted to say with the OTOH part. But doesn't
>>> this apply to any sponsor
alBox and with KVM
2013/7/15, Javier Juan Martínez Cabezón :
> Hi all
>
> I've been at this for several months and I still don't know if it was a mistake
> of mine while patching PaX with rsbac by hand, or a kernel bug, or it's
> from VirtualBox (the behaviour is horrible,
Excuse me for the erratum, it is #include :S
2013/7/31 Javier Juan Martínez Cabezón
> To be able to compile rsbac kernel CONFIG_UIDGID_STRICT_TYPE_CHECKS and
> CONFIG_USER_NS have to be disabled in kernel config. To apply PaX patch
> fixation patch in kernel 3.10 with PaX Patch to this
To be able to compile rsbac kernel CONFIG_UIDGID_STRICT_TYPE_CHECKS and
CONFIG_USER_NS have to be disabled in kernel config. To apply PaX patch
fixation patch in kernel 3.10 with PaX Patch to this kernel, a
#include has to be included in mprotect.c
2013/7/29 Javier Juan Martínez Cabezón
2013/7/29 Javier Juan Martínez Cabezón
> Hi and thanks for your answer, in rsbac code in namei.c this code:
>
>
> rsbac_name = rsbac_symlink_redirect(dentry-
> >d_inode, link, buflen);
>
> assigns to rsbac_name the result of rsbac_symlink_redirect()
>
> the p
patch should stay equal towards (if switched correct PaX
patch and rsbac patch it only rejects in these four positions and always the
same ones, so fixation patch should work for other versions too.
Thanks a lot pageexec.
2013/7/29 PaX Team
> On 29 Jul 2013 at 6:23, Javier Juan Martín
Hi folks, I have made another rsbac fixation patch to rsbac kernel 3.8
http://git.rsbac.org/cgi-bin/gitweb.cgi?p=linux-3.8.y.git;a=summary
and with PaX 3.8.13
http://grsecurity.net/test/pax-linux-3.8.13-test24.patch
I'm not sure if the stuff related with namei.c file is correct
#ifdef CONFI
x with KVM and segfaults in both.
I
2013/7/16 Jens Kasten
> Hi,
>
> first, which rsbac version are you using?
> Does this bug also appear when you try the rsbac-sources without pax?
>
> Jens
>
> On 2013-07-15 03:07, Javier Juan Martínez Cabezón wrote:
>
> I
m/mprotect.c linux-3.4.1/mm/mprotect.c
--- linuxnopax-3.4.1/mm/mprotect.c 2012-12-03 17:36:16.0 +0100
+++ linux-3.4.1/mm/mprotect.c 2012-08-29 21:51:37.0 +0200
@@ -28,7 +28,11 @@
#include
#include
#include
-
+#ifdef CONFIG_PAX_MPROTECT
+#include
+#include
+#endif
+#inclu
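Review bot: the two added #include lines sit inside an #ifdef CONFIG_PAX_MPROTECT / #endif block in mm/mprotect.c; kernel coding style prefers to keep preprocessor conditionals out of .c files, so include the headers unconditionally and let the headers themselves compile out when the option is off. The header names are not visible in these lines and the hunk is cut off at the following +#inclu line, so neither can be checked here.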
RITY_DAC=y
CONFIG_DEFAULT_SECURITY=""
CONFIG_XOR_BLOCKS=y
CONFIG_ASYNC_CORE=y
CONFIG_ASYNC_MEMCPY=y
CONFIG_ASYNC_XOR=y
CONFIG_ASYNC_PQ=y
CONFIG_ASYNC_RAID6_RECOV=y
CONFIG_CRYPTO=y
#
2013/7/15 Javier Juan Martínez Cabezón
>
> Hi all
>
> I'm with this several months and I still without know
Hi all
I've been at this for several months and I still don't know if it was a mistake
of mine while patching PaX with rsbac by hand, or a kernel bug, or it's
from VirtualBox (the behaviour is horrible, sorry):
After the bug hits system guest gets unusable, hard reset is required,
every command exe
On 26/03/13 16:45, Javier Juan Martínez Cabezón wrote:
> On 26/03/13 16:11, "Tóth Attila" wrote:
>
>>
>> I wonder how these ROP techniques can theoretically perform in a
>> java virtual machine? What are the possible target vectors for
>> Python or Ruby? Wh
On 26/03/13 16:11, "Tóth Attila" wrote:
>
> I wonder how these ROP techniques can theoretically perform in a
> java virtual machine? What are the possible target vectors for
> Python or Ruby? What about JIT code?
http://www.grant-olson.net/python/pyasm
PIE is used in hardened gentoo. If PIE can't protect you against this,
ssp at least could try to do it; this is the reason why
-fstack-protector-all and -D_FORTIFY_SOURCE=2 are needed, and at least
-fstack-protector-all is really widespread in hardened gentoo, as
another security layer.
2013/
On 25/03/13 13:52, PaX Team wrote:
> On 25 Mar 2013 at 9:01, Kfir Lavi wrote:
>
>> Hi,
>> I'm looking for a way to reduce glibc code size.
>> It can be a way to make system smaller and minimize the impact
>> of attack vectors in glibc, as in return-to-libc attack.
>
> study this and draw your con
On 23/01/13 08:17, PaX Team wrote:
> On 22 Jan 2013 at 19:44, Grant wrote:
>
google-chrome suffers intermittent crashes on x86 unless I enable
softmode. Is there any other option to keep it running?
>>>
>>> can you get some details on the nature of crashes? any logs perhaps?
>>> if soft
On 03/12/12 17:58, Javier Juan Martínez Cabezón wrote:
>
> This is the patch.
>
> linuxnopax is kernel 3.4.1 with rsbac patch implemented and PaX broken
> when fail patching (excluded rejections and orig files), linux 3.4.1 is
> handheld solved rejections patched PaX and rs
, can you tell me your opinion? are there broken things?
On 01/12/12 21:37, Anthony G. Basile wrote:
> On 11/22/2012 12:49 PM, Javier Juan Martínez Cabezón wrote:
>>
>>
>> Hi all, I saw that in the last ebuild (3.4.1), PaX is in
>> UNIPATCH_EXCLUDE. What have you Planne
On 01/12/12 21:37, Anthony G. Basile wrote:
> On 11/22/2012 12:49 PM, Javier Juan Martínez Cabezón wrote:
>>
>>
>> Hi all, I saw that in the last ebuild (3.4.1), PaX is in
>> UNIPATCH_EXCLUDE. What have you planned about this?
>>
>> I also knew the existenc
Hi, just to say we have the mailing list archive broken:
http://archives.gentoo.org/gentoo-hardened/
Hi all, I saw that in the last ebuild (3.4.1), PaX is in
UNIPATCH_EXCLUDE. What have you planned about this?
I also learned of the existence of a base rsbac_policy based hardened gentoo
subproject; is there anything written about it?
Thanks for all.
PS: klondike, if you check the logs from mail
Hi all, I saw that in the last ebuild (3.4.1), PaX is in
UNIPATCH_EXCLUDE. What have you planned about this?
I also learned of the existence of a base rsbac_policy based hardened gentoo
subproject; is there anything written about it?
Thanks for all.
On 11/06/12 04:26, Jens Kasten wrote:
>
>
> On 2012-06-08 22:32, Javier Juan Martínez Cabezón wrote:
>> On 08/06/12 21:40, Kevin Chadwick wrote:
>>> On Fri, 8 Jun 2012 16:06:37 +0300
>>> Alex Efros wrote:
>>>
>>>> Actually, I see no reaso
On 08/06/12 21:40, Kevin Chadwick wrote:
> On Fri, 8 Jun 2012 16:06:37 +0300
> Alex Efros wrote:
>
>> Actually, I see no reasons to NOT use hardened on desktops.
>
> Maybe many more would if there was an easy and quick to install and
> maintain compiled distro. More users more compatibility too,
On 08/06/12 21:40, Kevin Chadwick wrote:
> On Fri, 8 Jun 2012 16:06:37 +0300
> Alex Efros wrote:
>
>> Actually, I see no reasons to NOT use hardened on desktops.
>
> Maybe many more would if there was an easy and quick to install and
> maintain compiled distro. More users more compatibility too,
On 08/06/12 13:15, Aaron W. Swenson wrote:
> On 06/08/2012 04:34 AM, Alex Efros wrote:
>> Hi!
>
>> On Fri, Jun 08, 2012 at 12:44:26AM -0700, Grant wrote:
>>> I started a discussion on gentoo-user about the fact that the
>>> hardened profile appears to only be for servers and not desktops.
>>> I th
On 08/06/12 17:35, Anthony G. Basile wrote:
>> Only critical bug is broken VMware/VirtualBox on amd64+hardened.
>
> This one is a moving target. Sometimes broken, times fixed. kvm is
> working very well of late.
Uh!, even with kernexec, uderef, mprotect etc etc etc, with both
hardened host and
Systems compiled with -D_FORTIFY_SOURCE=2 are not vulnerable. If I'm not
wrong it's a format string vulnerability.
2012/1/31 RB
> Not sure how much testing anyone else has done (and it warrants more
> testing), but I just tested this on a rather out-of-date machine
> running hardened-sources-3.0
h a bit of luck they will finish working to Apple.
Microsoft or to... OpenBSD :-)
On 27 January 2012 19:04, Javier Juan Martínez Cabezón <
tazok@gmail.com> wrote:
> Everything that is interesting for the boss is interesting for us (except
> the "howto torture un
Everything that is interesting for the boss is interesting for us (except
the "howto torture university students mechanisms teaching them microkernel
based OS" :P).
What is not of interest is asking about opinions of closed source
microkernel based OS and the opinions of Theo de Raadt about if ac
Let's play your game as you keep mixing up contexts and you're the one
> making blanket statements not me and telling me you know what I know
> better than myself. I merely said that methods of breaking RBAC have
> been discussed and a kernel exploit is one of them.
>
> I haven't seen no methods in
pt is
trusted). I shall check it.
2011/12/14 Alex Efros :
> Hi!
>
> On Wed, Dec 14, 2011 at 04:27:45PM +0100, Javier Juan Martínez Cabezón wrote:
>> I told you, with a secure TPE (so scripts fully controlled) tell me
>> how to write one kernel exploit under bash without calling
> I suggest you do some more reading at grsecurity.net or even the
> OpenBSD mailing list. I haven't got time to hunt down the two references
> that stick in my mind but keep your ears open and you may realise one
> of the kernel exploits could/can/will do just that. Do you really
> believe it's im
> It is an extra security measure for defense in depth.
>
> It allows easy use and a better default widely understood and
> blanket setting that almost any user can understand and switch off and
> so is more likely (not very) to be applied across the board.
>
> It gives admins extra control.
>
A i
> You know you can. No perl binary, or chmod 750 or rbac as I had said.
> All exploits are bugs and it should be harder to escalate privileges
> through perl than by introducing your own C.
Clear, making intensive use under openbsd as you said. With 750, even
with 700, root can still use it, as
nd
/home/hisdir). This can only be controlled with an RBAC approach
nothing more.
And it is not a bug in perl, it is using perl to write exploits; they are
different questions.
2011/12/12 Kevin Chadwick :
> On Mon, 12 Dec 2011 18:38:28 +0100
> Javier Juan Martínez Cabezón wrote:
>
>> N
2011/12/12 Kevin Chadwick
>
> On Mon, 12 Dec 2011 16:23:21 +0100
> Javier Juan Martínez Cabezón wrote:
>
>
>
> Actually I was talking about TPE in Linux not being potentially as
> effective as noexec.
>
>
> You still can't execve and I believe noexec on Linu
About this*:
> What for after the main install, password changes (I use scripts
> allowed via sudo for that and monitor mounts globally but the monitoring
> could be improved like grsecs offering), some programs require it during
> install but not many, none on my OpenBSD mail and web servers.
*
At least now (AFAIK) with KMS ioperm/iopl is not required, only proprietary
drivers need them (and having them running is per se a security bug).
Since now with CONFIG_STRICT_DEVMEM enabled every process is unable to
access any RAM memory (other than video memory, and even with CAP_SYS_RAWIO) I
think it
Well, as an rsbac user I would tell you that the gentoo rsbac docs are not as
obsolete as you might suppose; maybe some questions could be more complete,
but as a starting point they are right. Global RC learning mode and CAP learning
mode have been implemented, other "minor changes" could be for example
disti
Maybe they are looking for a headline like this: gentoo hardened freaks owned
by L00$3R :-)
False sense of security is worse than _put here whateveryouwant_
2011/8/5 Matthew Finkel
> 2011/8/5 Javier Juan Martínez Cabezón
>
> >> Don't click on the link; it's a fucking spammer a
exactly is the fourth time that this critter does this, with these dates: 26
May, 1 June, 26 July and today's one.
On 5 August 2011 14:37, Javier Juan Martínez Cabezón <
tazok@gmail.com> wrote:
> Don't click on the link; it's a fucking spammer and maybe he could
Don't click on the link; it's a fucking spammer and maybe he could be trying to
exploit browser vulnerabilities to get remote access.
Please ban the mail sender IP; it is the second time he did this.
2011/8/5 Corentin Delorme
> I only get a 404 error
>
>
> On Fri, Aug 5, 2011 at 1:53 PM, Jared Tho
These things usually happen when changes are put into the CFLAGS-CXXFLAGS
directly in make.conf instead of using the specs (profile). Without
mprotect, pax does nothing; ASLR is not functional since a return into libc
is not needed to get an exploit working, since PAGEEXEC/SEGMEXEC is
not usefu
Probably you could check whether ssp-related code exists in functions that don't
have character arrays (AFAIK this is the difference between -fstack-protector
(doesn't protect them) and -fstack-protector-all). gdb could be your friend.
2010/7/1 Radoslaw Madej
> On Thursday 01 July 2010 09:16:17 you wrote
Hi, I think it's a bad day to make comparisons with hardened gentoo.
Hardened gentoo traditionally doesn't use only -fstack-protector as
ubuntu does and some others, it uses -fstack-protector-all
everywhere it can. It's an important difference. I think that the
actually ssp bug in the last ver
AFAIK FORTIFY_SOURCE only works on fixed-size buffers. To me ssp is a more
complete (and slightly different) approach, while FORTIFY_SOURCE checks the
existence of a buffer overflow directly, ssp does it by checking the
modification of the canary (indirect approach) but could get applied with
any k
I realized this the hard way, after seeing that the
binaries didn't have the canary inside. After that I compiled the system
with ssp in the unclean way, -fstack-protector-all in CFLAGS and CXXFLAGS in
make.conf with the exception of glibc that works only with
-fstack-protector. I
PS: Or probably in the main kernel too
On 13 May 2010 21:10,
> Maybe I'm wrong (to the boss, please correct me) but it seems that the
> bug is in the perl fastcgi script.
Why do you think it is a PaX bug? It seems that PaX REFCOUNT is doing its
homework.
Maybe I'm wrong (to the boss, please correct me) but it seems that the
bug is in the perl fastcgi script.
The wrong fix to this is disabling PaX_REFCOUNT in your .config that
is nothing more than disabling a security P
50 matches