Re: [gentoo-hardened] systemd sample rules for grsecurity

2013-12-15 Thread Anthony G. Basile
u use systemctl to set up the services you want on reboot otherwise you'll get pretty much no daemons/services running. -- Anthony G. Basile, Ph. D. Chair of Information Technology D'Youville College Buffalo, NY 14201 (716) 829-8197

Re: [gentoo-hardened] gradm admin role issues

2014-01-12 Thread Anthony G. Basile
On 01/10/2014 04:32 AM, Alexander Tiurin wrote: Hi! I can't use the gradm admin role in more than one shell session. If I run a new shell and enter gradm -a admin I receive "Invalid password". At the same time the grsec logs are empty. Any ideas? What changed? -- Anthony G. Basile,

[gentoo-hardened] yet another alternative libc

2014-01-29 Thread Anthony G. Basile
eleng.git;a=tree;f=tools-musl [4] http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=tree -- Anthony G. Basile, Ph.D. Gentoo Linux Developer [Hardened] E-Mail: bluen...@gentoo.org GnuPG FP : 1FED FAD9 D82C 52A5 3BAB DC79 9384 FA6E F52D 4BBA GnuPG ID : F52D4BBA

Re: [gentoo-hardened] 3.13.0 keeps crashing on me

2014-02-07 Thread Anthony G. Basile
st you test the latest. Yesterday Brad pushed 3.13.1. Today he already pushed another 3.13.1 patchset. Let me know if either of those fixes it; otherwise, open a bug and we'll let upstream know. Ref [1] http://forums.grsecurity.net/viewtopic.php?f=3&t=3917 -- Anthony G. Basile, Ph.

Re: [gentoo-hardened] linux32 chroot issue

2014-02-22 Thread Anthony G. Basile
by trying this: `for i in /proc/sys/kernel/grsecurity/chroot_* ; do echo 0 > $i ; done` Also, can you give me your `df -a` so I can see what is mounted in the chroot. Run that from *outside* the chroot. -- Anthony G. Basile, Ph. D. Chair of Information Technology D'Youville College Buffalo, NY 14201 (716) 829-8197

Re: [gentoo-hardened] linux32 chroot issue

2014-02-27 Thread Anthony G. Basile
p you. If you figure out what *is* different let us know. -- Anthony G. Basile, Ph. D. Chair of Information Technology D'Youville College Buffalo, NY 14201 (716) 829-8197

Re: [gentoo-hardened] Weird coincidental PAX crashes

2014-05-10 Thread Anthony G. Basile
pses so we have a record in bugzilla. Email just buries this info. -- Anthony G. Basile, Ph. D. Chair of Information Technology D'Youville College Buffalo, NY 14201 (716) 829-8197

Re: [gentoo-hardened] Weird coincidental PAX crashes

2014-05-15 Thread Anthony G. Basile
On 05/13/14 15:39, Joshua Kinard wrote: On 05/10/2014 09:43, Anthony G. Basile wrote: On 05/10/14 07:39, Michael Orlitzky wrote: On 05/10/2014 07:14 AM, Joshua Kinard wrote: I think I ran into this, too, in 3.11. It takes a few days of uptime before it happens. Running 3.13.x now on my x64

[gentoo-hardened] hardened-sources wrt CVE-2014-3153 and CVE-2014-0196

2014-06-07 Thread Anthony G. Basile
And you complain via bugs so that when my spider senses suggest it's time for a new kernel, I look through the bugs and see which one is "good enough". -- Anthony G. Basile, Ph. D. Chair of Information Technology D'Youville College Buffalo, NY 14201 (716) 829-8197

Re: [gentoo-hardened] hardened-sources wrt CVE-2014-3153 and CVE-2014-0196

2014-06-07 Thread Anthony G. Basile
On 06/07/14 17:51, "Tóth Attila" wrote: On 7 June 2014 (Sat) at 15:07, Anthony G. Basile wrote: This is one of those rare situations where there are enough serious bugs against the kernel that we may have to rapid stabilize hardened-sources-3.2.59-r5 and 3.14.5-r2. These are

Re: [gentoo-hardened] denied RWX mmap by layman

2014-06-07 Thread Anthony G. Basile
ter job at getting this information out. mea culpa. -- Anthony G. Basile, Ph. D. Chair of Information Technology D'Youville College Buffalo, NY 14201 (716) 829-8197

Re: [gentoo-hardened] denied RWX mmap by layman

2014-06-08 Thread Anthony G. Basile
On 06/08/14 04:31, "Tóth Attila" wrote: On 8 June 2014 (Sun) at 02:55, Anthony G. Basile wrote: On 06/07/14 17:48, "Tóth Attila" wrote: On 7 June 2014 (Sat) at 23:22, Alex Efros wrote: Some time ago I noticed this in kernel logs: kern.alert: grsec: de

Re: [gentoo-hardened] setting up pvgrub on a xen based vps

2014-06-10 Thread Anthony G. Basile
e a menu.lst. Can you use it as a model? -- Anthony G. Basile, Ph. D. Chair of Information Technology D'Youville College Buffalo, NY 14201 (716) 829-8197

Re: [gentoo-hardened] denied RWX mmap by layman

2014-06-10 Thread Anthony G. Basile
On 06/09/14 11:43, Michael Orlitzky wrote: On 06/07/2014 08:55 PM, Anthony G. Basile wrote: When running with a pax kernel, you must enable EMUTRAMP in your Kconfig and you must paxmark your python exe's with E. Note: EMUTRAMP is on by default and the ebuild automatically does the mar

Re: [gentoo-hardened] denied RWX mmap by layman

2014-06-10 Thread Anthony G. Basile
On 06/09/14 11:51, Jason Zaman wrote: On Mon, Jun 9, 2014 at 7:43 PM, Michael Orlitzky wrote: On 06/07/2014 08:55 PM, Anthony G. Basile wrote: When running with a pax kernel, you must enable EMUTRAMP in your Kconfig and you must paxmark your python exe's with E. Note: EMUTRAMP is

Re: [gentoo-hardened] XATTR_PAX migration wiki

2014-06-13 Thread Anthony G. Basile
d what was happening. Thanks for your work. I haven't fully understood why sometimes you need to add this and sometimes you don't --- kernel versions? Different arches? Nonetheless, you're right on this. -- Anthony G. Basile, Ph. D. Chair of Information Technology D'Youv

Re: [gentoo-hardened] XATTR_PAX migration wiki

2014-06-14 Thread Anthony G. Basile
l markings off. Or you could just change the default behavior of mount to mount -o user_xattr and the user would then have to mount -o nouser_xattr to turn user.* off. Comments? -- Anthony G. Basile, Ph. D. Chair of Information Technology D'Youville College Buffalo, NY 14201 (716) 829-8197

[gentoo-hardened] Help testing full end-to-end xattr support in portage

2014-06-24 Thread Anthony G. Basile
if you ever need to do a revdep-pax to migrate pax flags from a library to the executables that link against it. The disadvantage is that xattr support requires more work and so is more fragile. -- Anthony G. Basile, Ph. D. Chair of Information Technology D'Youville College Buffalo, NY 14201 (716) 829-8197

Re: [gentoo-hardened] Help testing full end-to-end xattr support in portage

2014-06-26 Thread Anthony G. Basile
switching to PAX_XATTR it took a few minutes to compile and then about an hour or two to install because of that python-install-wrapper. So, please Please PLEASE release the C wrapper ASAP! :) -- Anthony G. Basile, Ph. D. Chair of Information Technology D'Youville College Buffalo, NY 14201 (716) 829-8197

Re: [gentoo-hardened] Help testing full end-to-end xattr support in portage

2014-06-28 Thread Anthony G. Basile
d to just doing XATTR_PAX markings. One step at a time ;) -- Anthony G. Basile, Ph. D. Chair of Information Technology D'Youville College Buffalo, NY 14201 (716) 829-8197

Re: [gentoo-hardened] Help testing full end-to-end xattr support in portage

2014-07-03 Thread Anthony G. Basile
On 07/02/14 09:41, Luis Ressel wrote: On Sat, 28 Jun 2014 07:47:26 -0400 "Anthony G. Basile" wrote: There are two advantages to paxctl over paxctl-ng from elfix: 1) It doesn't depend on elfutils to do its manipulation of elf phdr's. 2) It does try to convert or create a

Re: [gentoo-hardened] Help testing full end-to-end xattr support in portage

2014-07-03 Thread Anthony G. Basile
On 07/03/14 06:43, Anthony G. Basile wrote: On 07/02/14 09:41, Luis Ressel wrote: On Sat, 28 Jun 2014 07:47:26 -0400 "Anthony G. Basile" wrote: There are two advantages to paxctl over paxctl-ng from elfix: 1) It doesn't depend on elfutils to do its manipulation of elf phdr

Re: [gentoo-hardened] Help testing full end-to-end xattr support in portage

2014-07-03 Thread Anthony G. Basile
On 07/03/14 06:48, Anthony G. Basile wrote: On 07/03/14 06:43, Anthony G. Basile wrote: On 07/02/14 09:41, Luis Ressel wrote: On Sat, 28 Jun 2014 07:47:26 -0400 "Anthony G. Basile" wrote: There are two advantages to paxctl over paxctl-ng from elfix: 1) It doesn't depend on

Re: [gentoo-hardened] CVE-2014-4699

2014-07-11 Thread Anthony G. Basile
ke into account. -- Anthony G. Basile, Ph.D. Gentoo Linux Developer [Hardened] E-Mail: bluen...@gentoo.org GnuPG FP : 1FED FAD9 D82C 52A5 3BAB DC79 9384 FA6E F52D 4BBA GnuPG ID : F52D4BBA

Re: [gentoo-hardened] CVE-2014-4699

2014-07-11 Thread Anthony G. Basile
any time unmask the newer kernel and use it if it fits better for you. There is no need to stabilize it blindly. Correct. Regards, Balint -- Anthony G. Basile, Ph.D. Gentoo Linux Developer [Hardened] E-Mail: bluen...@gentoo.org GnuPG FP : 1FED FAD9 D82C 52A5 3BAB DC79 9384 FA6E F52D 4BBA GnuPG ID : F52D4BBA

[gentoo-hardened] Help testing the latest hardened sources

2014-07-15 Thread Anthony G. Basile
want that fix in the next stable set so I'm going to accelerate their stabilization. Can you please test these and see if they work for you. I'll shoot for about 1 week. It has been frustrating of late balancing testing with new fixes. I need a new baseline. -- Anthony G. Basil

[gentoo-hardened] Latest stable hardened sources: 3.2.61-r2, 3.14.12-r2, 3.15.5-r2

2014-07-30 Thread Anthony G. Basile
r1, 3.14.12-r1, 3.15.5-r1, but keep the even older stables for people who are comfortable with them. -- Anthony G. Basile, Ph. D. Chair of Information Technology D'Youville College Buffalo, NY 14201 (716) 829-8197

Re: [gentoo-hardened] Problem with (?) hardened-sources-3.15.x on kvm-vm

2014-08-29 Thread Anthony G. Basile
: 64 cache_alignment : 64 address sizes : 40 bits physical, 48 bits virtual power management: We should be doing this in a bug report. I'll cc-pipacs. -- Anthony G. Basile, Ph. D. Chair of Information Technology D'Youville College Buffalo, NY 14201 (716) 829-8197

Re: [gentoo-hardened] Problem with (?) hardened-sources-3.15.x on kvm-vm

2014-08-30 Thread Anthony G. Basile
On 08/29/14 08:23, PaX Team wrote: On 29 Aug 2014 at 7:31, Anthony G. Basile wrote: On 08/29/14 03:32, Marcin Mirosław wrote: On 29.08.2014 at 01:13, Alex Xu wrote: On 28/08/14 05:02 PM, Sven Vermeulen wrote: On Wed, Aug 27, 2014 at 05:34:20PM +0100, André Aparício wrote: I encountered

Re: [gentoo-hardened] GrSecurity: slow learning mode & incomplete policy

2014-09-17 Thread Anthony G. Basile
a proper bug report for this, but let me send this upstream now. -- Anthony G. Basile, Ph. D. Chair of Information Technology D'Youville College Buffalo, NY 14201 (716) 829-8197

Re: [gentoo-hardened] Problem with usb-passthrough using libvirt with hardened-sources-3.15.8

2014-09-17 Thread Anthony G. Basile
etc. Some options are too strict for a virt environment. Having said that, though, if usb is the only thing not working, I suspect that maybe it's some misconfiguration in the host/client Kconfigs for kvm not related to hardened. -- Anthony G. Basile, Ph. D. Chair of Information Technology D'

Re: [gentoo-hardened] Re: nginx worker crashes, grsec denial

2014-10-27 Thread Anthony G. Basile
i and cffi, etc. -- Anthony G. Basile, Ph. D. Chair of Information Technology D'Youville College Buffalo, NY 14201 (716) 829-8197

Re: [gentoo-hardened] gcc without fortran useflag and ekopath

2014-11-12 Thread Anthony G. Basile
don't want fortran so we have it off. It is not problematic. Just add it to your global use flags and recompile gcc. -- Anthony G. Basile, Ph. D. Chair of Information Technology D'Youville College Buffalo, NY 14201 (716) 829-8197

Re: [gentoo-hardened] [PATCH] fix sys-process/cronie compilation under gentoo+musl

2014-11-15 Thread Anthony G. Basile
Opening a bug report is probably the way to go with those. -- Anthony G. Basile, Ph. D. Chair of Information Technology D'Youville College Buffalo, NY 14201 (716) 829-8197

Re: [gentoo-hardened] XATTR_PAX, paxmark.sh, elog, icedtea, and maybe more

2014-12-18 Thread Anthony G. Basile
ext3 user_xattr 0 1 It's automatic on ext4. `man mount` for more info. Please let me know if this works for you. Is that in the Pax_Quickstart? If not we should add it. -- Anthony G. Basile, Ph. D. Chair of Information Technology D'Youville College Buffalo, NY 14201 (716) 829-8197

[gentoo-hardened] missing the meeting

2014-12-18 Thread Anthony G. Basile
user.* --acls -xjpvf works to get us all the xattr goodies we need for hardened and gentoo in general. We should try to discuss 1 soon-ish before Cthulhu awakens and madness reigns in gentoo. -- Anthony G. Basile, Ph. D. Chair of Information Technology D'Youville College Buffalo, NY 14201 (716) 829-8197

Re: [gentoo-hardened] XATTR_PAX, paxmark.sh, elog, icedtea, and maybe more

2014-12-19 Thread Anthony G. Basile
On 12/19/14 01:51, James Taylor wrote: On 2014/12/19 17:08, Karl-Johan Karlsson wrote: On Thu 18 Dec 2014 19.58.11 Anthony G. Basile wrote: On 12/13/14 18:52, Karl-Johan Karlsson wrote: So it works on ext4, but not ext3, even though both have

Re: [gentoo-hardened] missing the meeting

2014-12-19 Thread Anthony G. Basile
On 12/18/14 20:36, Matthew Thode wrote: On 12/18/2014 07:09 PM, Anthony G. Basile wrote: Hi fellow hardened devs: I'm sorry for missing the meeting but things came up and the day got hectic. It is an important meeting because we were to discuss: 1) what we want with toolchain.eclass -

Re: [gentoo-hardened] XATTR_PAX, paxmark.sh, elog, icedtea, and maybe more

2014-12-21 Thread Anthony G. Basile
easier to properly track bugs that way. You can always discuss bugs on the list (or anywhere you can catch me like IRC) but having the report in bugs.g.o leaves behind a historical memory of what we did. -- Anthony G. Basile, Ph. D. Chair of Information Technology D'Youville College Bu

Re: [gentoo-hardened] [PATCH] sys-libs/pam: Fixed building under musl using patchset from Alpine Linux -- this time in an attachment

2015-02-23 Thread Anthony G. Basile
use https://bugs.gentoo.org/ Um, no they are not! There are lots of mailing lists which are specifically for patches. But since these are for musl, it's best to email them to me directly: bluen...@gentoo.org. James, thanks for the patches. -- Anthony G. Basile, Ph. D. Chair of Information

Re: [gentoo-hardened] [PATCH] sys-libs/pam: Fixed building under musl using patchset from Alpine Linux -- this time in an attachment

2015-02-23 Thread Anthony G. Basile
On 02/23/15 07:25, Anthony G. Basile wrote: On 02/20/15 21:10, Alex Efros wrote: Hi! On Sat, Feb 21, 2015 at 12:45:57AM +1100, James Taylor wrote: Not sure if there is any preferred method for sending patches, but here's a second attempt with an attachment :) I'm afraid any

Re: [gentoo-hardened] heads up: hardened-sources-4.1.4 panic on boot

2015-08-21 Thread Anthony G. Basile
r from bugzilla and reload page with re-sending POST. It happens. Anyhow, can people please test 4.1.6. I'll rapid stabilize it but I don't want to trade one issue for another. -- Anthony G. Basile, Ph. D. Chair of Information Technology D'Youville College Buffalo, NY 14201 (716) 829-8197

Re: [gentoo-hardened] heads up: hardened-sources-4.1.4 panic on boot

2015-08-23 Thread Anthony G. Basile
On 8/22/15 4:31 AM, PaX Team wrote: On 21 Aug 2015 at 21:14, Anthony G. Basile wrote: Anyhow, can people please test 4.1.6. I'll rapid stabilize it but I don't want to trade one issue for another. is there some new issue on 4.1.6 that is not in 4.1.4 or is it just out of cauti

[gentoo-hardened] The state of grsecurity in gentoo

2015-09-02 Thread Anthony G. Basile
just happened, they'll come back to the table and talk with Grsec/PaX people. They won't be able to ship boards with grsec anymore because it's not so easy to switch out a kernel on a board! If they ship a board with a bug, they lose. We just reboot :) [1] https://grsecurity.net/ --

Re: [gentoo-hardened] The state of grsecurity in gentoo

2015-09-05 Thread Anthony G. Basile
On 9/5/15 5:44 AM, Marc Schiffbauer wrote: * Anthony G. Basile wrote on 02.09.15 at 18:13: Hi everyone, So by now most people have heard the news that the Grsecurity/PaX team are no longer going to be making their stable patches available. The reason is that they are in dispute with a

[gentoo-hardened] Email list for Gentoo on Musl

2015-09-05 Thread Anthony G. Basile
is message wasn't too intrusive but hopefully this will direct discussion to where discussion belongs. -- Anthony G. Basile, Ph. D. Chair of Information Technology D'Youville College Buffalo, NY 14201 (716) 829-8197

[gentoo-hardened] Release 20151015 of hardened amd64 Gentoo desktop with musl.

2015-10-19 Thread Anthony G. Basile
kages which you can optionally install. This release was built using our hardened gcc-4.9.3 compiler while the previous was built using 4.8.5. For comparative study, I also release nearly identical systems built with glibc and uClibc. -- Anthony G. Basile, Ph. D. Chair of Information Techn

[gentoo-hardened] Re: hardened-sources-4.4.8-r1 mad COW patched?

2016-10-25 Thread Anthony G. Basile
r not be a backported patch you should ask blueness but my guess is > that there won't be one unless somebody provides such backported patch > to blueness. > > I'm CCing the Gentoo Hardened user list as other users may be able to > provide more and better input on this. >

[gentoo-hardened] The status of grsecurity upstream and hardened-sources downstream

2017-06-23 Thread Anthony G. Basile
month and then send out a news item and later mask hardened-sources for removal. I don't recommend we remove any of the machinery from Gentoo that deals with PaX markings. I welcome feedback. -- Anthony G. Basile, Ph.D. Gentoo Linux Developer [Hardened] E-Mail: bluen...@gentoo.org G
