Here is the output of the script with gcc 4.4.4-r1.

sh checksec.sh --file /bin/grep
RELRO        STACK CANARY    NX           PIE           FILE
Full RELRO   Canary found    NX enabled   PIE enabled   /bin/grep
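As an added example (not part of the original message and not checksec.sh itself), the script below reimplements the four checks behind that output by reading the ELF headers directly: PT_GNU_STACK for NX, ET_DYN for PIE, PT_GNU_RELRO plus BIND_NOW for full RELRO, and the dynamic string table for __stack_chk_fail as the canary test. Because it has to run offline, it also builds small constructed ELF64 images with the hardening flags chosen per call instead of reading /bin/grep; the function names and the sample builder are illustrative assumptions.

```python
import struct
from dataclasses import dataclass

# ELF constants from elf.h; only what the four checks need.
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_DYNAMIC = 1, 2
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_STRTAB, DT_STRSZ, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 5, 10, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, DF_1_PIE = 0x8, 0x1, 0x08000000


@dataclass
class Hardening:
    relro: str      # "Full RELRO" / "Partial RELRO" / "No RELRO"
    canary: bool    # __stack_chk_fail referenced
    nx: bool        # PT_GNU_STACK present and not executable
    pie: bool       # ET_DYN (or DF_1_PIE when the linker set it)


def _phdrs(data):
    e_phoff, = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    for i in range(e_phnum):
        # (p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align)
        yield struct.unpack_from("<IIQQQQQQ", data, e_phoff + i * e_phentsize)


def _vaddr_to_offset(loads, vaddr):
    for _, _, p_offset, p_vaddr, _, p_filesz, _, _ in loads:
        if p_vaddr <= vaddr < p_vaddr + p_filesz:
            return vaddr - p_vaddr + p_offset
    raise ValueError("vaddr %#x is not backed by any PT_LOAD" % vaddr)


def _dynamic(data, dyn_phdr):
    """Read the .dynamic entries (tag -> first value) up to DT_NULL."""
    entries = {}
    off, end = dyn_phdr[2], dyn_phdr[2] + dyn_phdr[5]
    while off + 16 <= end:
        tag, val = struct.unpack_from("<qQ", data, off)
        if tag == DT_NULL:
            break
        entries.setdefault(tag, val)
        off += 16
    return entries


def inspect_elf(data: bytes) -> Hardening:
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    e_type, = struct.unpack_from("<H", data, 16)
    phdrs = list(_phdrs(data))
    loads = [p for p in phdrs if p[0] == PT_LOAD]
    stack = [p for p in phdrs if p[0] == PT_GNU_STACK]
    dyn = next((p for p in phdrs if p[0] == PT_DYNAMIC), None)
    entries = _dynamic(data, dyn) if dyn else {}

    # NX: the loader honours PT_GNU_STACK. An executable flag, or no such
    # header at all (old toolchains), means the stack is executable.
    nx = bool(stack) and not any(p[1] & PF_X for p in stack)
    # PIE: checksec's test is ET_DYN; DF_1_PIE from newer linkers confirms it.
    pie = e_type == ET_DYN or bool(entries.get(DT_FLAGS_1, 0) & DF_1_PIE)
    # RELRO: PT_GNU_RELRO alone is partial; with BIND_NOW the GOT is fully
    # resolved before the segment is remapped read-only, so it is full.
    if any(p[0] == PT_GNU_RELRO for p in phdrs):
        bind_now = (DT_BIND_NOW in entries
                    or entries.get(DT_FLAGS, 0) & DF_BIND_NOW
                    or entries.get(DT_FLAGS_1, 0) & DF_1_NOW)
        relro = "Full RELRO" if bind_now else "Partial RELRO"
    else:
        relro = "No RELRO"
    # Canary: checksec greps the symbols for __stack_chk_fail; here we look
    # for that name in the dynamic string table the imports point into.
    canary = False
    if DT_STRTAB in entries and DT_STRSZ in entries:
        start = _vaddr_to_offset(loads, entries[DT_STRTAB])
        canary = b"\0__stack_chk_fail\0" in data[start:start + entries[DT_STRSZ]]
    return Hardening(relro, canary, nx, pie)


def summarize(h: Hardening) -> str:
    """Render one line in the same wording checksec.sh uses."""
    return ", ".join([h.relro,
                      "Canary found" if h.canary else "No canary found",
                      "NX enabled" if h.nx else "NX disabled",
                      "PIE enabled" if h.pie else "No PIE"])


def build_sample_elf(*, pie, nx, relro, bind_now, canary) -> bytes:
    """Constructed sample: a header-only ELF64 image (no code) with the
    requested flags. One PT_LOAD maps the whole file at vaddr 0, so
    virtual addresses equal file offsets."""
    names = [b"", b"libc.so.6", b"__stack_chk_fail" if canary else b"puts"]
    dynstr = b"\0".join(names) + b"\0"
    phnum = 4 if relro else 3
    dynstr_off = 64 + 56 * phnum
    dyn_off = (dynstr_off + len(dynstr) + 7) & ~7
    dyn = [(DT_STRTAB, dynstr_off), (DT_STRSZ, len(dynstr))]
    if bind_now:
        dyn.append((DT_FLAGS, DF_BIND_NOW))
    if pie:
        dyn.append((DT_FLAGS_1, DF_1_PIE))
    dyn.append((DT_NULL, 0))
    dyn_bytes = b"".join(struct.pack("<qQ", t, v) for t, v in dyn)
    total = dyn_off + len(dyn_bytes)

    def phdr(p_type, p_flags, offset, size):
        return struct.pack("<IIQQQQQQ", p_type, p_flags, offset, offset, offset, size, size, 8)

    phdrs = [phdr(PT_LOAD, PF_R | PF_X, 0, total),
             phdr(PT_DYNAMIC, PF_R | PF_W, dyn_off, len(dyn_bytes)),
             phdr(PT_GNU_STACK, PF_R | PF_W | (0 if nx else PF_X), 0, 0)]
    if relro:
        phdrs.append(phdr(PT_GNU_RELRO, PF_R, dyn_off, len(dyn_bytes)))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, ET_DYN if pie else ET_EXEC,
                       0x3E, 1, 0, 64, 0, 0, 64, 56, phnum, 0, 0, 0)
    pad = b"\0" * (dyn_off - dynstr_off - len(dynstr))
    image = ehdr + b"".join(phdrs) + dynstr + pad + dyn_bytes
    assert len(image) == total
    return image


if __name__ == "__main__":
    hardened = build_sample_elf(pie=True, nx=True, relro=True, bind_now=True, canary=True)
    weak = build_sample_elf(pie=False, nx=False, relro=False, bind_now=False, canary=False)
    print("hardened:", summarize(inspect_elf(hardened)))
    print("weak:    ", summarize(inspect_elf(weak)))
```

To run it on a real binary, pass the file contents to inspect_elf (for example open("/bin/grep", "rb").read()). Two caveats a practitioner should keep in mind: a shared library is also ET_DYN, so ET_DYN without DF_1_PIE only means "position-independent", and a statically linked binary has no dynamic string table, so the canary check here would have to fall back to the regular symbol table as checksec.sh does.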
On Thu, Jul 1, 2010 at 19:12, Radoslaw Madej wrote:
> On Thurs
I am using 4.4.4-r1 from tree and have been for about a month. I think
there is something in binutils holding it back but Zorry would know more.
This is on AMD64.
On Mon, Aug 9, 2010 at 17:47, Mike Williams wrote:
> Hey guys,
>
> I need to upgrade a bunch of packages shortly, which means takin
Most stuff is done directly in tree now. I had to remove the
hardened-dev overlay to get the right GCC. This is all for plain
hardened though.
Matthew Thode
On 09/02/10 06:26, "Tóth Attila" wrote:
> I do not really see gcc-4.4.4-r2. I am only aware of gcc-4.4.4-r1. I'm usin
Disable kernexec and uderef on host for both AMD and Intel.
You can enable kernexec and uderef on AMD guests.
You can enable kernexec but not uderef on Intel guests.
The Intel processors tested were the Core 2 Duo, i3 and i7.
-- prometheanfire
signature.asc
Description: OpenPGP digital signature
I had this issue with vanilla 2.6.32.27 patched with the 2.6.32.27 grsec
patch (2-3 days ago).
On Thu, Jan 13, 2011 at 14:38, "Tóth Attila" wrote:
> Compiling the recent hardened-sources results in the following error
> message, when irda is enabled:
>
> CC net/irda/af_irda.o
> net/irda/af
Spender said he just fixed that VERY recently.
On Thu, Jan 13, 2011 at 15:10, Matthew Thode wrote:
> I had this issue with vanilla 2.6.32.27 patched with the 2.6.32.27 grsec
> patch (2-3 days ago).
>
>
> On Thu, Jan 13, 2011 at 14:38, "Tóth Attila" wrote:
>
>
I can also verify that I used ipv6 to get the cert with he.net (with them as
the tunnel broker) for whatever that's worth.
-- Matthew Thode
On Tue, Feb 15, 2011 at 07:17, Tom Hendrikx wrote:
> On 15/02/11 12:53, Ed W wrote:
> >
> >>> Tests done by a colleague show t
I run fully dual-stacked on my network at home just fine; ip6tables and
filtering at the gateway work for me. As far as IPv6-specific
vulnerabilities go, I think that would be the price to pay (if we decide to go
down this route).
-- Matthew Thode
On Tue, Feb 15, 2011 at 10:52, Alex Efros wrote
From what I can tell here, PIC is nearly built into amd64. It should
be used by default on amd64 and I think it has to be explicitly
disabled (ffmpeg). So, you can run -pic on all amd64 and get nearly
the same result as +pic on amd64.
-- Prometheanfire
On Mon, Feb 28, 2011 at 15:39, Daniel Re
I run no-multilib and can offer to test postgres standalone for you.
But given that I run no-multilib I do not know if I can help until
that bug is fixed.
-- Matthew Thode
On Thu, Mar 17, 2011 at 17:33, Sven Vermeulen wrote:
> On Thu, Mar 17, 2011 at 01:14:02PM -0400, Anthony G. Basile wr
On Mon, 06 Jun 2011 16:38:06 -0400
Michael Orlitzky wrote:
> On 06/06/2011 03:54 PM, Sven Vermeulen wrote:
> >
> > The last one now is of 20110602, which is fairly recent.
> >
> > The autobuilds are not always created successfully. Updates on
> > compilers or other toolchain changes might affec
sendmail_exec_t:file execute;
-- Matthew Thode
/sbin/rc-update" dev=vda3 ino=7033
scontext=system_u:system_r:puppet_t
tcontext=system_u:object_r:initrc_notrans_exec_t tclass=file
I don't see selinux-puppet-2.20101213-r1 in the overlay.
-- Matthew Thode
On 7/11/11 7:17 AM, "Sven Vermeulen" wrote:
>On Sun, Jul 10, 2
sed by GRKERNSEC_KMEM, not /dev noexec, and is apparently harmless
> (however, I use v86d[x86emu], so YMMV).
>
Is there a bug open for this?
--
-- Matthew Thode (prometheanfire)
pointer dereference"
> in i915_gem_execbuffer_reserve when starting X.
>
> I'll submit a bug shortly.
>
must be why I never hit it (I enable kernexec but leave uderef disabled
for virt).
--
-- Matthew Thode (prometheanfire)
very well of late.
>
> Uh! Even with kernexec, uderef, mprotect etc., with both
> hardened host and guests, and without the horrible slowness?
>
> If this is true maybe I would be one of the happiest folk of the world...
>
I run Hardened host/guest with only ude
dened on all my systems (desktop/laptop and server).
worksforme
--
-- Matthew Thode (prometheanfire)
s). We will have to
enable it eventually; sooner is probably better than later, I think.
--
-- Matthew Thode (prometheanfire)
On 06/25/2012 09:37 AM, Sven Vermeulen wrote:
> On Mon, Jun 25, 2012 at 08:58:49AM -0500, Matthew Thode wrote:
>> I use IPv6 on all my servers (not that everyone does). We will have to
>> enable it eventually; sooner is probably better than later, I think.
>
> It's a de
On 06/25/2012 10:03 PM, Alex Efros wrote:
> Hi!
>
> On Mon, Jun 25, 2012 at 08:58:49AM -0500, Matthew Thode wrote:
>>> I'm alerting users so that you can make whatever changes you like to
>>> ipv6 in your /etc/make.conf. In about 24 hours I will turn on by
ns before I ask infrastructure to
> synchronize it with the mirrors to allow users to test it out as well.
>
> The compressed image is about 157Mbyte and expands to about 1.4 Gbyte
> (qcow2 format).
>
> Wkr,
> Sven Vermeulen
>
>
What is the full command line yo
probably go with some hardware RNG solution if you determine this to be
that much of a risk.
Since you can keep HTTP connections open for long periods of time with
HTTP/1.1, that can also be used to help mitigate some exhaustion (rate
limit people). In fact, rate limiting in general is probably good.
--
-- Matthew Thode (prometheanfire)
ensource.dyc.edu/tinhat
> Downloads: http://opensource.dyc.edu/tinhat-downloads
>
I still want you to include TRESOR support :D
http://en.wikipedia.org/wiki/TRESOR
--
-- Matthew Thode (prometheanfire)
lock open
> } ;
>allow user_t default_context_t : file { ioctl read getattr lock open } ;
>
Can you give us the command you were trying to run (for instance 'sudo
-r sysadm_r -t sysadm_t repoman manifest')?
Also, run 'rlpkg -a -r' just in case (I know you said you did it, but do it
again anyway :D).
--
-- Matthew Thode (prometheanfire)
rtualization was slow on grsec/pax with either uderef or
kernexec enabled. Pipacs overcame this limitation in 3.5.4-r1 and
overcame a memory commit issue kvm was having in 3.5.4-r2. He overcame
it using nested page tables on newer CPUs, which means older CPUs will
likely still be slow.
--
--
;
> So does r8 need a newer kernel or a newer setools package or what might
> be happening here?
>
> I have kernel 3.5.4-hardened-r1 and setools-3.3.7-r3 from the stable tree.
>
do you have CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX set in the
kernel to anything?
--
to see the information go away...
>
I don't think it should go away, just have a quickstart and a deepdive.
--
-- Matthew Thode (prometheanfire)
which use Windows as host OS; etc.
>
> I have no Windows license to test this, but as far as I found these
> drivers should be signed:
>
> https://alt.fedoraproject.org/pub/alt/virtio-win/latest/
>
> - Matthias-Christian
>
I've used Fedora's virtio drivers with Windows 8 before (Windows 8.1,
actually).
--
-- Matthew Thode (prometheanfire)
the faster you
> can develop documents a bit more easily than currently with GuideXML & CVS.
>
> Wkr,
> Sven Vermeulen
>
You should already have mine :P
--
-- Matthew Thode (prometheanfire)
the root of problem?
> (gcc is: gcc version 4.7.3 (Gentoo Hardened 4.7.3-r1 p1.4, pie-0.5.5) ,
> with ld.gold)
>
> Marcin
>
I'll test a 3.15.10-r1 kernel today sometime, anything I can do to
reproduce specifically?
--
-- Matthew Thode (prometheanfire)
before Cthulhu awakens and madness
> reigns in gentoo.
>
regarding 1: a refactoring is in order probably, but what are the
specific complaints?
regarding 2: The thing we need to ask is if we want to ask users to run
that to extract stage3 tarballs, instead of -xf and the like.
--
-- Matthew Thode (prometheanfire)
On 12/19/2014 12:02 AM, Sven Vermeulen wrote:
>
> On Dec 19, 2014 2:38 AM, "Matthew Thode" wrote:
>>
>> On 12/18/2014 07:09 PM, Anthony G. Basile wrote:
>> > 2) what to do about tar and POSIX capabilities in the
bug, they lose. We just reboot :)
>>
>> [1] https://grsecurity.net/
>
> Can't Gentoo be a sponsor? I think we could easily crowdfund a
> sponsorship.
>
> This would help Gentoo and Grsecurity/PaX, but OTOH that vendor might just
> use the Gentoo kernel if they haven't already done so.
>
> Thoughts?
>
We can't do that because it would make the LTS patches public, which
spender is trying to avoid.
--
-- Matthew Thode (prometheanfire)