Monday, January 10, 2005

Hardened 2.6.10 kernel from Gentoo soon

Linux users fall into three basic groups when it comes to the kernel. First, there are those who just use what the distribution supplies. Second, there are those who choose or build their own patchset. And finally, there are vanilla users who just grab the stock release and use that.

From a security standpoint, it is usually better to use a patchset, whether it be your distribution's default kernel or something elaborate like Con Kolivas' or Alan Cox' patchsets, or your own rolled on top of those. Usually these patchsets contain numerous security fixes for vulnerabilities discovered after a stable release; and with the 2.6 development model, waiting for the next release could always mean more potential bugs.

The Hardened Gentoo team supplies a kernel on Gentoo Linux known as hardened-dev-sources. With the upcoming PaX release and a new GrSecurity, h-d-s is finally moving up to 2.6.10. This brings several security fixes and enhancements.

The new h-d-s includes the 2.6.10-ac8 patch, which brings numerous hardware and security fixes to 2.6.10. This fixes a number of vulnerabilities, including several found by the GrSecurity and PaX developers. The random poolsize sysctl integer overflow, RLIMIT_MEMLOCK bypass DoS, and SCSI IOCTL integer overflow are all fixed, as well as many others.

Capabilities are flags assigned to processes that grant specific pieces of administrative access to the system, such as CAP_SYS_BOOT (shutdown/reboot) and CAP_SYS_MODULE (load modules). Included in h-d-s are LSM capability fixes for a local root exploit and a patch to enforce common sense in kernel configuration. The first patch is a vulnerability fix, while the second prevents capabilities from being built as a module. All standard Linux systems use capabilities as a major control barrier.

Many programs with privileged (root) access drop capabilities when they start, to reduce the damage possible if they are hijacked. When the capability module is loaded, all running privileged programs are given all capabilities. Programs which would have dropped caps are now running with full privileges. This means that any init scripts and services started before the capabilities module is loaded may suffer privilege elevation relative to their normal running mode. For this reason, capabilities should be built into the kernel, not as a module, if they are going to be used.
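To make the capability-dropping behaviour concrete, here is an added example (it is not code from h-d-s, Gentoo, or the kernel patches discussed). It uses the raw capget/capset syscalls rather than libcap so it builds with nothing but glibc and the kernel headers; the header version constant and the CAP_SYS_MODULE/CAP_SYS_BOOT numbers come from linux/capability.h. The function and variable names are my own. After dropping the two capabilities it re-reads CapEff from /proc/self/status, which is the same check you would run against a long-lived service on a box where the capability LSM is built in: the dropped bits should stay dropped for the life of the process.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* Return 1 if capability number `cap` is set in a 64-bit capability mask. */
int has_cap(uint64_t mask, int cap)
{
    return (int)((mask >> cap) & 1ULL);
}

/* Return `mask` with capability number `cap` cleared. */
uint64_t cap_mask_without(uint64_t mask, int cap)
{
    return mask & ~(1ULL << cap);
}

/* Parse the "CapEff:" line out of a buffer shaped like /proc/<pid>/status.
   Returns 0 and stores the mask in *out, or -1 if the line is absent/malformed. */
int parse_cap_eff(const char *status, uint64_t *out)
{
    const char *p = strstr(status, "CapEff:");
    if (p == NULL)
        return -1;
    p += strlen("CapEff:");
    while (*p == ' ' || *p == '\t')
        p++;
    unsigned long long v;
    if (sscanf(p, "%llx", &v) != 1)
        return -1;
    *out = (uint64_t)v;
    return 0;
}

/* Read this process's effective capability mask from /proc/self/status. */
int read_own_cap_eff(uint64_t *out)
{
    static char buf[8192];
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL)
        return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_cap_eff(buf, out);
}

/* Drop the listed capabilities from the effective, permitted and inheritable
   sets using the v3 capget/capset interface (two 32-bit words per set).
   Returns 0 on success, -1 on syscall failure. */
int drop_caps(const int *caps, size_t ncaps)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    memset(data, 0, sizeof data);
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    for (size_t i = 0; i < ncaps; i++) {
        unsigned idx = (unsigned)caps[i] / 32;
        uint32_t bit = 1u << ((unsigned)caps[i] % 32);
        data[idx].effective   &= ~bit;
        data[idx].permitted   &= ~bit;   /* permitted cannot be regained later */
        data[idx].inheritable &= ~bit;
    }
    if (syscall(SYS_capset, &hdr, data) != 0)
        return -1;
    return 0;
}

int main(void)
{
    const int to_drop[] = { CAP_SYS_MODULE, CAP_SYS_BOOT };
    uint64_t before = 0, after = 0;

    read_own_cap_eff(&before);
    if (drop_caps(to_drop, 2) != 0) {
        perror("capset");
        return 1;
    }
    read_own_cap_eff(&after);

    printf("CapEff before: %016llx  after: %016llx\n",
           (unsigned long long)before, (unsigned long long)after);
    printf("CAP_SYS_MODULE: %d -> %d, CAP_SYS_BOOT: %d -> %d\n",
           has_cap(before, CAP_SYS_MODULE), has_cap(after, CAP_SYS_MODULE),
           has_cap(before, CAP_SYS_BOOT), has_cap(after, CAP_SYS_BOOT));
    return 0;
}
```

Run it as root to see the two bits disappear from CapEff; as an unprivileged user both masks are already zero and the drop is a no-op. The permitted set is cleared along with the effective set on purpose: a process that only clears effective bits can put them back, which defeats the point of dropping them at startup.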

A local DoS in the i810 DRM (CAN-2004-1056) code was also fixed in h-d-s, preventing users from crashing X and displaying odd things on the screen. Support for a.out binaries is also disabled by default; modern Linux distributions run a pure ELF system. And of course, h-d-s features GrSecurity.

The h-d-s kernel also features netdev-random, a patch to gather entropy from network interrupt timing. Network interrupts occur whenever the network card receives data. The path of a packet between a server and a client is often littered with routers interacting with other network requests, and can be affected by electromagnetic noise as well. It is fairly infeasible for network interrupt timing to be significantly manipulated from outside the machine, so this should be a good alternate source of entropy for /dev/random.

Aside from that, various hardware fixes—especially for sparc—are in h-d-s, along with VM patches to make the OOM killer more friendly; IP connection tracking fixes; squashfs; and a fix to the Deadline I/O Scheduler. Overall, the upcoming h-d-s release for 2.6.10 looks to be well rounded. It will be released soon, so Gentoo users should keep an eye out.
