Mailing List Archive: Gentoo: Hardened

hardened-sources-3.2.6 problems

Index | Next | Previous | View Threaded

atoth at atoth

Feb 24, 2012, 1:32 AM

Post #1 of 4 (548 views)
Permalink

hardened-sources-3.2.6 problems

I'm using grsecurity and I've experienced problems with
hardened-sources-3.2.6 recently. I compiled and installed the kernel the
day before.
It seems to me the kernel incorrectly detects the UID of processes, which
is painful for some daemons. That caused denials because of the RBAC
system. Booting hardened-sources-3.2.5 solves the problem.
I essentially experienced the problem in conjunction to the mail system. I
use Sendmail as an MTA and Dovecot for IMAP. The daemons couldn't perform
their tasks, because the kernel thought they try to do everything as root.
Even after change to another user (mail or dovecot). It seems the kernel
incorrectly recognized the change of the UID.
I suspect the problem is related to the security features of the kernel.
But I thought it would be good to inform the list about this.

Regards:
Dw.
--
dr TÃ³th Attila, RadiolÃ³gus, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057

pageexec at freemail

Feb 24, 2012, 4:36 AM

Post #2 of 4 (524 views)
Permalink

Re: hardened-sources-3.2.6 problems [In reply to]

On 24 Feb 2012 at 10:32, "Tóth Attila" wrote:
> Even after change to another user (mail or dovecot). It seems the kernel
> incorrectly recognized the change of the UID.

wasn't that already fixed with:

commit 4fd554e3a097b22c5049fcdc423897477deff5ef
Author: Brad Spengler <spender [at] grsecurity>
Date: Mon Feb 20 09:17:57 2012 -0500

Fix wrong logic on capability checks for switching roles, broke policies
Thanks to Richard Kojedzinszky for reporting

basile at opensource

Feb 25, 2012, 11:40 AM

Post #3 of 4 (523 views)
Permalink

Re: hardened-sources-3.2.6 problems [In reply to]

On 02/24/2012 07:36 AM, PaX Team wrote:
> On 24 Feb 2012 at 10:32, "Tóth Attila" wrote:
>> Even after change to another user (mail or dovecot). It seems the kernel
>> incorrectly recognized the change of the UID.
>
> wasn't that already fixed with:
>
> commit 4fd554e3a097b22c5049fcdc423897477deff5ef
> Author: Brad Spengler<spender [at] grsecurity>
> Date: Mon Feb 20 09:17:57 2012 -0500
>
> Fix wrong logic on capability checks for switching roles, broke policies
> Thanks to Richard Kojedzinszky for reporting
>

I'm testing 3.2.7 right now. I'll have it up soon.

@pipacs, I've had reports of 3.2.2-r1 kernels having problems booting.
idl0r gave me a bzImage which will not boot in qemu. Using the same
kernel config, 3.2.7 *will* boot. The problem occurs shortly after
decompression but before any early printk. Is this a known issue that
has been fixed or should I continue to try to isolate the problem? As I
said it seems to be gone in later kernels.

our hardened-sources-3.2.2-r1 = grsecurity-2.2.2-3.2.2-201201272014

the 3.2.7 which I will put up in a bit is the very latest which came out
today.

--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197

pageexec at freemail

Feb 25, 2012, 12:18 PM

Post #4 of 4 (523 views)
Permalink

Re: hardened-sources-3.2.6 problems [In reply to]

On 25 Feb 2012 at 14:40, Anthony G. Basile wrote:

> @pipacs, I've had reports of 3.2.2-r1 kernels having problems booting.
> idl0r gave me a bzImage which will not boot in qemu. Using the same
> kernel config, 3.2.7 *will* boot. The problem occurs shortly after
> decompression but before any early printk. Is this a known issue that
> has been fixed or should I continue to try to isolate the problem? As I
> said it seems to be gone in later kernels.

hmm, i don't recall such issues but if you can get me a bzImage and vmlinux
i can take a look and tell you what it is.

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads