On 04/13/2017 10:00 PM, Reg Tiangha wrote:
> On 04/13/2017 09:33 PM, cooloutac wrote:
>> On Thursday, April 13, 2017 at 11:26:07 PM UTC-4, cooloutac wrote:
>>> So probably the kernels are not actually vulnerable. They fixed it a year
>>> ago with patches, and with Qubes you assume this sort of priv escl thing
>>> regardless which is why they don't even bother with sudo.
>> Actually when it comes to Red Hat they claim the code was never there to
>> exploit. But Red Hat might not apply to Fedora kernel so I'm kind of curious
>> myself now.
>>
> For those who are concerned, this is what is currently in the Qubes
> repository for dom0:
>
> current: kernel-4.4.38, kernel-qubes-vm-4.4.38
>
> current-testing: kernel-4.4.55, kernel-qubes-vm-4.4.55
>
>
> From what I can tell, the Qubes Kernel is built from the stock kernel
> source, so if this bug was fixed months ago, you could probably install
> either and be fine (assuming you're running R3.2).
>
>
> If you're really paranoid, you can build the latest 4.4 kernel (as of
> now, it's 4.4.61) yourself and install via rpm with very little
> modification using the existing Qubes build scripts.
>
> Assuming you have a Fedora 23 VM with git, gcc and make installed (maybe
> a few other things; I'm not sure), run:
>
> git clone https://github.com/QubesOS/qubes-linux-kernel.git
>
> - Switch to the 4.4 branch:
>
> git checkout stable-4.4
>
> - Edit the 'version' file and replace 4.4.55 with 4.4.61
>
> - Then compile:
>
> make rpms
>
> And then copy the kernel and kernel-qubes-vm rpms to dom0 and install
> them there using rpm or dnf.
>
> I just did it myself with the 4.4 branch and it builds fine. I haven't
> installed it though since I run 4.10 (which is a bit more involved since
> some of the patches need to be migrated; I've been applying them by hand
> using diff -Nuar so I just need to figure out how to create a patch file
> *properly* that doesn't require manual intervention, and then I'll
> probably throw up my work on GitHub so others can use it for both 4.9
> and 4.10; this GitHub stuff and figuring out how to patch things isn't
> my forte yet).
>
>

Actually, you'll need a few more things, most notably
qubes-kernel-vm-support. I believe that package will pull in everything
you need to compile a kernel for Qubes. If you're going to attempt to
build a 4.9 kernel or higher, grab version 3.2.4 (install both in your
build vm and dom0) out of current-testing since it hasn't been pushed
into stable yet and 3.2.3 only works with kernels up to 4.8.
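
The build steps from the message above, collected into one script with a guard on the version edit. This is an added example, not part of the original thread or of the Qubes build scripts; the function names are hypothetical, and it assumes the 'version' file holds the kernel version on a single line and that git, gcc, make and qubes-kernel-vm-support are already installed in the build VM.

```shell
#!/bin/sh
# Added example: the build steps from the thread as one guarded script.
# Assumption: the 'version' file holds the kernel version on a single line.

REPO_URL="https://github.com/QubesOS/qubes-linux-kernel.git"
BRANCH="stable-4.4"

# Replace OLD with NEW in DIR/version, but only if the file really holds OLD.
# Refusing on a mismatch avoids silently building a different kernel than
# intended when the branch has moved on since the instructions were written.
set_kernel_version() {
    dir=$1 old=$2 new=$3
    [ -f "$dir/version" ] || { echo "no version file in $dir" >&2; return 2; }
    cur=$(tr -d '[:space:]' < "$dir/version")
    if [ "$cur" = "$new" ]; then
        return 0                      # already at the target, nothing to do
    fi
    if [ "$cur" != "$old" ]; then
        echo "version is '$cur', expected '$old'; not editing" >&2
        return 1
    fi
    printf '%s\n' "$new" > "$dir/version"
}

# Clone, switch branch, bump the version, build, and list the resulting RPMs.
build_qubes_kernel() {
    old=$1 new=$2 workdir=${3:-qubes-linux-kernel}
    git clone "$REPO_URL" "$workdir" || return 1
    ( cd "$workdir" &&
      git checkout "$BRANCH" &&
      set_kernel_version . "$old" "$new" &&
      make rpms &&
      find . -name '*.rpm' -print )
}

# Usage (inside the Fedora 23 build VM): build_qubes_kernel 4.4.55 4.4.61
```

The kernel and kernel-qubes-vm rpms it lists are the ones to copy to dom0 and install with rpm or dnf.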
