Re: item for kernel meeting -- NX emulation
hello Kees,

On Fri, 29 Oct 2010, Kees Cook wrote:
> Thanks for adding this to the agenda! I've added details about both AppArmor and the nx-emulation bits to the wiki page. Let me know if you've got any questions.

Do you know if newly split out 32bit-mmap-exec-randomization has a chance of going upstream or has already been submitted?

thanks

--
maks

--
To UNSUBSCRIBE, email to debian-kernel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20101102150413.ga...@stro.at
Re: item for kernel meeting -- NX emulation
On Tue, Nov 02, 2010 at 04:04:13PM +0100, maximilian attems wrote:
> hello Kees,
>
> On Fri, 29 Oct 2010, Kees Cook wrote:
> > Thanks for adding this to the agenda! I've added details about both AppArmor and the nx-emulation bits to the wiki page. Let me know if you've got any questions.
>
> Do you know if newly split out 32bit-mmap-exec-randomization has a chance of going upstream or has already been submitted?

I would fight it going upstream as it has terrible entropy. I feel it only has value when combined with the nx-emu patch, which would have 0 entropy for the relocated executable regions if left as-is. The goal discussed on the Fedora kernel list was to somehow get rewrites of the existing upstream ASLR so that it could be used with the nx-emu patch and then the 32bit-mmap-exec-randomization could be eliminated.

The feature 32bit-mmap-exec-randomization is trying to implement is ASCII armor (leading 0 byte on addresses), but its greedy-fit method creates a nearly deterministic layout for each given ELF. So if a way to do ASCII armor with the upstream ASLR can be created, it can be dropped. There has been no progress on this, though.

-Kees

--
Kees Cook@debian.org

Archive: http://lists.debian.org/20101102154757.gj5...@outflux.net
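The two properties weighed in the message above (a leading zero byte on executable mapping addresses, and how much the layout varies between runs) can be checked from `/proc/<pid>/maps` captures. The following is an added example, not code from the thread or from either patch; the function names, the library name and the sample map lines are constructed for illustration.

```python
import math
from collections import Counter

ARMOR_LIMIT = 0x01000000  # 32-bit addresses below this have a 0x00 top byte

def exec_mappings(maps_text):
    """Return (start, end, path) for each executable mapping in a maps dump."""
    out = []
    for line in maps_text.strip().splitlines():
        fields = line.split(None, 5)
        if len(fields) < 5 or "x" not in fields[1]:
            continue
        start, end = (int(v, 16) for v in fields[0].split("-"))
        out.append((start, end, fields[5].strip() if len(fields) == 6 else ""))
    return out

def ascii_armored(start, end):
    """True when every address in [start, end) has a leading zero byte."""
    return end <= ARMOR_LIMIT

def base_entropy_bits(bases):
    """Shannon entropy in bits of the base addresses observed across runs."""
    n = len(bases)
    return sum(c / n * math.log2(n / c) for c in Counter(bases).values())

def audit(runs, library):
    """Bases of `library` per run, whether all are armored, observed entropy."""
    bases, armored = [], True
    for text in runs:
        for start, end, path in exec_mappings(text):
            if path.endswith(library):
                bases.append(start)
                armored = armored and ascii_armored(start, end)
                break
    return bases, armored, base_entropy_bits(bases)

# Constructed sample: four runs with an identical, armored layout.
DETERMINISTIC_RUNS = [
    "00110000-0026d000 r-xp 00000000 08:01 1234 /lib/libc-2.11.so\n"
    "0026d000-0026f000 rw-p 0015d000 08:01 1234 /lib/libc-2.11.so\n"
    "bf8e3000-bf8f8000 rw-p 00000000 00:00 0 [stack]"
] * 4

# Constructed sample: four runs with a varying, unarmored library base.
RANDOMIZED_RUNS = [
    "%08x-%08x r-xp 00000000 08:01 1234 /lib/libc-2.11.so" % (b, b + 0x15D000)
    for b in (0xB7520000, 0xB75A1000, 0xB7613000, 0xB76C4000)
]

if __name__ == "__main__":
    for name, runs in (("deterministic", DETERMINISTIC_RUNS),
                       ("randomized", RANDOMIZED_RUNS)):
        bases, armored, bits = audit(runs, "libc-2.11.so")
        print(f"{name}: armored={armored} observed entropy={bits:.1f} bits")
```

With N captured runs the observed entropy cannot exceed log2(N) bits, so a real measurement needs many more runs than the four shown here.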
item for kernel meeting -- NX emulation
hey,

Kees poked me to see if Debian would consider including the NX emulation patch that Ubuntu and Fedora are currently shipping. I won't be able to make Paris this weekend, but I'd like to request that this get added to the agenda. Kees, can you provide a reference for the changes?

[CC'ing the security team as well for possible feedback]

Archive: http://lists.debian.org/20101029135004.gb17...@dannf.org
Re: item for kernel meeting -- NX emulation
hello dann!

On Fri, Oct 29, 2010 at 07:50:04AM -0600, dann frazier wrote:
> Kees poked me to see if Debian would consider including the NX emulation patch that Ubuntu and Fedora are currently shipping. I won't be able to make Paris this weekend, but I'd like to request that this get added to the agenda. Kees, can you provide a reference for the changes?
>
> [CC'ing the security team as well for possible feedback]

items are to be found here, please just edit:
http://wiki.debian.org/DebianKernel/Meetings

thanks

--
maks

Archive: http://lists.debian.org/20101029141313.ga32...@vostochny.stro.at
Re: item for kernel meeting -- NX emulation
On Fri, Oct 29, 2010 at 02:13:14PM +, maximilian attems wrote:
> hello dann!
>
> On Fri, Oct 29, 2010 at 07:50:04AM -0600, dann frazier wrote:
> > Kees poked me to see if Debian would consider including the NX emulation patch that Ubuntu and Fedora are currently shipping. I won't be able to make Paris this weekend, but I'd like to request that this get added to the agenda. Kees, can you provide a reference for the changes?
> >
> > [CC'ing the security team as well for possible feedback]
>
> items are to be found here, please just edit:
> http://wiki.debian.org/DebianKernel/Meetings

appended.

Archive: http://lists.debian.org/20101029144312.gc17...@dannf.org
Re: item for kernel meeting -- NX emulation
Hi,

On Fri, Oct 29, 2010 at 08:43:12AM -0600, dann frazier wrote:
> On Fri, Oct 29, 2010 at 02:13:14PM +, maximilian attems wrote:
> > On Fri, Oct 29, 2010 at 07:50:04AM -0600, dann frazier wrote:
> > > Kees poked me to see if Debian would consider including the NX emulation patch that Ubuntu and Fedora are currently shipping. I won't be able to make Paris this weekend, but I'd like to request that this get added to the agenda. Kees, can you provide a reference for the changes?
> > >
> > > [CC'ing the security team as well for possible feedback]
> >
> > items are to be found here, please just edit:
> > http://wiki.debian.org/DebianKernel/Meetings
>
> appended.

Thanks for adding this to the agenda! I've added details about both AppArmor and the nx-emulation bits to the wiki page. Let me know if you've got any questions.

As far as AppArmor is concerned, I'll be uploading the userspace tools to experimental soon, since 2.6.36 is landing there now.

Thanks,

-Kees

--
Kees Cook

Archive: http://lists.debian.org/20101029155057.gb5...@outflux.net