Re: [Vserver] vserver and grsec
> Rik Bobbaers wrote:
> > hey all,
> >
> > for those interested... i took a vanilla linux 2.6.14.4 kernel, patched it with an updated version of grsec 2.1.7 and applied the vserver 2.1.0 patch (including the sendfile patch and an optimisation for some weirdness in grsec). i put it all in a patch, which can be located at:
> >
> > http://harry.ulyssis.org/patch-2.6.14.4-vs2.1.0-grsec2.1.7.diff.gz
> > http://harry.ulyssis.org/patch-2.6.14.4-vs2.1.0-grsec2.1.7.diff
> >
> > 1 thing... if you can't start your vservers and get the following error message:
> >
> >     vcontext: vc_set_cflags(): Operation not permitted
> >
> > you need to enable capabilities in chroots. you can do this with:
> >
> >     echo 0 > /proc/sys/kernel/grsecurity/chroot_caps
> >
> > (or the appropriate sysctl command ;))
> >
> > if people think it's a good thing to merge the patches... just let me know, i'll see what i can do to keep this a little bit up to date.
> >
> > have fun all!
>
> Works like a charm :-) I don't use the PAX part, but no problems with vserver and proc_security/randomness features.
>
> Thanks a lot!
>
> Merry Xmas,
> Oliver

In the last two weeks I was trying to run a grsec-vserver kernel, with no results:

I take the same kernel (2.6.14.4) and patch it with patch-2.6.14.4-vs2.1.0-grsec2.1.7.diff with:

    patch -p0 < patch-2.6.14.4-vs2.1.0-grsec2.1.7.diff

PAX is disabled. When I try to run gradm 2.17 or gradm 2.18 the system says to me:

    incompatible gradm and grsecurity versions

#
# Vserver and grsecurity compile options:
#

#
# Linux VServer
#
CONFIG_VSERVER_LEGACY=y
# CONFIG_VSERVER_LEGACY_VERSION is not set
CONFIG_VSERVER_DYNAMIC_IDS=y
# CONFIG_VSERVER_NGNET is not set
CONFIG_VSERVER_COWBL=y
# CONFIG_VSERVER_PROC_SECURE is not set
CONFIG_VSERVER_HARDCPU=y
CONFIG_VSERVER_HARDCPU_IDLE=y
# CONFIG_INOXID_NONE is not set
# CONFIG_INOXID_UID16 is not set
# CONFIG_INOXID_GID16 is not set
CONFIG_INOXID_UGID24=y
# CONFIG_INOXID_INTERN is not set
# CONFIG_INOXID_RUNTIME is not set
# CONFIG_XID_TAG_NFSD is not set
CONFIG_XID_PROPAGATE=y
CONFIG_VSERVER_DEBUG=y
CONFIG_VSERVER_HISTORY=y
CONFIG_VSERVER_HISTORY_SIZE=64

#
# Grsecurity
#
CONFIG_GRKERNSEC=y
# CONFIG_GRKERNSEC_LOW is not set
# CONFIG_GRKERNSEC_MEDIUM is not set
CONFIG_GRKERNSEC_HIGH=y
# CONFIG_GRKERNSEC_CUSTOM is not set

#
# Address Space Protection
#
CONFIG_GRKERNSEC_KMEM=y
CONFIG_GRKERNSEC_IO=y
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_BRUTE=y
CONFIG_GRKERNSEC_HIDESYM=y

#
# Role Based Access Control Options
#
CONFIG_GRKERNSEC_ACL_HIDEKERN=y
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30

#
# Filesystem Protections
#
CONFIG_GRKERNSEC_PROC=y
CONFIG_GRKERNSEC_PROC_USER=y
CONFIG_GRKERNSEC_PROC_USERGROUP=y
CONFIG_GRKERNSEC_PROC_GID=1001
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
# CONFIG_GRKERNSEC_CHROOT_DOUBLE is not set
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
# CONFIG_GRKERNSEC_CHROOT_CHDIR is not set
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
# CONFIG_GRKERNSEC_CHROOT_CAPS is not set

#
# Kernel Auditing
#
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
# CONFIG_GRKERNSEC_EXECLOG is not set
CONFIG_GRKERNSEC_RESLOG=y
# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set
# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
CONFIG_GRKERNSEC_AUDIT_MOUNT=y
# CONFIG_GRKERNSEC_AUDIT_IPC is not set
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_TIME=y
CONFIG_GRKERNSEC_PROC_IPADDR=y
# CONFIG_GRKERNSEC_AUDIT_TEXTREL is not set

#
# Executable Protections
#
CONFIG_GRKERNSEC_EXECVE=y
CONFIG_GRKERNSEC_SHM=y
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_RANDPID=y
# CONFIG_GRKERNSEC_TPE is not set

#
# Network Protections
#
CONFIG_GRKERNSEC_RANDNET=y
CONFIG_GRKERNSEC_RANDSRC=y
# CONFIG_GRKERNSEC_SOCKET is not set

#
# Sysctl support
#
CONFIG_GRKERNSEC_SYSCTL=y
CONFIG_GRKERNSEC_SYSCTL_ON=y

#
# Logging Options
#
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=4
# CONFIG_KEYS is not set
# CONFIG_SECURITY is not set

___
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
Re: [Vserver] vserver and grsec
On Wednesday 01 March 2006 14:04, Daniel Ortiz wrote:
> I take the same kernel (2.6.14.4) and patch it with patch-2.6.14.4-vs2.1.0-grsec2.1.7.diff with:
>
>     patch -p0 < patch-2.6.14.4-vs2.1.0-grsec2.1.7.diff
>
> PAX is disabled. When I try to run gradm 2.17 or gradm 2.18 the system says to me:
>
>     incompatible gradm and grsecurity versions

hi there,

you have to use the correct software for gradm to work... i never used gradm before myself, but i tried it on the latest patch... try the following patch:

http://harry.ulyssis.org/vserver/patch-2.6.14.7-vs2.1.0-grsec2.1.9.diff.gz

with this gradm:

http://harry.ulyssis.org/vserver/gradm-2.1.9-200602141850.tar.gz

that should work seamlessly (btw. this is a completely new patch, merged from scratch... as far as i know it works without any problems... so please test and let me know if there are any problems with it (which aren't there in the default vserver 2.1.0 patch of course... backporting the 2.1.1-rc9 has proven to be a bit too much work, so i fear, unstable))

so... upgrade all!!! :)

-- 
harry aka Rik Bobbaers
K.U.Leuven - LUDIT -=- Tel: +32 485 52 71 50
[EMAIL PROTECTED] -=- http://harry.ulyssis.org

Work hard and do your best, it'll make it easier for the rest -- Garfield

Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm
RE: [Vserver] vserver and grsec
Thanks for the quick answer.

Ok, I'm beginning the kernel compilation with your suggested patches and gradm. Any bug or problem I will report in this thread.

Sorry for my English... from Chile

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Rik Bobbaers
Sent: Wednesday, 01 March 2006 11:48
To: vserver@list.linux-vserver.org
Subject: Re: [Vserver] vserver and grsec
RE: [Vserver] vserver and grsec
The suggested gradm-2.1.9-200602141850.tar.gz works, no incompatibility error. Beginning the tests.

bye.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Daniel Ortiz
Sent: Wednesday, 01 March 2006 12:58
To: vserver@list.linux-vserver.org
Subject: RE: [Vserver] vserver and grsec
[Vserver] vserver and grsec
hey all,

for those interested... i took a vanilla linux 2.6.14.4 kernel, patched it with an updated version of grsec 2.1.7 and applied the vserver 2.1.0 patch (including the sendfile patch and an optimisation for some weirdness in grsec). i put it all in a patch, which can be located at:

http://harry.ulyssis.org/patch-2.6.14.4-vs2.1.0-grsec2.1.7.diff.gz
http://harry.ulyssis.org/patch-2.6.14.4-vs2.1.0-grsec2.1.7.diff

1 thing... if you can't start your vservers and get the following error message:

    vcontext: vc_set_cflags(): Operation not permitted

you need to enable capabilities in chroots. you can do this with:

    echo 0 > /proc/sys/kernel/grsecurity/chroot_caps

(or the appropriate sysctl command ;))

if people think it's a good thing to merge the patches... just let me know, i'll see what i can do to keep this a little bit up to date.

have fun all!

-- 
harry aka Rik Bobbaers
K.U.Leuven - LUDIT -=- Tel: +32 485 52 71 50
[EMAIL PROTECTED] -=- http://harry.ulyssis.org

Disclaimer: By sending an email to ANY of my addresses you are agreeing that:
1. I am by definition, the intended recipient
2. All information in the email is mine to do with as I see fit and make such financial profit, political mileage, or good joke as it lends itself to. In particular, I may quote it on usenet.
3. I may take the contents as representing the views of your company.
4. This overrides any disclaimer or statement of confidentiality that may be included on your message.

Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm
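Added example, not code from the thread or from either project: a small POSIX sh diagnostic for the vc_set_cflags() failure Rik describes, run on constructed .config and sysctl files that mirror Daniel's posted options. The helper names are mine, and it assumes the /proc/sys/kernel/grsecurity tree only exists when CONFIG_GRKERNSEC_SYSCTL=y.

```shell
#!/bin/sh
# Diagnostic for the failure described in the thread: grsec's chroot_caps
# restriction makes vcontext's vc_set_cflags() fail with EPERM, and the cure
# is "echo 0 > /proc/sys/kernel/grsecurity/chroot_caps" (assumption: the
# sysctl only exists when CONFIG_GRKERNSEC_SYSCTL=y; without it the feature
# is fixed at build time). Both helpers take file paths so the logic can be
# exercised on constructed input; in production pass a real .config and the
# real sysctl path.

GRSEC_CHROOT_CAPS=/proc/sys/kernel/grsecurity/chroot_caps

# config_has OPTION FILE: true when "OPTION=y" is set in the .config
config_has() {
    grep -q "^$1=y$" "$2"
}

# chroot_caps_blocks FILE: true when the sysctl reads nonzero, i.e. grsec is
# stripping capabilities inside chroots and vserver guests will not start
chroot_caps_blocks() {
    [ -r "$1" ] || return 1
    [ "$(tr -d '[:space:]' < "$1")" != "0" ]
}

# diagnose CONFIG SYSCTL_FILE: prints a verdict and returns
#   0 = contexts can start    1 = set chroot_caps to 0 (host-wide setting)
#   2 = CHROOT_CAPS is compiled in with no sysctl to turn it off: rebuild
diagnose() {
    if ! config_has CONFIG_GRKERNSEC_CHROOT_CAPS "$1"; then
        echo "CHROOT_CAPS not built in: vc_set_cflags() is not affected"; return 0
    fi
    if ! config_has CONFIG_GRKERNSEC_SYSCTL "$1" || [ ! -r "$2" ]; then
        echo "CHROOT_CAPS built in but no sysctl interface: rebuild kernel"; return 2
    fi
    if chroot_caps_blocks "$2"; then
        echo "chroot_caps is on: echo 0 > $GRSEC_CHROOT_CAPS (or sysctl -w)"; return 1
    fi
    echo "chroot_caps is off: vserver contexts can start"; return 0
}

# Constructed sample input (not a real system): Daniel's posted options, and a
# variant with CHROOT_CAPS enabled as users of Rik's patch would see it
tmp=${TMPDIR:-/tmp}/grsec_vs_demo.$$; mkdir -p "$tmp"
printf '%s\n' 'CONFIG_GRKERNSEC_SYSCTL=y' 'CONFIG_GRKERNSEC_SYSCTL_ON=y' \
    '# CONFIG_GRKERNSEC_CHROOT_CAPS is not set' > "$tmp/config_daniel"
printf '%s\n' 'CONFIG_GRKERNSEC_SYSCTL=y' 'CONFIG_GRKERNSEC_CHROOT_CAPS=y' > "$tmp/config_rik"
printf '1\n' > "$tmp/chroot_caps"      # what the live sysctl shows when grsec blocks
diagnose "$tmp/config_daniel" "$tmp/chroot_caps" || echo "rc=$?"
diagnose "$tmp/config_rik" "$tmp/chroot_caps" || echo "rc=$?"
```

Setting chroot_caps to 0 lifts grsec's capability stripping for every chroot on the host, not only for vserver guests, which is why the verdict names it as a host-wide setting.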