Grsecurity/ PaX Kernel - Anyone want to test?

Discussion in 'all things UNIX' started by Hungry Man, Dec 9, 2012.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined: May 11, 2011
    Posts: 9,148
    It works with my Ubuntu 12.10 install with both the FGLRX and OSS ATI GPU Drivers.

    I want to just see how it is on other machines/ if I messed something up.

    edit: Going to work some issues out with it first, then set up a PPA instead. Easier that way.
     
    Last edited: Dec 10, 2012
  2. Umm. Is that signed? Do you have a public key? Not trying to be snarky here, but installing an unverified third-party package from someone's account on a file-sharing website strikes me as exceptionally bad security practice.

    (I know you've got a thing about how security shouldn't rely on the user, but in this case I think it kind of has to.)
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined: May 11, 2011
    Posts: 9,148
    Signing it wouldn't do anything. I could sign malware easily. I could do the same thing with a signed PPA or anything else. I just chose not to use a PPA because it's a pain in the ass to set up.

    I can't really do much but tell you that I didn't do anything 'malicious' with it. Oh and I'll get a hash of it so you can verify it's the same file that I uploaded.

    sha1sum output:
    69283f7806ede892a6553ee216026181b7bc7720
     
    Last edited: Dec 9, 2012
  4. Signing it would at least give reasonable indication that it was in fact you who uploaded it, no?
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined: May 11, 2011
    Posts: 9,148
    The signature would confirm that I myself uploaded it, I suppose. But a SHA hash confirms that the file I've uploaded is the one you've downloaded. I don't see how signing it adds anything, but I'll probably sign the next release anyways.
     
  6. m00nbl00d

    m00nbl00d Registered Member

    Joined: Jan 4, 2009
    Posts: 6,623
    The digital signature implies trust. And, by trust, it means that if something goes bad, they know who they will be beating up with a bat. :D In theory, anyway. :D

    So, never sign your stuff... :p
     
  7. NGRhodes

    NGRhodes Registered Member

    Joined: Jun 23, 2003
    Posts: 2,331
    Location: West Yorkshire, UK
    Where is the source (GPL license demands the complete source even for build config changes)?
     
  8. Hungry Man

    Hungry Man Registered Member

    Joined: May 11, 2011
    Posts: 9,148
    Weird. So if I change a config in the Linux kernel I have to upload the source? Despite it being entirely unchanged?

    I'll upload it later.

    edit: I'm just going to stop and do this through a PPA once I work out the kinks. It'll make this simpler in the end. Just not interested in dealing with it right now.
     
    Last edited: Dec 10, 2012
  9. Mman79

    Mman79 Registered Member

    Joined: Sep 19, 2012
    Posts: 2,016
    Location: North America
    You're at Wilders, what kind of reaction were you expecting? :D But yeah, about the GPL, sucks but Rhodes is right.
     
  10. Hungry Man

    Hungry Man Registered Member

    Joined: May 11, 2011
    Posts: 9,148
    I would think the only thing necessary to upload would be the config, which is the only modified part. Regardless, I'm taking the link down until I can fix a few things and set up a PPA, which I won't be doing today.
     
    Last edited: Dec 10, 2012
  11. NGRhodes

    NGRhodes Registered Member

    Joined: Jun 23, 2003
    Posts: 2,331
    Location: West Yorkshire, UK
    No worries, I was not trying to be harsh, was actually thinking from a trust POV, having your config files could be useful.

    Cheers, Nick
     
  12. Hungry Man

    Hungry Man Registered Member

    Joined: May 11, 2011
    Posts: 9,148
    Definitely. Like I'd said in the blog post I was planning on uploading the config at some point but I considered that first kernel more of a test.
     
  13. ComputerSaysNo

    ComputerSaysNo Registered Member

    Joined: Aug 9, 2012
    Posts: 1,414
    Can you upload it please? I'd like to test.
     
  14. Hungry Man

    Hungry Man Registered Member

    Joined: May 11, 2011
    Posts: 9,148
    I can have it, and the source, uploaded later today for the 7.1 kernel. It'll be a few hours before I get the chance to upload it.
     
    Last edited: Dec 19, 2012
  15. Hungry Man

    Hungry Man Registered Member

    Joined: May 11, 2011
    Posts: 9,148
    http://www.putlocker.com/file/6E45A2F84D5BBAC7

    That includes the full source of the kernel as well as the compiled binary. Just extract it and install the .deb. Should be optimized with -msse2, assuming I added that to the makefile properly.

    That's a hash for the compressed file and the .deb. That should be more than enough to know that the file I uploaded is the file you've downloaded.

    You should be able to use chpax/paxctl (whichever is the current thing) to disable PaX features on a per program basis, let me know if it doesn't work.

    This is actually a somewhat stripped kernel. If you need file system support outside of EXT4 it probably isn't the best. Forgot that I had customized it for my system. Craaaaaaaaaaaap, I probably have to recompile. Let me know if it doesn't work. If it does I'll wait until 3.7.2 to recompile, at which time I'll include more support.
     
    Last edited: Dec 19, 2012
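
The hash-versus-signature question argued in this thread, worked through as an added example that is not part of any poster's message. It uses constructed files and a throwaway RSA key, with `openssl dgst` standing in for a GPG detached signature; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: constructed files and a throwaway key, nothing from the thread.

# Integrity: does the file match a digest copied from the forum post?
check_hash() {  # $1 = file, $2 = expected SHA-1 hex digest
    actual=$(sha1sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# Authenticity: was this exact content signed by the holder of the key?
check_sig() {   # $1 = file, $2 = detached signature, $3 = public key (PEM)
    openssl dgst -sha256 -verify "$3" -signature "$2" "$1" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d) || return 1
    # Uploader side: build the file, post its digest, sign it.
    printf 'constructed stand-in for the kernel .deb\n' > "$d/kernel.deb"
    posted=$(sha1sum "$d/kernel.deb" | cut -d' ' -f1)
    openssl genrsa -out "$d/priv.pem" 2048 2>/dev/null
    openssl rsa -in "$d/priv.pem" -pubout -out "$d/pub.pem" 2>/dev/null
    openssl dgst -sha256 -sign "$d/priv.pem" \
        -out "$d/kernel.deb.sig" "$d/kernel.deb"

    # Case 1: untouched download passes both checks.
    check_hash "$d/kernel.deb" "$posted" && r1=ok || r1=fail
    check_sig "$d/kernel.deb" "$d/kernel.deb.sig" "$d/pub.pem" && r2=ok || r2=fail

    # Case 2: file changed on the host; the digest in the post catches it.
    printf 'replaced content\n' > "$d/kernel.deb"
    check_hash "$d/kernel.deb" "$posted" && r3=ok || r3=fail

    # Case 3: the digest shown to the downloader was changed along with
    # the file. The hash check passes again; the signature check does not,
    # because the key holder never signed this content.
    reposted=$(sha1sum "$d/kernel.deb" | cut -d' ' -f1)
    check_hash "$d/kernel.deb" "$reposted" && r4=ok || r4=fail
    check_sig "$d/kernel.deb" "$d/kernel.deb.sig" "$d/pub.pem" && r5=ok || r5=fail

    rm -rf "$d"
    echo "$r1 $r2 $r3 $r4 $r5"
}

demo   # prints: ok ok fail ok fail
```

The signature check is only as good as the channel the public key arrived on; it says nothing about whether the signed content is benign.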