Switch to Gentoo sources
by Sven Vermeulen, post on Tue 22 August 2017
You might already have read it on the Gentoo news site: the Hardened Linux kernel sources are removed from the tree due to the grsecurity change where the grsecurity Linux kernel patches are no longer provided for free. The decision was made for supportability and maintainability reasons.
That doesn't mean that users who want to stick with the grsecurity related hardening features are left alone. Agostino Sarubbo has started providing sys-kernel/grsecurity-sources for the users who want to stick with it, as it is based on minipli's unofficial patchset. I seriously hope that the patchset will continue to be maintained and, who knows, even evolve further.
Personally though, I'm switching to the Gentoo sources, and stick with SELinux as one of the protection measures. And with that, I might even start using my NVidia graphics card a bit more, as that one hasn't been touched in several years (I have an Optimus-capable setup with both an Intel integrated graphics card and an NVidia one, but all attempts to use nouveau for the one game I like to play - minecraft - didn't work out that well).
Some things sound more scary than they are
by Sven Vermeulen, post on Thu 15 August 2013
A few days ago I finally got to the next thing on my "Want to do this year" list: put a new Android (Cyanogenmod) on my tablet, which was still running the stock Android - but hasn't seen any updates in more than a year. Considering the (in)security of Android …
And now, 31 days later...
by Sven Vermeulen, post on Thu 01 August 2013
... the Gentoo Hardened team had its monthly online meeting again ;-)
On the agenda were the usual suspects, such as the toolchain. In this category, Zorry mentioned that he has a fix for GCC 4.8.1 for the hardenedno* and vanilla gcc-config options which will be added to the tree …
Looking at the local Linux kernel privilege escalation
by Sven Vermeulen, post on Fri 17 May 2013
There have been a few posts already on the local Linux kernel privilege escalation, which has received the CVE-2013-2094 ID. arstechnica has a write-up with links to good resources on the Internet, but I definitely want to point readers to the explanation that Brad Spengler made on the vulnerability.
In …
Overview of Linux capabilities, part 2
by Sven Vermeulen, post on Sun 05 May 2013
As I've (at a very high level) described capabilities and talked a bit about how to work with them, I started with a small overview of file-related capabilities. So next up are process-related capabilities (note, this isn't conformant terminology, more some categorization that I do myself).
- CAP_IPC_LOCK
- Allow the …
Another Gentoo Hardened month has passed
by Sven Vermeulen, post on Thu 18 April 2013
Another month has passed, so time to mention again what we have all been doing lately ;-)
Toolchain
Version 4.8 of GCC is available in the tree, but currently masked. The package contains a fix needed to build hardened-sources, and a fix for the asan (address sanitizer). asan support in …
Gentoo Hardened progress meeting of march 2013
by Sven Vermeulen, post on Thu 07 March 2013
Another month has passed, so time for a new progress meeting...
Toolchain
GCC v4.7 has been unmasked, allowing a large set of users to test out the new GCC. It is also expected that GCC 4.8-rc1 will hit the tree next week. In the hardened-dev overlay, hardened support …
Uploading selinuxnode test VM
by Sven Vermeulen, post on Mon 25 February 2013
At the time of writing (but I'll delay the publication of this post a few hours), I'm uploading a new SELinux-enabled KVM guest image. This is not an update on the previous image though (it's a reinstalled system - after all, I use VMs for testing, so it makes sense to …
Gentoo Hardened goes onward (aka project meeting)
by Sven Vermeulen, post on Thu 07 February 2013
It's been a while again, so time for another Gentoo Hardened online progress meeting.
Toolchain
GCC 4.8 is on development stage 4, so the hardened patches will be worked on next week. Some help on it is needed to test the patches on ARM, PPC and MIPS though. For …