We need this in the tree and stabilised ASAP for two reasons: 1) The current version of gradm marked stable (2.1.10.200702231759) does not work at all with any instance of hardened-sources presently in the tree - certainly as far as 2.6 is concerned. 2) The latest version that we do have in the tree (2.1.11.200803102037) is subject to some serious bugs which are described here: http://forums.grsecurity.net/viewtopic.php?f=1&t=1928. However, the latest snapshot resolves these bugs (thanks to gengor for confirming). It's a trivial bump - just a matter of renaming and generating a new manifest. I've confirmed that it works with the latest instance of hardened-sources and we'll also be needing it to support a 2.6.24 release.
200803171746 is in the tree now. Please test.
I'm just wondering if we need this conditional dep: || ( sys-apps/paxctl sys-apps/chpax ) Does gradm actually have a requirement for either of these packages? PaX flags can be controlled via RBAC policy in the event that PAX_HAVE_ACL_FLAGS is defined in the kernel .config (which it is in our bespoke level) but this is orthogonal to the presence of either package, iirc. Even if we do need paxctl for some reason, should we perhaps consider dropping the conditional so that chpax is out of the picture?
Well, it doesn't seem to have killed any kittens and does actually work with the kernels we have now. Any reason not to get this stabilised soon?
Working perfectly for almost 2 weeks on kernel 2.6.23-hardened-r9, arch x86
solar has marked gradm-2.1.11-200803171746 stable on x86 and amd64. This bug can be closed.
My mistake, please disregard comment #5. Previous builds of gradm are marked stable on ARCH other than just x86/amd64 - though none of them have a stabled hardened-sources release for months+, go figure. The list of previous ARCHs with at least one previous version of gradm stabled: alpha arm ia64 ppc ppc64 s390 sh
We're now at gradm-2.1.11.200804142058 - meanwhile there were some fixes and updates. I don't exactly know if the 20080310 version is compatible with most recent kernels/grsec patches. I suggest stabilizing that. I'm running it on HPPA without apparent problems, it should be marked ~hppa soon for further testing. The ChangeLog (http://www.grsecurity.net/cvs-gradm2-changelog) speaks about FIXes too, so maybe the old version should be considered buggy? 20080310 -> 20080414 changes follow:
* gradm_cap.c, gradm_defs.h: add support for CAP_SETFCAP
* gradm.l, gradm_fulllearn_pass1.l, gradm_fulllearn_pass2.l, gradm_fulllearn_pass3.l, gradm_learn_pass1.l, gradm_learn_pass2.l: extend username limits
* learn_config: always reduce portage
* gradm_analyze.c: fix error checking when not done per-role
* gradm_analyze.c: always check for default subjects/objects
* Makefile, gradm_parse.c: support policies on files > 2gb
(In reply to comment #7)
> We're now at gradm-2.1.11.200804142058 - meanwhile there were some fixes and
> updates. I don't exactly know if the 20080310 version is compatible with most
> recent kernels/grsec patches.
>
> I suggest to stabilize that. I'm running it on HPPA without apparent problems,
> it should be marked ~hppa soon for further testing.
>
> The ChangeLog (http://www.grsecurity.net/cvs-gradm2-changelog) speaks about
> FIXes too, so maybe the old version should be considered buggy? 20080310 ->
> 20080414 changes follow:
> * gradm_cap.c, gradm_defs.h: add support for CAP_SETFCAP
> * gradm.l, gradm_fulllearn_pass1.l, gradm_fulllearn_pass2.l,
> gradm_fulllearn_pass3.l, gradm_learn_pass1.l,
> gradm_learn_pass2.l: extend username limits
> * learn_config: always reduce portage
> * gradm_analyze.c: fix error checking when not done per-role
> * gradm_analyze.c: always check for default subjects/objects
> * Makefile, gradm_parse.c: support policies on files > 2gb

The current stable version is based on the 20080317 snapshot, not 20080310. It's not "buggy" that I can tell. If you find a specific bug, please file/report it. That said, I will be calling for 2.1.11.200804142058 to go stable prior to/around the same time as 2.6.24-rX, as their features do coincide (longer username support, etc.). I doubt there will be a problem using gradm-2.1.11.200804142058 with 2.6.23 kernels but have not verified that. If people want to test and there is no compat issue, we could possibly start the stabilization process for gradm-2.1.11.200804142058 a bit earlier.
Removing pending status, CCing remaining ARCHs. Please test/stable gradm-2.1.11-200803171746. Thanks.
ppc stable
Old now anyway. Will file a new bug for different version+remaining arches.