The openwall-patches for the linux kernel from Solar Designer add non-excecutable-stack support (with trampoline-support), /proc and /tmp restrictions and new features for setrlimit. It's pretty much a very small version of grsecurity. It doesn't have as much features but it's much smaller and very well audited (you know Solar Designer ;)). IMHO worth an inclusion in portage, the patch for 2.4.21 is the first one for 2.4.x with a version >0.
Created attachment 13549 [details] 2.4.21-owl-r1 ebuild
Created attachment 13550 [details] The patch (2.4.21-ow1)
Created attachment 16163 [details] Updated ebuild to -ow2
Created attachment 16164 [details] Updated patch to -ow2
I agree that these sources should be included in portage. Pfeifer, what do you think of adding these?
Due to the nature of -sources ebuilds I think we would want to have a maintainer for this package. I also personally feel that as this package only contains 1 patch we should not have to repackage it thus avoiding having different md5sum signatures vs the ones solar_diz has for his tar.gz releases we could simply grab the src tarball from http://openwall.com/linux/linux-${OKV}-${PATCH_BASE}.tar.gz unpack, do some mv magic via the ebuild. Also to make it very easy to bump revisions the ebuild could be written so it does not require somebody to hand edit OKV & EXTRAVERSION's at every bump. On another note. Another user on the #gentoo-hardened irc channel ( Aetherios ) suggested that this be called openwall-sources vs owl-sources, the logic behind that was "owl" is the name of solar_diz's distribution and openwall is the name of the patch.
Created attachment 16248 [details] openwall-sources-2.2.25.ebuild Ebuild for the 2.2.25 linux kernel patched with the openwall security patch
Created attachment 16249 [details] openwall-sources-2.4.21.ebuild Heres the new openwall-sources ebuild using the ideas solar decided.
Created attachment 16350 [details] openwall-sources-2.4.21.2.ebuild Here is the 'self-maintaining' ebuild for openwall-sources. For instance, to make this work for linux-2.2.25-ow1, copy it to openwall-sources-2.2.25.1.ebuild . The extra number is the openwall release.
Hi guys this bug has not been forgotten about or ignored its just that thus far it seems we have exactly only two people interested in having openwall sources in portage, and unfortunately that's not going to be enough to justify the need. If this is really something you want to see in portage please run this bug# by a gentoo-* mailing list or two and see if there is more interest from others.
Oh btw 2.4.22 came out today.
It seems we don't have much interest in adding this to portage? I suppose anyone planning on running owl-sources can easily enough patch the kernel on their own. Should we close this?
changing resolution to INVALID due to lack of public interest
