Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 93263 - hardened-sources: add SKAS patch (for user-mode-linux) and loop-AES patch
Summary: hardened-sources: add SKAS patch (for user-mode-linux) and loop-AES patch
Status: RESOLVED WONTFIX
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened (show other bugs)
Hardware: All Linux
: High enhancement
Assignee: The Gentoo Linux Hardened Team
URL:
Whiteboard:
Keywords:
: 132124 (view as bug list)
Depends on:
Blocks:
 
Reported: 2005-05-19 15:53 UTC by Sascha Silbe
Modified: 2007-04-11 20:27 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Sascha Silbe 2005-05-19 15:53:09 UTC 
It would be great if you could include the SKAS patch for UML (user mode 
linux) [1] and the POSIX capabilities CAP_INIT_INH_SET patch [2] in 
hardened-sources.

hardened-sources contains almost anything I need (vanilla + security patches) 
with nearly as few bloat as possible (the only major patch is grsecurity). If 
you'd include those two patches, I could stop maintaining my own kernel source.

The SKAS patch [1] is needed for UML to run in SKAS (Separate Kernel Address 
Space) mode which increases security and performance (see also [3]). It can 
be deactivated in the Kernel config.

The POSIX capabilities CAP_INIT_INH_SET patch is needed to use POSIX 
capabilities on a system with an unpatched SysV init (i.e. a normal Gentoo 
system). It sets the Inheritable flag for all capabilities of the init 
process (see also bug #5818). On a system not explicitly changing 
/proc/sys/kernel/cap-bound (and thus activating POSIX capabilities), this has 
no real effect. See [4,5] for more details.


[1] http://www.user-mode-linux.org/~blaisorblade/patches/skas3-2.6/skas-2.6.11-v8/skas-2.6.11-v8.patch.bz2
[2] ftp://ftp.silbe.org/linux/kernel/v2.6/linux-2.6.9-enable_caps.patch
[3] http://user-mode-linux.sourceforge.net/skas.html
[4] http://killa.net/infosec/caps/
[5] http://ftp.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.4/capfaq-0.2.txt
Comment 1 Jakub Moc (RETIRED) gentoo-dev 2006-05-03 07:19:10 UTC 
*** Bug 132124 has been marked as a duplicate of this bug. ***
Comment 2 Sascha Silbe 2006-06-28 09:09:01 UTC 
POSIX capabilities support has been added to sysvinit, so we don't need the kernel patch (linux-2.6.9-enable_caps.patch) anymore.
loop-AES [1] support would be great, though, since it's plugs several design mistakes of cryptoloop and dm-crypt (but still supports their on-disk formats, so it's nearly a drop-in replacement). The current stable sys-apps/util-linux will include loop-AES support instead of cryptoloop support unless you set USE=old-crypt, BTW.
There's already a loop-AES module ebuild in the tree, but it needs to be rebuilt every time the kernel is updated. Up to now I could save myself that hassle. There's no tool to do it automatically and at least for the those damned nvidia drivers on my workstation, I tend to forget it almost every time.

[1] http://loop-aes.sourceforge.net/loop-AES.README
Comment 3 solar (RETIRED) gentoo-dev 2006-06-28 11:29:07 UTC 
The chnaces of this being included in hardened-sources are slim.. Another unique set of sources would be more suited.
Comment 4 Christian Heim (RETIRED) gentoo-dev 2007-04-11 20:27:09 UTC 
(In reply to comment #3)
> The chnaces of this being included in hardened-sources are slim.. Another
> unique set of sources would be more suited.

I don't see a chance here either.