Re: exec-shield (maybe ITP kernel-patch-exec-shield)

On Mon, 3 Nov 2003 06:14, Michael Ablassmeier wrote:
> On Mon, Nov 03, 2003 at 02:49:37AM +1100, Russell Coker wrote:
> > It seems that exec-shield does 99% of what PaX does (PaX is the most
> > desirable feature in GRSec). Exec-shield also has support for 2.6 and
> > looks like it will be a standard feature in Red Hat.
> I don't know exec-shield that well, but I think it may be better to not
> only test it one or 2 days. So, let's look how it works for RedHat and
> provide a kernel-patch package (my suggestion).

Exec-shield is apparently in Fedora already, and has been tested extensively
inside Red Hat.

The plan is to get Linus to accept it as a feature for 2.6, but to do this we
need to get it tested more. It is being tested in Fedora; I think that we
should do the same for Debian. Getting this patch deployed on large numbers
of Debian machines is what is necessary to get it accepted by Linus.

I will make a kernel-patch package.

> > If adding exec-shield to the Debian kernel is not considered a good idea
> > then I'll create a kernel-patch package for exec-shield, which will still
> > remove the need to make grsec work with the Debian kernel.
> Even if it has some features which are nice, grsec provides a few more.
> It would be nice to have a working grsec patch in Debian.

We have recently discussed grsec, and it seems that we will not get grsec as
either a default part of the Debian kernel, or as a patch that can be applied
to a Debian kernel.

PS I am employed by Red Hat, but this has no direct connection to my work.

http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page