[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: exec-shield (maybe ITP kernel-patch-exec-shield)

On Mon, 3 Nov 2003 06:14, Michael Ablassmeier wrote:
> On Mon, Nov 03, 2003 at 02:49:37AM +1100, Russell Coker wrote:
> > It seems that exec-shield does 99% of what PaX does (PaX is the most
> > desirable feature in GRSec).  Exec-shield also has support for 2.6 and
> > looks like it will be a standard feature in Red Hat.
> I don't know exec-shield that good, but i think it may be better to not
> only test it one or 2 days. So, let's look how it works for RedHat and
> provide an kernel-patch package (my suggestion).

Exec-shield is apparently in Fedora already, and has been tested extensively 
inside Red Hat.

The plan is to get Linus to accept it as a feature for 2.6, but to do this we 
need to get it tested more.  It is being tested in Fedora, I think that we 
should do the same for Debian.  Getting this patch deployed on large numbers 
of Debian machines is what is necessary to get it accepted by Linus.

I will make a kernel-patch package.

> > If adding exec-shield to the Debian kernel is not considered a good idea
> > then I'll create a kernel-patch package for exec-shield, which will still
> > remove the need to make grsec work with the Debian kernel.
> Even if it has some features which are nice, grsec provides a few more.
> It would be nice to have a working grsec Patch in Debian.

We have recently discussed grsec, and it seems that we will not get grsec as 
either a default part of the Debian kernel, or as a patch that can be applied 
to a Debian kernel.

PS  I am employed by Red Hat, but this has no direct connection to my work.

http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

Reply to: