grsecurity 2.0.2 for the 2.4.28 kernel


Version 2.0.2 of the grsecurity patch has been released for the 2.4.28 kernel. A new version for the 2.6 kernels will appear once the PaX code is complete. Download:

grsecurity-2.0.2-2.4.28.patch.gz

gradm-2.0.2.tar.gz


Announcement:

-------------

From: spender@grsecurity.net
To: grsecurity@grsecurity.net
Subject: [grsec] grsecurity 2.0.2 released for Linux 2.4.28

grsecurity 2.0.2 has been released for Linux 2.4.28. Changes in this release include:

* PaX updates and addition of PaX code for MIPS, MIPS64, IA64, and AMD64
* Chroot restrictions no longer allow zombie tasks to display in a process listing
* Randomized PIDs optimization
* PaX's RANDKSTACK feature is disabled in the high security setting if the CPU does not support it
* Completely rewritten logging system that significantly reduces the .text size of the grsec-enabled kernel
* CAP_FOWNER was removed from the set of capabilities disallowed in a chroot
* The IP address tagging table was moved into the .bss, fixing a sparc32 booting problem
* PaX ACL hook support was added and is automatically set to the "direct" method in the kernel configuration
* Fixed sysctl compile error when grsec is disabled
* Fixed RBAC bug with process protect flag
* Fixed any future problems with kernel role in gradm
* Solved memory problems with learning analysis: only one subject will be resident in memory at a time during full learning analysis
* Caching was added to gradm that dramatically reduces run time of learning analysis


The largest changes in this release were the logging system rewrite and the learning analysis rewrite. Previously, all logging in grsecurity was done through a single, large macro, as this was easiest (and when the macro was first implemented, it was not very large and not called very often). Unfortunately, as grsecurity grew, the size of that macro increased as did the number of callers. This resulted in up to 500kb of .text being duplicated throughout the grsecurity code. By grouping the different types of logs and optimizing based on their similarities, I was able to create a variable argument logging function to replace the previous macro, resulting in cache improvements and a significantly smaller kernel .text.

One of the most common problems with the gradm learning analysis was that large logs caused OOM errors. This was due to unnecessary allocations, memory leaks, and a problem with the design that required that all logs be analyzed and reduced, then written out to disk all at once. I've eliminated the memory leaks, removed the unnecessary allocations, and modified the system so that after a new subject is reduced, the generated policy is written out and all allocations for that subject are freed. This part comes at the additional time cost of multiple passes through the log file, however.

To speed up the parsing of the log files, I implemented caching for the routines that insert parsed filenames into filename graphs. This reduced CPU time for the most used function by about 1000%, as the function has a high time complexity.

Grsecurity 2.0.3 will include further speed improvements and will contain a configuration file for learning that will allow you to ignore learning on certain processes, perform an inherit-based learning on certain processes, set the cache size of the grlearn daemon, etc.

Grsecurity 2.0.2 will be released for the 2.6 series of kernels when a PaX port is complete for the latest 2.6 kernel. As the 2.6 series of kernels are mimicking more of a development series than a stable series, the 2.4 series of kernels are recommended at this time.

Also, please see the note regarding sponsors on the news page.

Thanks for your support of grsecurity, and enjoy.

-Brad
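The announcement above describes caching in the routines that insert parsed filenames into filename graphs during learning analysis. The following C program is an added illustration of that idea and is not gradm's code: it builds a tree of path components with a linear scan of each node's children, and adds a one-entry cache that remembers the directory of the previously inserted path so that consecutive paths from the same directory skip the walk from the root. The tree layout, the fixed fan-out limit, the single-entry cache policy and the sample paths are all assumptions constructed for this example; the comparison counter only makes the saved work visible.

```c
/* Added example, not gradm's code: filename graph with a last-directory cache.
 * Tree shape, fan-out limit, cache policy and sample paths are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_CHILDREN 32   /* fixed fan-out keeps the example short */
#define NAME_LEN     64
#define PATH_LEN     256

struct fnode {
    char name[NAME_LEN];
    struct fnode *children[MAX_CHILDREN];
    int nchildren;
    int count;                 /* how many log lines named exactly this path */
};

struct fgraph {
    struct fnode root;
    int use_cache;
    char cached_dir[PATH_LEN]; /* directory prefix of the last inserted path */
    struct fnode *cached_node; /* node for cached_dir, NULL until first insert */
    unsigned long compares;    /* name comparisons done: the cost being reduced */
    unsigned long cache_hits;
    unsigned long nodes;       /* nodes created, excluding the root */
};

/* Linear scan of a node's children; creates the child if it is missing. */
static struct fnode *child(struct fgraph *g, struct fnode *parent, const char *name) {
    for (int i = 0; i < parent->nchildren; i++) {
        g->compares++;
        if (strcmp(parent->children[i]->name, name) == 0)
            return parent->children[i];
    }
    if (parent->nchildren >= MAX_CHILDREN) return NULL;
    struct fnode *n = calloc(1, sizeof *n);
    if (!n) return NULL;
    strcpy(n->name, name);     /* callers guarantee strlen(name) < NAME_LEN */
    parent->children[parent->nchildren++] = n;
    g->nodes++;
    return n;
}

/* Walk (creating as needed) every component of dir, starting at the root. */
static struct fnode *walk_dir(struct fgraph *g, const char *dir) {
    struct fnode *cur = &g->root;
    const char *p = dir;
    while (*p) {
        while (*p == '/') p++;             /* skip separators, including "//" */
        if (!*p) break;
        const char *start = p;
        while (*p && *p != '/') p++;
        size_t len = (size_t)(p - start);
        if (len >= NAME_LEN) return NULL;
        char comp[NAME_LEN];
        memcpy(comp, start, len);
        comp[len] = '\0';
        if (!(cur = child(g, cur, comp))) return NULL;
    }
    return cur;
}

/* Insert one absolute path from a learning log; returns its leaf node, or NULL
 * for relative paths, directory paths ("/usr/bin/") and oversized names. */
static struct fnode *fgraph_insert(struct fgraph *g, const char *path) {
    if (!path || path[0] != '/') return NULL;
    const char *slash = strrchr(path, '/');
    size_t dirlen = (size_t)(slash - path);
    if (slash[1] == '\0' || strlen(slash + 1) >= NAME_LEN || dirlen >= PATH_LEN)
        return NULL;
    char dir[PATH_LEN];
    memcpy(dir, path, dirlen);
    dir[dirlen] = '\0';                    /* "" for files directly under / */
    struct fnode *parent;
    if (g->use_cache && g->cached_node && strcmp(dir, g->cached_dir) == 0) {
        g->cache_hits++;                   /* same directory as last time: no re-walk */
        parent = g->cached_node;
    } else {
        if (!(parent = walk_dir(g, dir))) return NULL;
        strcpy(g->cached_dir, dir);
        g->cached_node = parent;
    }
    struct fnode *leaf = child(g, parent, slash + 1);
    if (leaf) leaf->count++;
    return leaf;
}

static void free_children(struct fnode *n) {
    for (int i = 0; i < n->nchildren; i++) {
        free_children(n->children[i]);
        free(n->children[i]);
    }
}

/* Constructed sample of paths in the order a learning log might list them. */
static const char *sample_paths[] = {
    "/usr/bin/ls", "/usr/bin/cat", "/usr/bin/ls", "/etc/passwd",
    "/usr/bin/grep", "/lib/libc.so.6", "/lib/libc.so.6", "/etc/passwd",
};
#define NSAMPLE (sizeof sample_paths / sizeof sample_paths[0])

/* Replays the sample into a fresh graph; the caller reads g->compares etc. */
static void replay(struct fgraph *g, int use_cache) {
    memset(g, 0, sizeof *g);
    g->use_cache = use_cache;
    for (size_t i = 0; i < NSAMPLE; i++)
        fgraph_insert(g, sample_paths[i]);
}

int main(void) {
    struct fgraph plain, cached;
    replay(&plain, 0);
    replay(&cached, 1);
    printf("%lu nodes; %lu compares without cache, %lu with cache (%lu hits)\n",
           plain.nodes, plain.compares, cached.compares, cached.cache_hits);
    free_children(&plain.root);
    free_children(&cached.root);
    return 0;
}
```

On the eight sample paths the cached replay performs 13 name comparisons against 20 for the plain one, with three cache hits, and both graphs end up with the same nine nodes. The saving grows with the number of consecutive entries under one directory, which is the common shape of a learning log, while a cache miss costs nothing beyond the walk that would have happened anyway.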

Comments

Does anyone know why grsecurity.net has been unreachable for quite a few days now?

Since Saturday, and because spender screwed up the sparc64 merge (on sparc64 the PaX non-exec page part got into mainline, only he didn't notice ;-) and the kernel wouldn't boot. Supposedly the sysadmin there is rebooting it today, and also giving him new access to the remote power switch (the previous one was on the hard disk that died recently, and of course no backup, so that's why he has to wait for someone else).