Xen users - Jun 2006 - Xen with Grsecurity

Hello,

Has someone ever tried matching Xen and Grsecurity ?

It''s a security patch for the linux kernel that I really appreciate...

I could try to apply it on the Xen kernel, but I''m kinda scared that
it could break a few things.

Especially since Xen (in para-virtualization mode at least) is doing
stuff with the memory / MMU and Grsecurity as far as I know is also
doing stuff on the memory...

So I don''t know if it''s ''safe'' to use...

Any feedback would be greatly appreciated :)

Thanks a lot,

Ugo PARSI

-- 
An apple a day, keeps the doctor away

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users

Hi Ugo,
> Has someone ever tried matching Xen and Grsecurity ?
Yes. Someone posted in the grsec forums about 2 weeks ago:
http://forums.grsecurity.net/viewtopic.php?t=1490

So far, it is only working with x86_64, but the guy that got it working
is coordinating with the Xen devs about getting head-xen.S patched
correctly. There are major differences between head.S and head-xen.S.

As for working, paxtest produces good results and the grsecurity MAC
system appears to be working correctly. No one else has posted to the
forum though, so it is possible that the only people to try the patch
are myself and the guy that made the patch.

Cheers,

Brad

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users

Applying Brad''s patch directly to the kernel doesn''t work,
since Xen
then overwrites several of the patched files with it''s own versions.  

I''m working on porting Brad''s patch to Xen.  Currently only
X86-64
paravirutualized guests work.  i386 still needs a little work before it
will boot.

I have a thread on the grsecurity forums that links to the patches as
well as instructions on applying them.  The grsec forums seem to be down
right now.

Let me know if you try to use this and if you have any luck.  Also, if
you do use x86_64 and try this out, please get the paxtest suite from
the PAX team homepage and mail me the output of "paxtest blackhat".

It''s all development, so don''t use it in production anywhere!

Good luck



-----Original Message-----
From: xen-users-bounces@lists.xensource.com
[mailto:xen-users-bounces@lists.xensource.com] On Behalf Of Ugo PARSI
Sent: Thursday, June 29, 2006 4:06 PM
To: xen-users@lists.xensource.com
Subject: [Xen-users] Xen with Grsecurity

Hello,

Has someone ever tried matching Xen and Grsecurity ?

It''s a security patch for the linux kernel that I really appreciate...

I could try to apply it on the Xen kernel, but I''m kinda scared that
it could break a few things.

Especially since Xen (in para-virtualization mode at least) is doing
stuff with the memory / MMU and Grsecurity as far as I know is also
doing stuff on the memory...

So I don''t know if it''s ''safe'' to use...

Any feedback would be greatly appreciated :)

Thanks a lot,

Ugo PARSI

-- 
An apple a day, keeps the doctor away

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users