Speaking of role based access control for Linux, this is your yearly reminder that Brad Spengler/Spender/whatever he calls himself is a fucking douchenugget.
GRSecurity
I've been out of the loop on Linux security for a long time (probably a year now) but HOLY BABY JESUS I always knew Brad Spengler was a twat. https://mobile.twitter.com/marcan42/status/724745886794833920 https://mobile.twitter.com/marcan42/status/724831935818809345
Last ESK 3.14.51 Released
Today I am releasing the last ESK kernel due to the changes that were recently made by grsecurity and the PAX team. It is built upon the latest publicly available patch for kernel 3.14.51 (no longer available for download). You can grab binary builds here:
- ESK 3.14.51-pv (GPG signature) sha256: b62d82b3056fa49c0219c2dd345d24966ce21957c5744722522ec0c0f4944efa
- ESK 3.14.51-hvm (GPG signature) sha256: 388c43175bdb6c6d3a9edfac480c68a6e48dcbfd944d9280f5ccb9e57ca1a60a
Both builds are compiled using GCC 5.2 and are optimized for Ivy Bridge processors (minimum required: E5-2670 v2).
ESK 3.14.49 Released
New kernels from ESK are available today:
- ESK 3.14.49-pv (GPG signature) sha256: ac08e779e2301df42d56bd62e668d836f11b3704fb443ad26b2eb42e76a0934d
- ESK 3.14.49-hvm (GPG signature) sha256: ac30a108d61442bb72b0213ceb7afe46ec0fe97c1e61901315eff1b1fecdff50
These builds are compiled with the latest GCC 5.2 and include the most recent version of grsecurity. Also, in this release the size overflow plugin has been re-enabled.
If you wish to compile ESK yourself, here are configs for kernels for AWS ec2: pv and hvm.
Enjoy
ESK 3.14.39 for HVM and PV Released (u)
Update: I have prepared new builds (#2) with GCC 4.9 which implies use of -fstack-protector-strong for better buffer overflow protection.
New release of ESK is available for both PV and HVM virtualisation:
- ESK 3.14.39-pv2(GPG signature) sha256:bfe1da235931506a5a9f35d00d382d77eb61a39a6762822bf5cd5f0845a01b64
- ESK 3.14.39-hvm2(GPG signature) sha256:b8aa3b48e55156a3ed85f53f332e74b782d51ed4c0ac1609b442491584c93448
Among standard updates from vanilla kernel and grsecurity, in this release I have enabled support for Btrfs.

ESK 3.14.32 for HVM Released
I am pleased to announce that ESK now works with ec2 HVM virtualization. It also supports Enhanced Networking (10Gb non-blocking interface) on supported instance types; the ixgbevf driver is compiled in. This version of ESK was tested on Ubuntu and Debian images with the grub boot loader. As always, this release contains the most recent version of the grsecurity patch.
- ESK 3.14.32-HVM (GPG Signature) md5: d1b16b21f0c6c693259ac1dbc1db3fe6
Installation (based on official Debian AMI ami-61e56916):
I like grub, so let's remove extlinux (syslinux) from the system:

    apt-get remove extlinux
    cd /boot/
    chattr -i extlinux/ldlinux.sys
    rm -rf extlinux
    dd if=/dev/zero of=/dev/sda bs=440 count=1

Now install grub:

    apt-get update
    apt-get install grub-pc grub-pc-bin grub-legacy-ec2   # answer "no" to /dev/sda, "yes" to xvda
    # Alternative, or when grub is already there:
    grub-install --recheck --force /dev/xvda

And finally install ESK for HVM:

    cd /boot/
    wget http://download.onefellow.com/esk/vmlinuz-3.14.32-grsec-esk-hvm.tar.gz   # always check for signature!
    tar -zxvf vmlinuz-3.14.32-grsec-esk-hvm.tar.gz
    rm vmlinuz-3.14.32-grsec-esk-hvm.tar.gz
    update-grub2
    reboot -t now

That's it. I was trying to keep the kernel config as minimal as possible and yet support some nice features; you can always strip it down a bit if you don't need some of its features. Kernel config for ec2 hvm can be downloaded here: config-3.14.32-grsec-esk-hvm.
Important bonus: Since we now need to use grub stuff on hvm, we have to fix the grub utils. Unfortunately PAX will not allow us to run them without modifying some headers. You have to install the paxctl tool (from repo or PAX team website) and issue the following commands:

    paxctl -Cpemrxs /usr/sbin/grub-probe
    paxctl -Cpemrxs /usr/sbin/grub-mkdevicemap
    paxctl -Cpemrxs /usr/sbin/grub-setup
    paxctl -Cpermxs /usr/bin/grub-script-check

Voila. Note that this disables PAX features on those binaries.
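The install steps above fetch the kernel archive over plain HTTP and unpack it straight into /boot, so the "always check for signature" step is the one that matters. The following is an added example, not part of the original post: the function names `verify_digest` and `safe_unpack` are hypothetical, and the GPG step assumes the publisher's key has already been imported and its fingerprint confirmed through a separate channel.

```shell
#!/bin/sh
# Added example: verify a downloaded archive, then unpack it.

# verify_digest FILE HEX -> 0 match, 1 mismatch, 2 unusable input.
# Tool is chosen by digest length: 32 hex chars = md5, 64 = sha256.
verify_digest() {
    file=$1
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    case $want in
        ''|*[!0-9a-f]*) echo "digest is not hex" >&2; return 2 ;;
    esac
    case ${#want} in
        32) tool=md5sum ;;      # collision-prone; rely on the signature
        64) tool=sha256sum ;;
        *)  echo "unsupported digest length ${#want}" >&2; return 2 ;;
    esac
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }
    got=$("$tool" "$file" | cut -d' ' -f1)
    [ "$got" = "$want" ] && return 0
    echo "digest mismatch for $file" >&2
    return 1
}

# safe_unpack ARCHIVE HEX DESTDIR [SIGFILE]
# Extracts only after the digest (and, if given, the detached GPG
# signature) checks out and no member path escapes DESTDIR.
safe_unpack() {
    archive=$1; dest=$3; sig=${4:-}
    verify_digest "$archive" "$2" || return 1
    if [ -n "$sig" ]; then
        # Assumes the publisher's key is already imported and trusted.
        gpg --verify "$sig" "$archive" || return 1
    fi
    if tar -tzf "$archive" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        echo "unsafe member path in $archive" >&2
        return 1
    fi
    tar -xzf "$archive" -C "$dest"
}
```

A digest published on the same page as the download only catches corruption or a tampered mirror; the detached signature is what ties the archive to the publisher's key.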
18 December 2014
RBAC policies all set up! grsecurity's learning mode is quite excellent, and the policies themselves are in a very understandable format. I'm now running firefox outside of a VM, because running it inside a VM had mediocre performance (which I am willing to put up with) and miserable CPU usage/battery life even when idle, which I am not willing to put up with. I set its policy so that it can't touch any files outside of ~/Downloads and its profile/cache directories (~/.mozilla). I'm still worried about graphics-stack related attacks, so I've set webgl.disabled to true, which closes up web-accessible GL. I refuse to install Java on the root OS, and proprietary software such as Flash is obviously out. Chromium has more strict sandboxing etc. than Firefox, but Firefox is still improving on that front, and I prefer it. Maybe soon I can use Servo as my day-to-day browser...
Updating plans available too, to ensure you stay with the latest code over time. Test driving the single, 'no update', package thanks to a free coupon from spender.