Re: [RFC][PATCH} 2.6 and grsecurity

[Valdis . Kletnieks]

On Mon, 16 Feb 2004 18:15:46 PST, Chris Wright said:
> * Valdis.Kletnieks@xxxxxx (Valdis.Kletnieks@xxxxxx) wrote:
> > Here's the patch, versioned against 2.6.3-rc3-mm1. Comments?
> 
> Aside of the dubious security value...the typical no #ifdefs apply here.

Agreed - the only one that seems at all a *big* win is randomizing PID's
(and even there it probably should default a higher value for pid_max to
increase the search space).  But as long as I was looking at it anyhow.. :)

> 
> > +#ifdef CONFIG_SECURITY_RANDID
> > +	if (security_enable_randid)
> > +		id = ip_randomid();
> > +	else
> > +#endif
> 
> e.g. move the ifdef to header and move the if(enable) bit to ip_randomid().
> ditto for all similar cases below.  it's not clear to me these are
> particularly useful features though.

OK.. I can do that easily enough - only reason I didn't was because that would
force the inclusion of ip_randomid() and the corresponding call even when the
feature wasn't selected, making it more intrusive (the 'else' clause is also the
"when not configured at all" code - moving the whole if/then/else to another
function was more intrusive, to my thinking..)

> 
> > + * 3. All advertising materials mentioning features or use of this softwar
e
> > + *    must display the following acknowledgement:
> > + *    This product includes software developed by Niels Provos.
> 
> Advertsing clause...this is not GPL compatible.

Thanks for spotting that.  It's the same way in grsecurity's patch - do they
have an issue as well?  Or they OK because they're only doing a separately
distributed patch?

Attachment: pgp00000.pgp
Description: PGP signature