Re: [RFC][PATCH} 2.6 and grsecurity

From: Valdis . Kletnieks
Date: Mon Feb 16 2004 - 21:39:07 EST


On Mon, 16 Feb 2004 18:15:46 PST, Chris Wright said:
> * Valdis.Kletnieks@xxxxxx (Valdis.Kletnieks@xxxxxx) wrote:
> > Here's the patch, versioned against 2.6.3-rc3-mm1. Comments?
>
> Aside of the dubious security value...the typical no #ifdefs apply here.

Agreed - the only one that seems at all a *big* win is randomizing PIDs
(and even there it probably should default to a higher value for pid_max to
increase the search space). But as long as I was looking at it anyhow.. :)

>
> > +#ifdef CONFIG_SECURITY_RANDID
> > + if (security_enable_randid)
> > + id = ip_randomid();
> > + else
> > +#endif
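
Review bot: the `else` placed just before `#endif` leaves a dangling branch whose body is whatever statement follows the `#endif`, so the meaning of that following line depends on whether CONFIG_SECURITY_RANDID is set, and a line later inserted between the two would silently change which statement is conditional. Consider keeping the call site free of preprocessor conditionals: put the `#ifdef` in a header that declares ip_randomid() for the configured case and a static inline fallback for the unconfigured one, and do the security_enable_randid test inside the function rather than at each caller.
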
>
> e.g. move the ifdef to header and move the if(enable) bit to ip_randomid().
> ditto for all similar cases below. it's not clear to me these are
> particularly useful features though.

OK.. I can do that easily enough - only reason I didn't was because that would
force the inclusion of ip_randomid() and the corresponding call even when the
feature wasn't selected, making it more intrusive (the 'else' clause is also the
"when not configured at all" code - moving the whole if/then/else to another
function was more intrusive, to my thinking..)

>
> > + * 3. All advertising materials mentioning features or use of this softwar
e
> > + * must display the following acknowledgement:
> > + * This product includes software developed by Niels Provos.
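
Review bot: clause 3 of this added license header ("must display the following acknowledgement") is an advertising requirement, which is an additional restriction that the GPL does not permit, so a file carrying it cannot go into a GPL-licensed tree as is. Before resubmitting, either obtain the code from its copyright holder under terms without clause 3 or replace it with an implementation that carries no such clause.
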
>
> Advertising clause...this is not GPL compatible.

Thanks for spotting that. It's the same way in grsecurity's patch - do they
have an issue as well? Or are they OK because they're only doing a separately
distributed patch?
