Fix several vulnerabilities.

[theLOICofFRANCE]

Hi @minipli ,

I don't know where you are and if you still intend to continue here.

So I send a commit of despair ^^

[miroR]

Thanks, HacKurx, for your efforts.

But I'm curious if anything might be ready for testing, given that I can't really survey the code, yet (if ever)?

I also feel a bit of compunction, for the bad look that all my bugs gave... Nothing wrong, me having reported all the issues that I had --with that one particular system only, of some 3-4 systems that I still use daily or so...--

I'm asking because a signficant fraction of the issues I believe were caused by heat (as minipli claimed --and I'll try and find where and when exactly--), and I found that out when my suspicion that the proc was overheating finally grew large enough to dismantle the entire machine, take out the proc, wipe the cooling paste away with alcohol --nothing showed to be improperly placed, no excess paste to see, no areas not covered with paste-- and to thin-spread it anew on the bottom of the cooler and reassemble the machine.

Nothing was wrong with the cooling paste two years and now a few months ago when I installed the then new cooler, but obviously --by conclusion: same paste now --from the same tube--, and cools perfectly!-- gradually it lost the capacity to cool, too gradually for me to notice properly and timely...

Maybe up to one half, maybe up to more than one half of the issues that I had there were due to heat... So I thought, if there is anything to test from minipli's repo, to bring back justice to his efforts...

Now, let me try and tell exactly when I found out, i.e. when through dismatling and re-spreading --from the same tube-- the cooling paste and reassembling the machine, I figured that out... I need to browse this repo, to tell you...

I'm sorry I postponed telling this, I did have other things on my hands...

(And while I'd be even less comfortable with all the security holes in the stock kernel, I'm also not very comfortable with no Spectre/Meltdown protection either, in the still-much-less-bugs-in-that-machine-of-mine dappersec kernel... And so I prepare offline the text for posting... Also given that I wasn't able to recompile Pale Moon yet:
Building Pale Moon on Devuan fails 2
https://forum.palemoon.org/viewtopic.php?f=37&t=19763
)

[miroR]

I explained in:
fput unable to handle kernel paging request at ffffffbfa02c6430
#19 (comment)
that @minipli voiced the correct suspicion about a fault which, when mended --as I did; explained in the previous post-- makes maybe 1/2 of the bugs that I reported --on that system only of the 3-4 systems that I use all daily or so-- maybe even more of them, disappear...

[miroR]

Sorry, I tried, but I can find when was it that I promised to report that overheating issue solved... However, it was around one month ago now...

[theLOICofFRANCE]

@miroR

Sorry, I tried, but I can find when was it that I promised to report that overheating issue solved... However, it was around one month ago now...

Sorry but you can't expect us to solve your problems because we have more important things to solve.

[TerraTech]

FWIW - if this is now a LTS type kernel, I'd really like to see @HacKurx patches reviewed by @minipli and pulled in proper.

@HacKurx have there been any stability issues with your fork? If not, I may switch over to yours until this is pulled in.

[theLOICofFRANCE]

@TerraTech

have there been any stability issues with your fork?

There shouldn't be any, but it's become less secure than the last kernel upstream.
I advise you more while waiting to use the latest version of the linux kernel configured with this tool:
https://github.com/a13xp0p0v/kconfig-hardened-check

and with this patch:
https://github.com/anthraxx/linux-hardened

Soon you can compile with :
make hardenedExtremeconfig

@TerraTech @miroR
Can you tell me which options you miss the most? (3 answers maximum)

[miroR]

@HacKurx wrote:

Can you tell me which options you miss the most?

It's hard to tell. I need to study those links in detail... (time...)
But I'd say dappersec is still safer than the stock Debian kernel.
See what the kconfig-hardened-check says about 4.9.122:
http://forums.debian.net/viewtopic.php?f=16&t=108616&p=679388#p679387
and about 4.16.0-2-amd64 (Debian latest):
http://forums.debian.net/viewtopic.php?f=16&t=108616&p=679388#p679388

Regards!

[miroR]

@HacKurx, who wrote:
Can you tell me which options you miss the most? (3 answers maximum)

I thought about it:

exec_logging
audit_chdir
RBAC (above all)

[theLOICofFRANCE]

@miroR

exec_logging
audit_chdir

It is possible to do this.

RBAC (above all)

Complicated and no one will want to maintain it in the long term.
It's a pity that Spender isn't keeping this away for the public. I don't see the current interest in letting Gradm at free access....

So It is better to consider for replacement with RSBAC (latest version) or SElinux.

[miroR]

First, from the #30 (comment)
one month and a half old comment of yours:
https://github.com/a13xp0p0v/kconfig-hardened-check
I now compile easily the KSPP kernel, and get it down to 9 failing/missing settings only...
Thanks for a quick actionable advice... Sad to leave grsec, but spender and pipacs seem to have no interest to just give us a boost with the Meltdown and Spectre patches, and it would still be viable... It's not anymore without those...
Second, great if somebody gets exec_logging and audit_chdit into KSPP like you suggest can be done!
And third, I suppose, Gradm without the original authors is unlikely to happen...
https://www.rsbac.org/ will likely be my way to go...
Regards!

[theLOICofFRANCE]

@miroR

I thought about it:

exec_logging

Here is then: 4b7c121

if you want to recover more equivalents: issue-408532627

Best regards,