Features Download

From: Brad Spengler <spender-JNS0hek0TMl4qEwOxq4T+Q <at> public.gmane.org>
Subject: New (final?) grsecurity release and important announcement
Newsgroups: gmane.linux.kernel.grsecurity
Date: Saturday 27th December 2008 23:21:27 UTC (over 10 years ago)
Hi all,

grsecurity 2.1.12 has been released for the 2.4.37 and 
versions of the Linux kernel. Changes since 2.1.11 include numerous 
bugfixes to both grsecurity and PaX. Support for capabilities introduced 
in newer 2.6 kernels has been added to the RBAC system. A case where 
incorrect subject flags were used in policies generated from learning 
has been corrected. Handling of corner cases in vma mirroring has been 
improved. A new feature has been added to PaX in the 2.6 patch: 
PAX_REFCOUNT. This new feature prevents the exploitation of most 
reference count overflow vulnerabilities in the kernel. The feature 
exists for both 32 and 64-bit x86 platforms and is enabled in the medium 
and high security settings of grsecurity. Sanity checking has been added 
at build time for grsecurity to detect too-common misconfigurations of 
PaX we've seen mentioned on the forums. A kernel command line parameter, 
"pax_nouderef" has been added to selectively disable PaX's UDEREF 
feature at boot time.

Requirements/Known Issues:

    * Binutils 2.18 is required for this release, as older versions are 
      incompatible with PaX. This requirement is enforced at build time.
    * PaX, even when completely disabled, is incompatible with a 
      VirtualBox/VMWare host (it can still be used on a guest OS). The 
      source of the incompatibility is not yet known.
    * ATI binary video drivers trigger the UDEREF protection. Whether an 
      exploitable scenario exists within the driver has not been 

Due to the current economic situation, grsecurity recently lost its 
primary sponsor. After discussing the situation for some time with the 
PaX team, I have come to two scenarios for the future of the project. If 
within the next few months I can find one or more sponsors to get the 
project back to its previous level of sponsorship, I'll continue 
development on the project and keep up to date with the latest kernels 
as I've done in the past. If I am unable to find anyone interested in 
sponsoring the project, development and availability of the software 
will end on March 31st. Further public development of PaX will be 

Sponsoring grsecurity has many benefits:

    * I will personally respond to any support requests (you can call me 
      if you wish)
    * You are able to make feature requests to improve the usefulness of 
      grsecurity to your organization
      Some examples of RBAC features written through this offer included 
      hostname support, invertedsocket policies, virtual interface 
      support, and PAM authentication support
    * Upon request, I will review your RBAC policy and report 
      vulnerabilities or make suggestions
    * A logo and a link to your organization will be listed on the 
      sponsors page
    * Helping continue a project with a circle of influence far outside 
      its own userbase

To illustrate this last point, we've put together a graph that shows how 
grsecurity and PaX have influenced security system implementations in 
nearly every mainstream operating system. Over the past eight years of 
our existence, we have not only managed to stay relevant to the current 
state of an ever-evolving industry, but have advanced the state of the 
art and provided real security based on results and not what was most 
commercially profitable. The graph is available at:

I'd like to thank all sponsors of grsecurity, past and present, for 
their help in continuing an important project.

To discuss possible sponsorship, please contact me at 
spender-JNS0hek0TMkt4z/[email protected]

CD: 376ms