[ubuntu-hardened] Probably not in time for Hardy, but just maybe...
Jeff Schroeder
jeffschroed at gmail.com
Thu Mar 27 23:27:58 GMT 2008
On Thu, Mar 27, 2008 at 3:58 PM, Kees Cook <kees at ubuntu.com> wrote:
> On Thu, Mar 27, 2008 at 03:44:25PM -0700, Jeff Schroeder wrote:
> > A little security never hurt anyone. If memory serves, these make ASLR
> > pretty much complete in Linux. Now you don't need to use PaX for ASLR
> > anymore.
> >
> > http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=cc503c1b43e002e3f1fed70f46d947e2bf349bb6
>
> This is already in Hardy[1] -- I made sure of it. Note that to use it,
> you need to have a PIE-compiled application to start with (same was true
> for PaX). We don't have a lot of those, but we do have some in Hardy
> (ssh and dbus, AFAIR).
>
>
> > http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=c1d171a002942ea2d93b4fbd0c9583c56fce0772
>
> This would have been nice to have, except that Jiri already went several
> rounds with the PIE patches (for which I was doing testing) that had
> various regressions, that I didn't want to introduce the brk offset
> randomization too. This will be in intrepid though, and hopefully with
> PIE builds by default we'll be totally done. :):)
>
> -Kees
>
> [1] http://www.outflux.net/blog/archives/2008/01/15/full-aslr-in-hardy/
>
Even better!
Is there a sane way to get the compile flags without having every
single source archive in the repository to see what is PIE and whats
not?
Is avahi on that list? Even with a chroot, it worries me that it is
installed and listening by default.
--
Jeff Schroeder
Don't drink and derive, alcohol and analysis don't mix.
http://www.digitalprognosis.com
More information about the ubuntu-hardened
mailing list