* [kernel-hardening] Getting started @ 2017-01-29 18:43 Eddie Kovsky 2017-01-30 13:41 ` Vaishali Thakkar 0 siblings, 1 reply; 9+ messages in thread From: Eddie Kovsky @ 2017-01-29 18:43 UTC (permalink / raw) To: kernel-hardening Hi I'm interested in helping out with this project. I have a few small patches in the kernel. I just finished the Eudyptula Challenge and I'm looking for places where I can continue to contribute. I've been reading the list for several months now. I think I have a general understanding of the development process. Is there a specific TODO item I could start off with? Eddie ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [kernel-hardening] Getting started 2017-01-29 18:43 [kernel-hardening] Getting started Eddie Kovsky @ 2017-01-30 13:41 ` Vaishali Thakkar 2017-01-30 21:44 ` Kees Cook 0 siblings, 1 reply; 9+ messages in thread From: Vaishali Thakkar @ 2017-01-30 13:41 UTC (permalink / raw) To: Eddie Kovsky, kernel-hardening On Monday 30 January 2017 12:13 AM, Eddie Kovsky wrote: > Hi Hi, > I'm interested in helping out with this project. > > I have a few small patches in the kernel. I just finished the Eudyptula > Challenge and I'm looking for places where I can continue to contribute. > > I've been reading the list for several months now. I think I have a general > understanding of the development process. Is there a specific TODO item I > could start off with? Here, is one TODO list: https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project Although I think few people are already working on some of these things. May be you can also check the archives of a mailing list. > Eddie > ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [kernel-hardening] Getting started 2017-01-30 13:41 ` Vaishali Thakkar @ 2017-01-30 21:44 ` Kees Cook 2017-02-03 3:11 ` Eddie Kovsky 2017-02-09 7:06 ` Djalal Harouni 0 siblings, 2 replies; 9+ messages in thread From: Kees Cook @ 2017-01-30 21:44 UTC (permalink / raw) To: Vaishali Thakkar; +Cc: Eddie Kovsky, kernel-hardening On Mon, Jan 30, 2017 at 5:41 AM, Vaishali Thakkar <vaishali.thakkar@oracle.com> wrote: > On Monday 30 January 2017 12:13 AM, Eddie Kovsky wrote: >> >> Hi > > > Hi, > >> I'm interested in helping out with this project. >> >> I have a few small patches in the kernel. I just finished the Eudyptula >> Challenge and I'm looking for places where I can continue to contribute. Hi! Welcome to the list. :) >> I've been reading the list for several months now. I think I have a >> general >> understanding of the development process. Is there a specific TODO item I >> could start off with? What areas of the kernel are you the most familiar with, and/or what things are you interested in working on? That could help me tailor some suggestions. > Here, is one TODO list: > > https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project > > Although I think few people are already working on some of these things. > May be you can also check the archives of a mailing list. The list is a bit terse (it's mostly been a brain dump as things come up), but yeah, if you see something there and want to know more, just ask. I'm happy to expand on any of them. Thanks! -Kees -- Kees Cook Pixel Security ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [kernel-hardening] Getting started 2017-01-30 21:44 ` Kees Cook @ 2017-02-03 3:11 ` Eddie Kovsky 2017-02-03 4:28 ` Vaishali Thakkar 2017-02-09 7:06 ` Djalal Harouni 1 sibling, 1 reply; 9+ messages in thread From: Eddie Kovsky @ 2017-02-03 3:11 UTC (permalink / raw) To: Kees Cook; +Cc: Vaishali Thakkar, kernel-hardening On 01/30/17, Kees Cook wrote: > On Mon, Jan 30, 2017 at 5:41 AM, Vaishali Thakkar > <vaishali.thakkar@oracle.com> wrote: > > On Monday 30 January 2017 12:13 AM, Eddie Kovsky wrote: > > > >> I'm interested in helping out with this project. > >> > >> I have a few small patches in the kernel. I just finished the Eudyptula > >> Challenge and I'm looking for places where I can continue to contribute. > > Hi! Welcome to the list. :) > > >> I've been reading the list for several months now. I think I have a > >> general > >> understanding of the development process. Is there a specific TODO item I > >> could start off with? > > What areas of the kernel are you the most familiar with, and/or what > things are you interested in working on? That could help me tailor > some suggestions. > > > Here, is one TODO list: > > > > https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project > > > > Although I think few people are already working on some of these things. > > May be you can also check the archives of a mailing list. > > The list is a bit terse (it's mostly been a brain dump as things come > up), but yeah, if you see something there and want to know more, just > ask. I'm happy to expand on any of them. > I noticed there's been some activity recently with HARDENED_USERCOPY. And I looked over how mm/usercopy.c was merged in from the grsecurity patch. I'm curious about this TODO item: Identify and extend HARDENED_USERCOPY to other usercopy functions (e.g. maybe csum_partial_copy_from_user, csum_and_copy_from_user, csum_and_copy_to_user, csum_partial_copy_nocheck?) It doesn't look like anyone is working on this task right now. But it's not obvious (to me) what needs to happen to make progress with this. Would this be a good task to start off with? Thanks Eddie > Thanks! > > -Kees > > -- > Kees Cook > Pixel Security ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [kernel-hardening] Getting started 2017-02-03 3:11 ` Eddie Kovsky @ 2017-02-03 4:28 ` Vaishali Thakkar 2017-02-04 0:13 ` Kees Cook 0 siblings, 1 reply; 9+ messages in thread From: Vaishali Thakkar @ 2017-02-03 4:28 UTC (permalink / raw) To: Eddie Kovsky, Kees Cook; +Cc: kernel-hardening On Friday 03 February 2017 08:41 AM, Eddie Kovsky wrote: > On 01/30/17, Kees Cook wrote: >> On Mon, Jan 30, 2017 at 5:41 AM, Vaishali Thakkar >> <vaishali.thakkar@oracle.com> wrote: >>> On Monday 30 January 2017 12:13 AM, Eddie Kovsky wrote: >>> >>>> I'm interested in helping out with this project. >>>> >>>> I have a few small patches in the kernel. I just finished the Eudyptula >>>> Challenge and I'm looking for places where I can continue to contribute. >> >> Hi! Welcome to the list. :) >> >>>> I've been reading the list for several months now. I think I have a >>>> general >>>> understanding of the development process. Is there a specific TODO item I >>>> could start off with? >> >> What areas of the kernel are you the most familiar with, and/or what >> things are you interested in working on? That could help me tailor >> some suggestions. >> >>> Here, is one TODO list: >>> >>> https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project >>> >>> Although I think few people are already working on some of these things. >>> May be you can also check the archives of a mailing list. >> >> The list is a bit terse (it's mostly been a brain dump as things come >> up), but yeah, if you see something there and want to know more, just >> ask. I'm happy to expand on any of them. >> > > I noticed there's been some activity recently with HARDENED_USERCOPY. > And I looked over how mm/usercopy.c was merged in from the grsecurity > patch. I'm curious about this TODO item: > > Identify and extend HARDENED_USERCOPY to other usercopy functions > (e.g. maybe csum_partial_copy_from_user, csum_and_copy_from_user, > csum_and_copy_to_user, csum_partial_copy_nocheck?) > > It doesn't look like anyone is working on this task right now. But it's not > obvious (to me) what needs to happen to make progress with this. Would this > be a good task to start off with? Hi, You may want to read this thread: https://patchwork.kernel.org/patch/9409557/ Kees, may be we should remove this item from the TODO list? > Thanks > > Eddie > >> Thanks! >> >> -Kees >> >> -- >> Kees Cook >> Pixel Security ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [kernel-hardening] Getting started 2017-02-03 4:28 ` Vaishali Thakkar @ 2017-02-04 0:13 ` Kees Cook 2017-02-05 17:23 ` Vaishali Thakkar 0 siblings, 1 reply; 9+ messages in thread From: Kees Cook @ 2017-02-04 0:13 UTC (permalink / raw) To: Vaishali Thakkar; +Cc: Eddie Kovsky, kernel-hardening On Thu, Feb 2, 2017 at 8:28 PM, Vaishali Thakkar <vaishali.thakkar@oracle.com> wrote: > On Friday 03 February 2017 08:41 AM, Eddie Kovsky wrote: >> >> On 01/30/17, Kees Cook wrote: >>> >>> On Mon, Jan 30, 2017 at 5:41 AM, Vaishali Thakkar >>> <vaishali.thakkar@oracle.com> wrote: >>>> >>>> On Monday 30 January 2017 12:13 AM, Eddie Kovsky wrote: >>>> >>>>> I'm interested in helping out with this project. >>>>> >>>>> I have a few small patches in the kernel. I just finished the Eudyptula >>>>> Challenge and I'm looking for places where I can continue to >>>>> contribute. >>> >>> >>> Hi! Welcome to the list. :) >>> >>>>> I've been reading the list for several months now. I think I have a >>>>> general >>>>> understanding of the development process. Is there a specific TODO item >>>>> I >>>>> could start off with? >>> >>> >>> What areas of the kernel are you the most familiar with, and/or what >>> things are you interested in working on? That could help me tailor >>> some suggestions. >>> >>>> Here, is one TODO list: >>>> >>>> https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project >>>> >>>> Although I think few people are already working on some of these things. >>>> May be you can also check the archives of a mailing list. >>> >>> >>> The list is a bit terse (it's mostly been a brain dump as things come >>> up), but yeah, if you see something there and want to know more, just >>> ask. I'm happy to expand on any of them. >>> >> >> I noticed there's been some activity recently with HARDENED_USERCOPY. >> And I looked over how mm/usercopy.c was merged in from the grsecurity >> patch. I'm curious about this TODO item: >> >> Identify and extend HARDENED_USERCOPY to other usercopy functions >> (e.g. maybe csum_partial_copy_from_user, csum_and_copy_from_user, >> csum_and_copy_to_user, csum_partial_copy_nocheck?) >> >> It doesn't look like anyone is working on this task right now. But it's >> not >> obvious (to me) what needs to happen to make progress with this. Would >> this >> be a good task to start off with? > > > Hi, > > You may want to read this thread: > https://patchwork.kernel.org/patch/9409557/ > > Kees, may be we should remove this item from the TODO list? Hm, yeah, or rename it to "find any other APIs that look like copy_to/from_user()". I think Mark already looked through these. Were there any remaining? As for a thing to work about how about this: - provide mechanism to check for ro_after_init memory areas, and reject structures not marked ro_after_init in vmbus_register() The idea here would be to provide a mechanism functions can call to verify that their arguments are const or ro_after_init. I think it'd look a lot like the stuff in kernel/extable.c like kernel_text_address(), but it'd need to ask "is this variable in the rodata section? (Which is complicated by dealing with module rodata sections.) Then vmbus_register() could be modified to require that its arguments are const or ro_after_init. -Kees -- Kees Cook Pixel Security ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [kernel-hardening] Getting started 2017-02-04 0:13 ` Kees Cook @ 2017-02-05 17:23 ` Vaishali Thakkar 0 siblings, 0 replies; 9+ messages in thread From: Vaishali Thakkar @ 2017-02-05 17:23 UTC (permalink / raw) To: Kees Cook; +Cc: Eddie Kovsky, kernel-hardening On Saturday 04 February 2017 05:43 AM, Kees Cook wrote: > On Thu, Feb 2, 2017 at 8:28 PM, Vaishali Thakkar > <vaishali.thakkar@oracle.com> wrote: >> On Friday 03 February 2017 08:41 AM, Eddie Kovsky wrote: >>> >>> On 01/30/17, Kees Cook wrote: >>>> >>>> On Mon, Jan 30, 2017 at 5:41 AM, Vaishali Thakkar >>>> <vaishali.thakkar@oracle.com> wrote: >>>>> >>>>> On Monday 30 January 2017 12:13 AM, Eddie Kovsky wrote: >>>>> >>>>>> I'm interested in helping out with this project. >>>>>> >>>>>> I have a few small patches in the kernel. I just finished the Eudyptula >>>>>> Challenge and I'm looking for places where I can continue to >>>>>> contribute. >>>> >>>> >>>> Hi! Welcome to the list. :) >>>> >>>>>> I've been reading the list for several months now. I think I have a >>>>>> general >>>>>> understanding of the development process. Is there a specific TODO item >>>>>> I >>>>>> could start off with? >>>> >>>> >>>> What areas of the kernel are you the most familiar with, and/or what >>>> things are you interested in working on? That could help me tailor >>>> some suggestions. >>>> >>>>> Here, is one TODO list: >>>>> >>>>> https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project >>>>> >>>>> Although I think few people are already working on some of these things. >>>>> May be you can also check the archives of a mailing list. >>>> >>>> >>>> The list is a bit terse (it's mostly been a brain dump as things come >>>> up), but yeah, if you see something there and want to know more, just >>>> ask. I'm happy to expand on any of them. >>>> >>> >>> I noticed there's been some activity recently with HARDENED_USERCOPY. >>> And I looked over how mm/usercopy.c was merged in from the grsecurity >>> patch. I'm curious about this TODO item: >>> >>> Identify and extend HARDENED_USERCOPY to other usercopy functions >>> (e.g. maybe csum_partial_copy_from_user, csum_and_copy_from_user, >>> csum_and_copy_to_user, csum_partial_copy_nocheck?) >>> >>> It doesn't look like anyone is working on this task right now. But it's >>> not >>> obvious (to me) what needs to happen to make progress with this. Would >>> this >>> be a good task to start off with? >> >> >> Hi, >> >> You may want to read this thread: >> https://patchwork.kernel.org/patch/9409557/ >> >> Kees, may be we should remove this item from the TODO list? > > Hm, yeah, or rename it to "find any other APIs that look like > copy_to/from_user()". I think Mark already looked through these. Were > there any remaining? AFAIK, no. May be get_user, put_user. But I guess it makes sense to change them after uaccess unification work. Previously I found few API functions but they were eventually calling copy_from_user. > As for a thing to work about how about this: > - provide mechanism to check for ro_after_init memory areas, and > reject structures not marked ro_after_init in vmbus_register() > > The idea here would be to provide a mechanism functions can call to > verify that their arguments are const or ro_after_init. I think it'd > look a lot like the stuff in kernel/extable.c like > kernel_text_address(), but it'd need to ask "is this variable in the > rodata section? (Which is complicated by dealing with module rodata > sections.) > > Then vmbus_register() could be modified to require that its arguments > are const or ro_after_init. > > -Kees > ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [kernel-hardening] Getting started 2017-01-30 21:44 ` Kees Cook 2017-02-03 3:11 ` Eddie Kovsky @ 2017-02-09 7:06 ` Djalal Harouni 2017-02-10 23:55 ` Kees Cook 1 sibling, 1 reply; 9+ messages in thread From: Djalal Harouni @ 2017-02-09 7:06 UTC (permalink / raw) To: Kees Cook; +Cc: Vaishali Thakkar, Eddie Kovsky, kernel-hardening On Mon, Jan 30, 2017 at 10:44 PM, Kees Cook <keescook@chromium.org> wrote: > On Mon, Jan 30, 2017 at 5:41 AM, Vaishali Thakkar > <vaishali.thakkar@oracle.com> wrote: >> On Monday 30 January 2017 12:13 AM, Eddie Kovsky wrote: >>> >>> Hi >> >> >> Hi, >> >>> I'm interested in helping out with this project. >>> >>> I have a few small patches in the kernel. I just finished the Eudyptula >>> Challenge and I'm looking for places where I can continue to contribute. > > Hi! Welcome to the list. :) > >>> I've been reading the list for several months now. I think I have a >>> general >>> understanding of the development process. Is there a specific TODO item I >>> could start off with? > > What areas of the kernel are you the most familiar with, and/or what > things are you interested in working on? That could help me tailor > some suggestions. > >> Here, is one TODO list: >> >> https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project >> >> Although I think few people are already working on some of these things. >> May be you can also check the archives of a mailing list. > > The list is a bit terse (it's mostly been a brain dump as things come > up), but yeah, if you see something there and want to know more, just > ask. I'm happy to expand on any of them. In that context, could you please Kees update the kernsec.org wiki about GRKERNSEC_MODHARDEN and Timgad module [1] (name may change...), the proposed solution supports both a global sysctl and a per processes/container settings. Thank you! [1] http://www.openwall.com/lists/kernel-hardening/2017/02/02/21 -- tixxdz ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [kernel-hardening] Getting started 2017-02-09 7:06 ` Djalal Harouni @ 2017-02-10 23:55 ` Kees Cook 0 siblings, 0 replies; 9+ messages in thread From: Kees Cook @ 2017-02-10 23:55 UTC (permalink / raw) To: Djalal Harouni; +Cc: Vaishali Thakkar, Eddie Kovsky, kernel-hardening On Wed, Feb 8, 2017 at 11:06 PM, Djalal Harouni <tixxdz@gmail.com> wrote: > On Mon, Jan 30, 2017 at 10:44 PM, Kees Cook <keescook@chromium.org> wrote: >> On Mon, Jan 30, 2017 at 5:41 AM, Vaishali Thakkar >> <vaishali.thakkar@oracle.com> wrote: >>> On Monday 30 January 2017 12:13 AM, Eddie Kovsky wrote: >>>> >>>> Hi >>> >>> >>> Hi, >>> >>>> I'm interested in helping out with this project. >>>> >>>> I have a few small patches in the kernel. I just finished the Eudyptula >>>> Challenge and I'm looking for places where I can continue to contribute. >> >> Hi! Welcome to the list. :) >> >>>> I've been reading the list for several months now. I think I have a >>>> general >>>> understanding of the development process. Is there a specific TODO item I >>>> could start off with? >> >> What areas of the kernel are you the most familiar with, and/or what >> things are you interested in working on? That could help me tailor >> some suggestions. >> >>> Here, is one TODO list: >>> >>> https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project >>> >>> Although I think few people are already working on some of these things. >>> May be you can also check the archives of a mailing list. >> >> The list is a bit terse (it's mostly been a brain dump as things come >> up), but yeah, if you see something there and want to know more, just >> ask. I'm happy to expand on any of them. > > In that context, could you please Kees update the kernsec.org wiki > about GRKERNSEC_MODHARDEN and Timgad module [1] (name may change...), > the proposed solution supports both a global sysctl and a per > processes/container settings. > > Thank you! > > [1] http://www.openwall.com/lists/kernel-hardening/2017/02/02/21 Sure! I added it to the TODO items list, since it doesn't overlap well with the existing Bug/Exploit categories. Thanks! -Kees -- Kees Cook Pixel Security ^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2017-02-10 23:55 UTC | newest] Thread overview: 9+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2017-01-29 18:43 [kernel-hardening] Getting started Eddie Kovsky 2017-01-30 13:41 ` Vaishali Thakkar 2017-01-30 21:44 ` Kees Cook 2017-02-03 3:11 ` Eddie Kovsky 2017-02-03 4:28 ` Vaishali Thakkar 2017-02-04 0:13 ` Kees Cook 2017-02-05 17:23 ` Vaishali Thakkar 2017-02-09 7:06 ` Djalal Harouni 2017-02-10 23:55 ` Kees Cook
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.