Category Archives: Notices

My online “office hours”

I am mentoring the “develop a kpatch delivery mechanism” project for the CentOS Google Summer of Code (GSoC). Per my recent “office hours” email to the CentOS GSoC, I’ll be online from 10pm to 11pm US Mountain time on weekdays in the #centos-gsoc and #centos-devel chat rooms on irc.freenode.net.

I’ve decided that I’ll keep these hours even after the project ends. If anyone wants to get in touch with me outside of email, just drop me a chat during those hours. My username is cormander.

tpe-lkm version 1.1.0 released

A few weeks ago I got an email that tpe-lkm didn’t build on EL7. To be honest, I didn’t even know that EL7 had been released; I’ve been so disconnected from things outside of family and work the past few years.

Anyway, I got back to work and now everything is nice and ready for release. You can download it from the tpe-lkm github project page. It has a few new features as well.

Happy TPE’ing!

tpe-lkm version 1.0.3 released

I’ve started to version my tpe-lkm project as it’s stable now, and today I released version 1.0.3. You can download the files from sourceforge.net or from github. This release contains some code cleanup, and a few bug fixes.

As for the meaning of the version number, the 3rd # is for bugfixes, the 2nd # is for when new features are added, and if I ever increment the first #, it’ll be a major rewrite of the code. I may do that some day.

Anyway, happy TPE’ing!

Abstract sent to LinuxCon

So I’ve decided to see if I can get a speaking slot at LinuxCon in San Diego this year. Here is the abstract that I sent them. Wish me luck!

I will talk about hooking into pre-compiled distribution linux kernels to add security hardening. This allows for certain security frameworks to be used on kernels that are either 1) too old, 2) don’t have certain config flags set, or 3) don’t use non-mainline security patches. The primary example I’ll be discussing is my implementation of “Trusted Path Execution” as a linux kernel module, the source code of which is here: https://github.com/cormander/tpe-lkm . I may also demo installing AppArmor on a RHEL6 system via a kernel module, if I get the module stable before July.

The audience would be system administrators and developers who manage systems that they cannot change the kernel on, or don’t want to manage custom kernel builds. This is important because it allows access to kernel hardening to a lot of people who have their hands tied either by policy or lack of experience.

Bug reported and fixed in tpe-lkm, new version ready

Early this morning I got a bug report from someone that, when the full path to a file is sufficiently long enough, a denied execution of it will throw a NULL pointer exception in the kernel. This evening I researched the issue and coded in a fix. Basically, the error reporting tried to print out a NULL pointer under those conditions. How embarrassing for me to not notice this.

If you’re using the tpe-lkm module, you’ll want to update it. I’ve also bumped the version number.

Many thanks to Panos Sakkos for the bug report!

tpe-lkm is ready for a wider deployment

About a year ago, I posted about me coding a TPE module for distribution kernels. In that time I’ve added some features, fixed some bugs, and deployed it to all of my non-grsecurity systems. With the last known outstanding bug (that I know about) being fixed a little over two weeks ago (and tested) I’m excited to say that, you guessed it, tpe-lkm is ready for wider deployment.


You can find my stuff on GitHub

I’ve been using GitHub a lot more lately, and have found it to be a great service. So, this is me officially saying that any code I reference you should be able to find in one of my github repositories. If I’ve mentioned something to you that isn’t in there, call me out on it; I’ll get it up ASAP.

In order to be more transparent, I’ve started pushing more stuff there. For example, I recently updated my rogue-beret-tools repository with my various snmp nagios plugins (which, by the way, you can also find on my account at Nagios Exchange). I’ve started polishing up some of my scripts and putting them in there as well. I also added a directory for rpm spec files, such as my grsecurity kernel rpm spec file.
