| pappy- | morning |
| pappy- | hello |
| trulux | hey pappy- |
| pappy- | how are you? ("como es usted?") |
| trulux | s/es/está/ |
| trulux | fine |
| trulux | ;) |
| pappy- | ACTION is lookin at subversion |
| trulux | pappy-, kay, i hope i can find a comparison of cvs, svn and other scm's |
| guitarra | and if I've developed in glade and anjuta, can I move it to kdevelop? |
| trulux | btw, i'm finishing the crappy version of selinux backport |
| trulux | pappy-, i'm in need of a big kernel panic to feel happy |
| pappy- | trulux: so what is your opinion on the marginal gcc wrapper hack |
| trulux | pappy-, that was my original point to make our build system really more useful |
| pappy- | i think it's the way to go and i will put some documentation about it online. |
| trulux | so, i agree with it |
| antlarr | guitarra: are they automake/conf projects? |
| trulux | pappy-, heh, you know the wiki is the place |
| pappy- | trulux: right, sir. |
| pappy- | waiting for me. |
| guitarra | automake |
| trulux | pappy-, did you check my gcc wrapper? |
| pappy- | gimme a link i can look at it |
| trulux | hopefully it's good but doesn't work at all as i left the development before exams |
| trulux | pappy-, sure |
| trulux | http://cvs.debian-hardened.org/cgi-bin/viewcvs/debian-hardened/hardened-dev-utils/gcc-hardened?rev=1.4&content-type=text/vnd.viewcvs-markup |
| trulux | there |
| pappy- | err, that's a shell script? |
| pappy- | i don't think i will look at a shell script |
| trulux | "then run lanzar hardened_flags(), " <- ignore this comment ;D |
| pappy- | that's not good |
| trulux | i know |
| trulux | it's a performance loss |
| pappy- | ACTION has a working c version |
| trulux | pappy-, what about your behind-the-scenes wrapper in C? |
| trulux | yeah, that's what i mean |
| pappy- | trulux: i can dig it up if i find it. |
| pappy- | ACTION has too much /space |
| pappy- | and i am afraid it's buried on my gentoo account |
| trulux | :O |
| trulux | i remember that |
| trulux | http://dev.gentoo.org/~pappy/.hive/hardened-wrapper-1.4.2.c |
| trulux | not found |
| trulux | :( |
| pappy- | ah, yes |
| pappy- | that one |
| pappy- | too bad :-( |
| trulux | i have a really big hard disk too (120 + 60 g's) |
| pappy- | do you happen to find it somewhere? |
| trulux | lots of pr0 stuff fit in them |
| trulux | pappy-, nope, my own archives |
| pappy- | ACTION has to think very hard |
| trulux | i think you removed it due to trust problems ;P |
| trulux | pappy-, find / -type f -name '*wrapper*' |
| pappy- | trulux: yes, doing already |
| trulux | let the box think alone, you're feeling like those damn yanks |
| trulux | ;D |
| trulux | we are dumb europe, spanish & german fuckers, not yanks ... |
| trulux | ;) |
| pappy- | 67 /* |
| pappy- | 68 this function has been powered by http://www.warsteiner.de/en/homepage/index_home.asp |
| pappy- | 69 |
| pappy- | err, yes. well, i found it. |
| pappy- | 70 *cheers* ;-) |
| trulux | great |
| pappy- | ACTION grins |
| pappy- | 71 */ |
| trulux | HEH! |
| trulux | http://dev.gentoo.org/~pappy/ <- this still exists |
| trulux | ? |
| pappy- | trulux: i know |
| pappy- | i am not fired |
| pappy- | only suspended |
| pappy- | for 30 days |
| pappy- | after that i get fired |
| trulux | and you still appear on hardened gentoo pages |
| pappy- | i know |
| antlarr | no more questions? |
| pappy- | okay working on the patch |
| pappy- | will be done in 5-10 minutas |
| pappy- | (just have to remove all the gentoo specific stuff and put my name into the copyright *duck*) |
| trulux | that's good |
| trulux | btw, i'm trying to compile the new backport |
| trulux | this would be fun |
| trulux | 5 cents for the first finding the wrong sb->s_id hook |
| trulux | 10 cents for the one that finds first avc_has_perm() hook |
| trulux | ACTION is going to be really poor.... |
| pappy- | i have nfc, so keep on telling me. |
| pappy- | me just no programmer at all, only real good stealer and joker |
| trulux | ;D |
| trulux | as me then heh |
| pappy- | # define __GCC_AUTOPIE_DISABLE__ |
| pappy- | i name it this way, right? |
| antlarr | felix: have you seen the autocomplete thing yet? |
| antlarr | anything else? or should I consider it done? |
| trulux | pappy-, right |
| pappy- | so and we are renaming the actual /usr/bin/gcc to /usr/bin/realgcc and then just move our wrapper in, right? |
| pappy- | otherwise we need config files and keep track of which is which and such |
| pappy- | all the fun |
| trulux | yes |
| trulux | gcc in debian is normally named gcc-VERSION |
| trulux | gcc-3 |
| pappy- | cool |
| trulux | gcc-3.3 |
| trulux | gcc-3.4 |
| pappy- | and symlinks done, right? |
| trulux | and so on |
| trulux | yes |
| trulux | gcc is a symlink |
| pappy- | cool for me |
| trulux | for us |
| trulux | ;D |
| pappy- | for me writing the wrapper |
| pappy- | kid |
| trulux | LOL: |
| trulux | lorenzo@estila:~/kernel/selinux/linux-2.4.28-selinux $ make SUBDIRS=security |
| trulux | avtab.c:414: error: `SLAB_PANIC' undeclared (first use in this function) |
| trulux | this is going to make a BUG pain in my ass |
| pappy- | trulux: i tried installing debian on a workstation today. the scsi hard disk crashed. |
| pappy- | trulux: that is going to be a bad sign, i guess. |
| pappy- | ACTION grins evilly. |
| trulux | it sounds like MUAHAHAHAHA THIS BACKPORT SUCKS AS A BLOODY ASS! |
| trulux | pappy-, ok, i must do some hacking on it before the talk |
| trulux | i'm smelling something that stinks that comes from security/avtab.c |
| pappy- | ACTION raises eyebrow |
| trulux | nope, it's from the security server code |
| trulux | Smalley said it is "almost" kernel-independent <- now i get the point of "almost" |
| trulux | ACTION says: f*ck! |
| pappy- | 20:26 pappy@papillon wrapper $ /tmp/wrapper -v |
| pappy- | defusing PIE support |
| pappy- | defusing SSP support |
| pappy- | Reading specs from /usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.4/specs |
| trulux | great |
| trulux | btw, i fixed my error: |
| pappy- | now playing: 20:26 pappy@papillon wrapper $ env grep GCC |
| pappy- | GCC_AUTOPIE_DISABLE=1 |
| pappy- | GCC_AUTOSSP_DISABLE=1 |
| pappy- | now playing: /home/pappy/musik/4/house/2raumwohnung/13_-_2raumwohnung_-_ich_and_elaine_(naughtys_couture-pulse).mp3 |
| trulux | tdinc -iwithprefix include -DKBUILD_BASENAME=services -c -o services.o services.c |
| trulux | services.c:29:25: linux/audit.h: No existe el fichero o el directorio |
| trulux | services.c: En la función `compute_sid_handle_invalid_context': |
| trulux | services.c:583: aviso: implicit declaration of function `audit_log' |
| pappy- | i like that language thing |
| pappy- | "En la funcion" |
| trulux | ;D |
| pappy- | i always get off on those details |
| trulux | i'm just getting linux/audit.h from NSA's cvs |
| trulux | i hate those stupid guys that bounce and say that anything from NSA is bad |
| trulux | just read a spanish article on a lug site about it |
| trulux | and found a stupid comment |
| trulux | ...lah |
| pappy- | yeah, the NSA is just protecting innocent children from getting robbed on their way to school. |
| pappy- | nothing to be worried about. |
| trulux | XD |
| trulux | i mean its parts |
| trulux | the OS and Information Assurance Research department |
| trulux | that's the one behind SELinux |
| trulux | not the NSA |
| trulux | people often ignore things and talk about them without knowing at all what's going on |
| pappy- | a little paranoia never hurts. |
| trulux | yeah |
| trulux | pappy-, how goes the wrapper stuff? |
| trulux | wanna cvs' it? |
| pappy- | working on it |
| pappy- | trying to avoid off-by-one errors |
| pappy- | :-) |
| pappy- | 63 // copy the list and nullify the last two arguments |
| pappy- | 64 for (newargc=0; newargc < argc; newargc++) |
| pappy- | do you think thats okay? |
| pappy- | i am thinking about it atm |
| pappy- | and working it through in my head |
| trulux | pappy-, for appending ARGS? |
| pappy- | yow, sure |
| trulux | then it seems right |
| trulux | right++ |
| pappy- | yeah, what most people miss on that: for() loops are like do {} while() loops |
| pappy- | the first fuck is free, and from then on it counts. |
| trulux | yeah |
| trulux | pappy-, talk going to start |
| trulux | you will have talk privileges |
| pappy- | well, let me go to the lavatory for a second |
| trulux | wanna get charge of toolchain part? |
| pappy- | then i come on |
| trulux | your first job in debhard |
| pappy- | yeah, i take the toolchain part :-) |
| pappy- | thanks man |
| pappy- | be there in 5 mins |
| trulux | you're welcome |
| trulux | ok |
| trulux | just one pee kay? |
| trulux | ACTION nods |
| pappy- | trulux: don't forget to introduce yourself |
| trulux | sure |
| pappy- | ACTION is back |
| trulux | and you |
| pappy- | lets start |
| trulux | pappy-, ok, one minute |
| trulux | pappy-, 10 minutes and then start |
| pappy- | k |
| pappy- | yeah |
| pappy- | your choice |
| trulux | read the slides quickly |
| trulux | http://www.debian-hardened.org/papers/hardened-debian-en-2005/siframes.html |
| pappy- | hehe |
| trulux | pappy-, see Proof of the Proactive Security Concept (III) , it's pure fun |
| trulux | check the hardcoded string |
| pappy- | skip HP-UX, it is an Operating System, not a Hardware Platform |
| pappy- | you mean HPPA |
| trulux | yea |
| trulux | it was a mistake |
| pappy- | this PaX wikipedia article is crap imho. |
| pappy- | it's from bluefoxicy. |
| trulux | yes |
| pappy- | and he gives a shit about real security. |
| pappy- | he states the fact that "uptime is more precious than security" |
| pappy- | but that is sheer nonsense |
| trulux | bluefoxicy is a bit conservative in political terms, also he talks a lot, does less |
| pappy- | once rooted, you ain't having uptime anymore |
| trulux | yeah, heh |
| trulux | anyway he doesn't know much about MAC/DAC/RBAC style protections |
| trulux | ok |
| trulux | 3 minutes |
| pappy- | i am so stage frightened |
| pappy- | am i allowed to greet my mummy? |
| pappy- | i really feel prominent now |
| trulux | hehe |
| trulux | pappy-, ok, time to play |
| trulux | let's start |
| pappy- | questions will be answered here by me and trulux, feel free to ask please :-) |
| trulux | yeah, forgot to say that |
| trulux | sorry ;-) |
| krocz | does PaX also protect against the HEAP write attack |
| krocz | ? |
| alejandro | trulux: then now you can program *insecure* code with libssp. :-) |
| trulux | alejandro, it's all your stupid decision to do it, we do the right thing anyway ;D |
| trulux | ACTION nods |
| trulux | alejandro, the point is that we don't need to trust in upstreams |
| trulux | so, they can code something in a bad way, and we can prevent it if it applies to some patterns |
| alejandro | trulux: then it is MLS that protects against attacks like 'rm -rf' with policies, no? |
| trulux | answered on #linux |
| ajmitch | trulux: derivatives getting benefits will require that hardened-debian changes get into debian |
| ajmitch | which can be a long process :) |
| riel | trulux: how will you make sure all of Debian's packages work with PaX ? |
| riel | because if something doesn't work, people will end up disabling the security measures ... |
| trulux | riel, collaborating with upstreams |
| trulux | also we have known what exactly (most) breaks with PaX |
| trulux | i have a 42 page whitepaper about these things but never got released, originally for the Honeynet project |
| trulux | JVM for example breaks and needs per-file basis config |
| ajmitch | JVM has often been known to have issues with such security measures |
| riel | yeah, but how are you going to be able to fix e.g. a JVM that is shipped by some other software vendor ? |
| riel | say, the JVM that's Oracle's installer ;) |
The Organizing Committee