home.social

#grsecurity — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #grsecurity, aggregated by home.social.

  1. grsecurity @[email protected] ·

    Preparatory patches: github.com/NVIDIA/open-gpu-ker

    Full Kbuild support: github.com/NVIDIA/open-gpu-ker

    #grsecurity compatibility: github.com/NVIDIA/open-gpu-ker

    #grsecurity
  2. grsecurity @[email protected] ·

    Preparatory patches: github.com/NVIDIA/open-gpu-ker

    Full Kbuild support: github.com/NVIDIA/open-gpu-ker

    #grsecurity compatibility: github.com/NVIDIA/open-gpu-ker

    #grsecurity
  3. grsecurity @[email protected] ·

    Preparatory patches: github.com/NVIDIA/open-gpu-ker

    Full Kbuild support: github.com/NVIDIA/open-gpu-ker

    #grsecurity compatibility: github.com/NVIDIA/open-gpu-ker

    #grsecurity
  4. grsecurity @[email protected] ·

    Preparatory patches: github.com/NVIDIA/open-gpu-ker

    Full Kbuild support: github.com/NVIDIA/open-gpu-ker

    #grsecurity compatibility: github.com/NVIDIA/open-gpu-ker

    #grsecurity
  5. grsecurity @[email protected] ·

    Preparatory patches: github.com/NVIDIA/open-gpu-ker

    Full Kbuild support: github.com/NVIDIA/open-gpu-ker

    #grsecurity compatibility: github.com/NVIDIA/open-gpu-ker

    #grsecurity
  6. grsecurity @[email protected] ·

    Our 6.18 #grsecurity LTS release, to be supported through at least the end of 2028, is now available!

    #grsecurity
  7. grsecurity @[email protected] ·

    Our 6.18 #grsecurity LTS release, to be supported through at least the end of 2028, is now available!

    #grsecurity
  8. grsecurity @[email protected] ·

    Our 6.18 #grsecurity LTS release, to be supported through at least the end of 2028, is now available!

    #grsecurity
  9. alip @[email protected] ·

    Lies, damned lies and #statistics: Literature shows it's statistically possible to infer a password from typing habits given access to a side channel which reveals access and/or modification time such as stat(2), fanotify(7) or inotify(7). #grsecurity prevents this with GRKERNSEC_DEVICE_SIDECHANNEL which #sydbox inherited with its Device Sidechannel Mitigations: man.exherbo.org/syd.7.html#Dev #exherbo #linux #security

    #statistics #grsecurity #sydbox #exherbo #linux #security
  10. alip @[email protected] ·

    Lies, damned lies and #statistics: Literature shows it's statistically possible to infer a password from typing habits given access to a side channel which reveals access and/or modification time such as stat(2), fanotify(7) or inotify(7). #grsecurity prevents this with GRKERNSEC_DEVICE_SIDECHANNEL which #sydbox inherited with its Device Sidechannel Mitigations: man.exherbo.org/syd.7.html#Dev #exherbo #linux #security

    #statistics #grsecurity #sydbox #exherbo #linux #security
  11. alip @[email protected] ·

    Lies, damned lies and #statistics: Literature shows it's statistically possible to infer a password from typing habits given access to a side channel which reveals access and/or modification time such as stat(2), fanotify(7) or inotify(7). #grsecurity prevents this with GRKERNSEC_DEVICE_SIDECHANNEL which #sydbox inherited with its Device Sidechannel Mitigations: man.exherbo.org/syd.7.html#Dev #exherbo #linux #security

    #security #linux #exherbo #sydbox #grsecurity #statistics
  12. alip @[email protected] ·

    Lies, damned lies and #statistics: Literature shows it's statistically possible to infer a password from typing habits given access to a side channel which reveals access and/or modification time such as stat(2), fanotify(7) or inotify(7). #grsecurity prevents this with GRKERNSEC_DEVICE_SIDECHANNEL which #sydbox inherited with its Device Sidechannel Mitigations: man.exherbo.org/syd.7.html#Dev #exherbo #linux #security

    #statistics #grsecurity #sydbox #exherbo #linux #security
  13. grsecurity @[email protected] ·

    6.18 has been selected as the next #grsecurity stable kernel version, to be supported through the end of 2028, one year longer than the upstream LTS EOL date of Dec 2027.

    #grsecurity
  14. grsecurity @[email protected] ·

    6.18 has been selected as the next #grsecurity stable kernel version, to be supported through the end of 2028, one year longer than the upstream LTS EOL date of Dec 2027.

    #grsecurity
  15. grsecurity @[email protected] ·

    6.18 has been selected as the next #grsecurity stable kernel version, to be supported through the end of 2028, one year longer than the upstream LTS EOL date of Dec 2027.

    #grsecurity
  16. alip @[email protected] ·

    #sydbox 3.37.3 is released with Trusted Symbolic Links a la CONFIG_GRKERNSEC_LINK of #grsecurity: man.exherbo.org/syd.7.html#Tru #exherbo #security #linux

    #sydbox #grsecurity #exherbo #security #linux
  17. alip @[email protected] ·

    #sydbox 3.37.3 is released with Trusted Symbolic Links a la CONFIG_GRKERNSEC_LINK of #grsecurity: man.exherbo.org/syd.7.html#Tru #exherbo #security #linux

    #sydbox #grsecurity #exherbo #security #linux
  18. alip @[email protected] ·

    #sydbox 3.37.3 is released with Trusted Symbolic Links a la CONFIG_GRKERNSEC_LINK of #grsecurity: man.exherbo.org/syd.7.html#Tru #exherbo #security #linux

    #linux #security #exherbo #grsecurity #sydbox
  19. alip @[email protected] ·

    #sydbox 3.37.3 is released with Trusted Symbolic Links a la CONFIG_GRKERNSEC_LINK of #grsecurity: man.exherbo.org/syd.7.html#Tru #exherbo #security #linux

    #sydbox #grsecurity #exherbo #security #linux
  20. grsecurity @[email protected] ·

    Nice demo: tested a vulnerable Ubuntu 22.04 system for glibc CVE-2025-4802 using Solar Designer's PoC adapted to Ubuntu (replace any occurrence of "myhostname" with "mdns4_minimal"). Even an old #grsecurity 5.4.96 kernel from February 8 2021 prevented exploitation

    #grsecurity
  21. grsecurity @[email protected] ·

    Nice demo: tested a vulnerable Ubuntu 22.04 system for glibc CVE-2025-4802 using Solar Designer's PoC adapted to Ubuntu (replace any occurrence of "myhostname" with "mdns4_minimal"). Even an old #grsecurity 5.4.96 kernel from February 8 2021 prevented exploitation

    #grsecurity
  22. grsecurity @[email protected] ·

    Nice demo: tested a vulnerable Ubuntu 22.04 system for glibc CVE-2025-4802 using Solar Designer's PoC adapted to Ubuntu (replace any occurrence of "myhostname" with "mdns4_minimal"). Even an old #grsecurity 5.4.96 kernel from February 8 2021 prevented exploitation

    #grsecurity
  23. grsecurity @[email protected] ·

    Nice demo: tested a vulnerable Ubuntu 22.04 system for glibc CVE-2025-4802 using Solar Designer's PoC adapted to Ubuntu (replace any occurrence of "myhostname" with "mdns4_minimal"). Even an old #grsecurity 5.4.96 kernel from February 8 2021 prevented exploitation

    #grsecurity
  24. grsecurity @[email protected] ·

    We expect our 6.13 #grsecurity beta to be available within the next two weeks.

    #grsecurity
  25. grsecurity @[email protected] ·

    We expect our 6.13 #grsecurity beta to be available within the next two weeks.

    #grsecurity
  26. grsecurity @[email protected] ·

    We expect our 6.13 #grsecurity beta to be available within the next two weeks.

    #grsecurity
  27. grsecurity @[email protected] ·

    Our 6.12 #grsecurity beta is now available to beta testers for testing

    #grsecurity
  28. grsecurity @[email protected] ·

    Our 6.12 #grsecurity beta is now available to beta testers for testing

    #grsecurity
  29. grsecurity @[email protected] ·

    Our 6.12 #grsecurity beta is now available to beta testers for testing

    #grsecurity
  30. Mathias Krause @[email protected] ·

    Linux kernel hardening does not necessarily have to ruin performance. Quite the opposite is possible! One just has to address performance issues first and gets better security “for free” — sometimes vast performance improvements even!

    Current example: BPF JIT handling. test_bpf.ko is a kernel module exercising various extreme and corner cases of BPF programs the kernel is supposed to handle just fine. However, under certain configurations it makes the kernel busy burn cycles without making real progress. Fixing that allowed us to implement security features in #grsecurity at all stages of the JIT process and basically get them for free. See for yourself…

    …and yes, while waiting for insmod to finish on vanilla Linux, I fixed the tests and did a quick re-run on #grsecurity.

    #grsecurity
  31. Mathias Krause @[email protected] ·

    Linux kernel hardening does not necessarily have to ruin performance. Quite the opposite is possible! One just has to address performance issues first and gets better security “for free” — sometimes vast performance improvements even!

    Current example: BPF JIT handling. test_bpf.ko is a kernel module exercising various extreme and corner cases of BPF programs the kernel is supposed to handle just fine. However, under certain configurations it makes the kernel busy burn cycles without making real progress. Fixing that allowed us to implement security features in #grsecurity at all stages of the JIT process and basically get them for free. See for yourself…

    …and yes, while waiting for insmod to finish on vanilla Linux, I fixed the tests and did a quick re-run on #grsecurity.

    #grsecurity
  32. Mathias Krause @[email protected] ·

    Linux kernel hardening does not necessarily have to ruin performance. Quite the opposite is possible! One just has to address performance issues first and gets better security “for free” — sometimes vast performance improvements even!

    Current example: BPF JIT handling. test_bpf.ko is a kernel module exercising various extreme and corner cases of BPF programs the kernel is supposed to handle just fine. However, under certain configurations it makes the kernel busy burn cycles without making real progress. Fixing that allowed us to implement security features in #grsecurity at all stages of the JIT process and basically get them for free. See for yourself…

    …and yes, while waiting for insmod to finish on vanilla Linux, I fixed the tests and did a quick re-run on #grsecurity.

    #grsecurity
  33. Mathias Krause @[email protected] ·

    Linux kernel hardening does not necessarily have to ruin performance. Quite the opposite is possible! One just has to address performance issues first and gets better security “for free” — sometimes vast performance improvements even!

    Current example: BPF JIT handling. test_bpf.ko is a kernel module exercising various extreme and corner cases of BPF programs the kernel is supposed to handle just fine. However, under certain configurations it makes the kernel busy burn cycles without making real progress. Fixing that allowed us to implement security features in #grsecurity at all stages of the JIT process and basically get them for free. See for yourself…

    …and yes, while waiting for insmod to finish on vanilla Linux, I fixed the tests and did a quick re-run on #grsecurity.

    #grsecurity
  34. Mathias Krause @[email protected] ·

    Linux kernel hardening does not necessarily have to ruin performance. Quite the opposite is possible! One just has to address performance issues first and gets better security “for free” — sometimes vast performance improvements even!

    Current example: BPF JIT handling. test_bpf.ko is a kernel module exercising various extreme and corner cases of BPF programs the kernel is supposed to handle just fine. However, under certain configurations it makes the kernel busy burn cycles without making real progress. Fixing that allowed us to implement security features in #grsecurity at all stages of the JIT process and basically get them for free. See for yourself…

    …and yes, while waiting for insmod to finish on vanilla Linux, I fixed the tests and did a quick re-run on #grsecurity.

    #grsecurity
  35. grsecurity @[email protected] ·

    Performance isn't the enemy of security: we care about both. Today's patches finish off a set of security/performance improvements to eBPF. Below we show a ~30x speedup vs vanilla in running the eBPF selftests with every single #grsecurity option enabled!

    #grsecurity
  36. grsecurity @[email protected] ·

    Performance isn't the enemy of security: we care about both. Today's patches finish off a set of security/performance improvements to eBPF. Below we show a ~30x speedup vs vanilla in running the eBPF selftests with every single #grsecurity option enabled!

    #grsecurity
  37. grsecurity @[email protected] ·

    Performance isn't the enemy of security: we care about both. Today's patches finish off a set of security/performance improvements to eBPF. Below we show a ~30x speedup vs vanilla in running the eBPF selftests with every single #grsecurity option enabled!

    #grsecurity
  38. grsecurity @[email protected] ·

    Performance isn't the enemy of security: we care about both. Today's patches finish off a set of security/performance improvements to eBPF. Below we show a ~30x speedup vs vanilla in running the eBPF selftests with every single #grsecurity option enabled!

    #grsecurity
  39. grsecurity @[email protected] ·

    Performance isn't the enemy of security: we care about both. Today's patches finish off a set of security/performance improvements to eBPF. Below we show a ~30x speedup vs vanilla in running the eBPF selftests with every single #grsecurity option enabled!

    #grsecurity
  40. alip @[email protected] ·

    I've submitted one #kernel #bug for #Linux and one for #HardenedBSD today, see: bugzilla.kernel.org/show_bug.c and git.hardenedbsd.org/hardenedbs The issue is (almost) the same and breaks W^X. It has already been mitigated by #sydbox since version 3.15.1: #sydbox denies executable shared memory like #grsecurity does! See: man.exherbolinux.org/syd.7.htm #exherbo

    #kernel #bug #linux #hardenedbsd #sydbox #grsecurity
  41. alip @[email protected] ·

    I've submitted one #kernel #bug for #Linux and one for #HardenedBSD today, see: bugzilla.kernel.org/show_bug.c and git.hardenedbsd.org/hardenedbs The issue is (almost) the same and breaks W^X. It has already been mitigated by #sydbox since version 3.15.1: #sydbox denies executable shared memory like #grsecurity does! See: man.exherbolinux.org/syd.7.htm #exherbo

    #kernel #bug #linux #hardenedbsd #sydbox #grsecurity
  42. alip @[email protected] ·

    I've submitted one #kernel #bug for #Linux and one for #HardenedBSD today, see: bugzilla.kernel.org/show_bug.c and git.hardenedbsd.org/hardenedbs The issue is (almost) the same and breaks W^X. It has already been mitigated by #sydbox since version 3.15.1: #sydbox denies executable shared memory like #grsecurity does! See: man.exherbolinux.org/syd.7.htm #exherbo

    #kernel #bug #linux #hardenedbsd #sydbox #grsecurity
  43. alip @[email protected] ·

    I've submitted one #kernel #bug for #Linux and one for #HardenedBSD today, see: bugzilla.kernel.org/show_bug.c and git.hardenedbsd.org/hardenedbs The issue is (almost) the same and breaks W^X. It has already been mitigated by #sydbox since version 3.15.1: #sydbox denies executable shared memory like #grsecurity does! See: man.exherbolinux.org/syd.7.htm #exherbo

    #exherbo #grsecurity #sydbox #hardenedbsd #linux #bug
  44. alip @[email protected] ·

    I've submitted one #kernel #bug for #Linux and one for #HardenedBSD today, see: bugzilla.kernel.org/show_bug.c and git.hardenedbsd.org/hardenedbs The issue is (almost) the same and breaks W^X. It has already been mitigated by #sydbox since version 3.15.1: #sydbox denies executable shared memory like #grsecurity does! See: man.exherbolinux.org/syd.7.htm #exherbo

    #kernel #bug #linux #hardenedbsd #sydbox #grsecurity
  45. Mathias Krause @[email protected] ·

    I wrote about how C‘s more recent language features make grsecurity maintenance easier and how we pushed the idea even further by adding a new compiler builtin.

    grsecurity.net/reducing_mainte

    The article has quite some code snippets, showing how easy the latter actually is, thanks to a rather stable GCC plugin API.

    #grsecurity #gcc #C

    #grsecurity #gcc #c
  46. Mathias Krause @[email protected] ·

    I wrote about how C‘s more recent language features make grsecurity maintenance easier and how we pushed the idea even further by adding a new compiler builtin.

    grsecurity.net/reducing_mainte

    The article has quite some code snippets, showing how easy the latter actually is, thanks to a rather stable GCC plugin API.

    #grsecurity #gcc #C

    #grsecurity #gcc #c
  47. Mathias Krause @[email protected] ·

    I wrote about how C‘s more recent language features make grsecurity maintenance easier and how we pushed the idea even further by adding a new compiler builtin.

    grsecurity.net/reducing_mainte

    The article has quite some code snippets, showing how easy the latter actually is, thanks to a rather stable GCC plugin API.

    #grsecurity #gcc #C

    #grsecurity #gcc #c
  48. Mathias Krause @[email protected] ·

    I wrote about how C‘s more recent language features make grsecurity maintenance easier and how we pushed the idea even further by adding a new compiler builtin.

    grsecurity.net/reducing_mainte

    The article has quite some code snippets, showing how easy the latter actually is, thanks to a rather stable GCC plugin API.

    #grsecurity #gcc #C

    #c #gcc #grsecurity
  49. Mathias Krause @[email protected] ·

    I wrote about how C‘s more recent language features make grsecurity maintenance easier and how we pushed the idea even further by adding a new compiler builtin.

    grsecurity.net/reducing_mainte

    The article has quite some code snippets, showing how easy the latter actually is, thanks to a rather stable GCC plugin API.

    #grsecurity #gcc #C

    #grsecurity #gcc #c
  50. Mathias Krause @[email protected] ·

    @paulmckrcu, regarding lore.kernel.org/kvm/08ee7eb2-8, we went with option 3 and implemented rcu_kvfree_barrier() in #grsecurity, mainly in need for AUTOSLAB which converts every kmalloc() into a dedicated slab cache, making the issue much more likely to trigger. Placing a call to rcu_kvfree_barrier() at a fitting place in free_module() fixes the leak/uaf issue.

    #grsecurity