Tuesday, 13/December/2011

RSBAC 1.4.6 has been released for the kernel 3.1.5.

Most important changes since 1.4.5:

• Add RSBAC syscalls and tools parameters to get and set UM password history size per user
• Security bugfix for sys_open() request types (see earlier post)
• Add rsbac_jail parameter -K for allow_netlink flag
• Add rsbac_usershow parameters to list users with shell or full name

The complete lists of changes are available here:

Kernel changes: http://www.rsbac.org/dl.php?file=code/1.4.6/changes-1.4.6.txt

Admin tools changes: http://www.rsbac.org/dl.php?file=code/1.4.6/admin-changes-1.4.6.txt

Have fun!

Wednesday, 30/Nov/2011

Unfortunately, there is a severe bug in the code that determines the RSBAC request type in sys_open() calls. As a result from this bug, open access will be decided upon by RSBAC with wrong request type, a read open can happen unnoticed. A read() access after opening is intercepted as intended, because only the open interception is wrong.

Affected are all RSBAC git repos for kernels starting from 2.6.35 and the official release 1.4.5 for 2.6.35. RSBAC for kernel 2.6.32 is not affected.

Please update your kernel sources from git or apply the patch for 2.6.35.y, rebuild and reboot to get the bug fixed. I will try to get a new release out for kernel 3.1.4 or later as soon as possible. After fixing, your system might need RSBAC rights adjustments, because the set of accesses changes.

Background: Between 2.6.32 and 2.6.35, the meaning of the flags parameter for sys_open() helper functions changed from some translated internal value to an exact copy of the sys_open() flags parameter. When porting RSBAC code from 2.6.32, we did not notice that change.

Friday, 12/Aug/2011

RSBAC has been successfully ported to Linux kernel 3.0, you find a new git repo at http://git.rsbac.org. Please test it and report so that we can make a new 3.0 based release soon.

Thursday, 14/Jul/2011

RSBAC has been successfully ported to 2.6.39.3, you find a new git repo at http://git.rsbac.org. Please test it and report so that we can make a new release soon.

Friday, 20/May/2011

After having no enhanced kernels (with PaX and RSBAC) for a while, we now have Marcos <natashell at rsbac dot org> as new maintainer of enhanced kernels. Thanks a lot for your help!

Here is his list announcement:

It’s a big pleasure for me announce you that there is a new “Enhaced Kernel” which include RSBAC-1.4.5 and PaX test-24. This one is available from:

http://enhanced.rsbac.org/2.6/

It compiles fine and I think it is working fine also.

Hope you can test it and get your feedback about it.

Friday, 20/May/2011

We also have a git repo for 2.6.38 at http://git.rsbac.org/cgi-bin/gitweb.cgi?p=linux-2.6.38.y.git;a=summary

2.6.38 is not long term supported by official kernel, but 2.6.39 has significant changes in some APIs, so porting RSBAC to 2.6.39 will take a while.

Wednesday, 23/February/2011

The GIT repository management has been changed. This is the new layout:

We might eventually add more LTS1) branches as kernel.org adds them, of course.

Please note that we have some documentation on how to use these GIT repositories (for developers and users alike), in case you have questions.

Monday, 21/February/2011

As you may have noticed, our tarball for the RSBAC admin tool version 1.4.5 on http://download.rsbac.org/code/1.4.5/ contained the wrong version numbers in some places and did not reflect the exact 1.4.5 release.

This has been corrected. Sorry for the inconvenience.