Comments on: Process hiding Kernel patch for 2.6.24.x http://www.iezzi.ch/archives/120 Just another Iezzi weblog Tue, 31 Jan 2012 17:24:38 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: anonymous http://www.iezzi.ch/archives/120/comment-page-1#comment-79280 anonymous Sat, 08 Oct 2011 11:19:52 +0000 http://www.iezzi.ch/archives/120#comment-79280 This patch works but it doesn't show any defunct/zombie processes even if you started them. I don't think that is the correct behavior. So, the state of the process needs to be checked before setting inode->i_mode. So if the process is a zombie, then the mode must be S_IFDIR|S_IRUGO|S_IXUGO regardless of what option was chosen. Any ideas? This patch works but it doesn’t show any defunct/zombie processes even if you started them. I don’t think that is the correct behavior. So, the state of the process needs to be checked before setting inode->i_mode. So if the process is a zombie, then the mode must be S_IFDIR|S_IRUGO|S_IXUGO regardless of what option was chosen.
Any ideas?

]]> By: bob http://www.iezzi.ch/archives/120/comment-page-1#comment-17307 bob Sat, 05 Apr 2008 23:34:49 +0000 http://www.iezzi.ch/archives/120#comment-17307 Actually RBSAC protects from vmsplice ;) Proving new kernel support however for a project of this size is sometimes difficult for the few RSBAC developper. E.g. 2.6.24 (which has the vmsplice fix, if you aren't willing to patch 2.6.23 yourself) introduced a whole new PID architecture using structs. This means changing the core way RSBAC identify processes. It took 2 weeks to code. IMHO this is rather fast, even if not acceptable for security. But in that case, you *should* use your distro kernels or kernel patches of course. Distro kernels are rarely bleeding edge, they simply patch them for the security issues found. Although unlikely, if e.g. your patch has to change totally in the next kernel version you will feel the problem at it's core. Actually RBSAC protects from vmsplice ;)
Proving new kernel support however for a project of this size is sometimes difficult for the few RSBAC developper. E.g. 2.6.24 (which has the vmsplice fix, if you aren’t willing to patch 2.6.23 yourself) introduced a whole new PID architecture using structs. This means changing the core way RSBAC identify processes.
It took 2 weeks to code.
IMHO this is rather fast, even if not acceptable for security. But in that case, you *should* use your distro kernels or kernel patches of course. Distro kernels are rarely bleeding edge, they simply patch them for the security issues found.

Although unlikely, if e.g. your patch has to change totally in the next kernel version you will feel the problem at it’s core.

]]> By: Daniel Mettler http://www.iezzi.ch/archives/120/comment-page-1#comment-15714 Daniel Mettler Wed, 27 Feb 2008 16:57:41 +0000 http://www.iezzi.ch/archives/120#comment-15714 Interesting hint, though I have no need for such a feature currently (maybe later). I use a Gentoo Xen kernel I customized - works pretty well. Cheers Interesting hint, though I have no need for such a feature currently (maybe later). I use a Gentoo Xen kernel I customized – works pretty well. Cheers

]]>