Changelog

Sumary of changes from grsec 201202232125 to 201204010910
==============================================
https://grsecurity.net/changelog-stable.txt
x86, tls: Off by one limit check
vfs: get rid of batshit-insane pointless dentry hash calculations
x86-32: Fix endless loop when processing signals for kernel tasks
Merge branch 'pax-stable' into grsec-stable
Update to pax-linux-2.6.32.59-test155.patch
Backport L2TP fix for cilly
Use umode_t instead of mode_t
Use umode_t instead of mode_t for umask type
Resolve some very tricky hash table manipulations that resulted in an infinite loop in certain uses of domains with particular hash collisions
zero kernel_role
Temporary workaround for (most) size_overflow plugin false-positives
Increase randomization for brk-managed heap to 21 bits
Require default and kernel role
Allow policies without special roles
don't call free_variables in error path of copy_user_acl, we'll call it later (triggered by a policy without special roles)
nilfs2: fix NULL pointer dereference in nilfs_load_super_block()
x86: Derandom delay_tsc for 64 bit
Introduce size_overflow plugin from Emese Revfy
Add backported be2net driver for BladeEngine 10GbE card used in HP blade servers
Backport LSI 3ware SAS/SATA-RAID driver (This is from us!)
Backport paravirt SCSI driver for VMware's virtual HBA (This is from us!)
add colorize plugin
Fix ARM compilation while waiting for new PaX patch
Use &per_cpu instead of per_cpu_ptr
Allow 4096 CPUs
Use a per-cpu 48-bit counter instead of a global atomic64
Further reduce argv/env allowance for suid/sgid apps to 512KB
Clamp suid/sgid stack resource limit to 8MB (preventing compat mmap layout fallback/too large stack gap)
Clear 3GB personality on suid/sgid binaries
Restore 4 bits entropy in the lowest bits of arg/env strings (now 28 bits on x86, 39 bits on x64)
mm: fix find_vma_prev

Summary of changes from 2.6.32.58 to 2.6.32.59
==============================================
https://www.kernel.org/pub/linux/kernel ... -2.6.32.59
IA64: Remove COMPAT_IA32 support
KEYS: Enable the compat keyctl wrapper on s390x
blkfront: Fix backtrace in del_gendisk
regset: Prevent null pointer reference on readonly regsets
regset: Return -EFAULT, not -EIO, on host-side memory fault
compat: Re-add missing asm/compat.h include to fix compile breakage on s390
cifs: fix dentry refcount leak when opening a FIFO on lookup
writeback: fixups for !dirty_writeback_centisecs
watchdog: hpwdt: clean up set_memory_x call for 32 bit
net/usbnet: avoid recursive locking in usbnet_stop()
bsg: fix sysfs link remove warning
eCryptfs: Handle failed metadata read in lookup



Summary of changes from 2.6.32.58 to 2.6.32.59
==============================================
https://www.kernel.org/pub/linux/kernel ... -2.6.32.58
PM / Sleep: Fix read_unlock_usermodehelper() call.
PM / Sleep: Fix freezer failures due to racy usermodehelper_is_disabled()
firmware loader: allow builtin firmware load even if usermodehelper is disabled
PM: Print a warning if firmware is requested when tasks are frozen
compat: fix compile breakage on s390
Fix autofs compile without CONFIG_COMPAT
autofs: work around unhappy compat problem on x86-64
cdrom: use copy_to_user() without the underscores
eCryptfs: Clear i_nlink in rmdir
eCryptfs: Remove extra d_delete in ecryptfs_rmdir
eCryptfs: Use notify_change for truncating lower inodes
hdpvr: fix race conditon during start of streaming
xhci: Fix encoding for HS bulk/control NAK rate.
USB: Fix handoff when BIOS disables host PCI device.
USB: Added Kamstrup VID/PIDs to cp210x serial driver.
ARM: 7325/1: fix v7 boot with lockdep enabled
ARM: 7321/1: cache-v7: Disable preemption when reading CCSIDR
SCSI: 3w-9xxx fix bug in sgl loading
ecryptfs: read on a directory should return EISDIR if not supported
drm/radeon/kms: fix MSI re-arm on rv370+
crypto: sha512 - use standard ror64()
Add mount option to check uid of device being mounted = expect uid, CVE-2011-1833
Ban ecryptfs over ecryptfs
eCryptfs: Remove mmap from directory operations
crypto: sha512 - Avoid stack bloat on i386
crypto: sha512 - Use binary and instead of modulus
hwmon: (f75375s) Fix automatic pwm mode setting for F75373 & F75375
printk_ratelimited(): fix uninitialized spinlock
kernel.h: fix wrong usage of __ratelimit()
mac80211: timeout a single frame in the rx reorder buffer
relay: prevent integer overflow in relay_open()
lib: proportion: lower PROP_MAX_SHIFT to 32 on 64-bit kernel
hwmon: (f75375s) Fix bit shifting in f75375_write16
drm/i915: no lvds quirk for AOpen MP45

To Upgrade:
asl -u

or

x86_64:
yum upgrade kernel

i386:
yum upgrade kernel-PAE

Forgive my ignorance here, but after a Kernel update like this does the server need to be restarted before these changes take effect?

Correct. You will want to reboot.

Rebootless (and potentially automatically installed) asl kernel updates would be an outstanding feature. Is there any possibility of a link-up with oracle/k-splice? Or do they pick and choose?

I accompany faris' question. ksplice with ASL, thats what I asked myself too.
Would be a great feature.

We had talked to them a while back before oracle bought them, but I dont think you can have a ksplice vector and not have a rootkit vector at the same time. Not without doing some other clever things. Besides, I dont think oracle is sharing ksplice with anyone these days.

We're managing servers running ASL for multiple clients in multiple time zones and we have to schedule all these reboots with every individual client. If there would be a (secure) way to do rebootless ASL kernel updates that would be really great.

I guess it is a matter of risk assessement.

For us, a few years ago we found we were having to email VPS and hosting customers to tell them there would be a reboot+5 to 10 minute outage every few weeks or every month at one stage. And someone (ME!) had to be up at 1am to do it. And occasionally (once every 6 months to a year) the fsck would run automatically, and on a 500Gb drive this takes ages.

It got so bad that we didn't do kernel updates quickly - we'd leave it for at leats a month between updates.

Then we discovered that k-splice supported virtuozzo, gave it a try and we were amazed at how painless and wonderful the whole thing was. I've not had to be up at 1am for a reboot to load a new kernel for over a year now, and vps customers in particular are happy. More importantly, we can implement kernel updates within 24 hours of them coming out.

So while I'm sure k-splice adds a potential vector for rooktits to exploit, at the same time it reduces any window of opportunity for a remotely-exploitable attack working.

Advantage of the ASL kernel works there too, kernel exploits (and many classes of userspace!) dont work on it at all. When we're making updates, its almost always to support new hardware or to add new features. K-splice does not allow you to do those either.