nemunaire/nemunai.re
1
0
Fork 0
Code Issues Pull requests 1 Releases Activity

Improve architecture with page bundles

Browse source
This commit is contained in:
nemunaire 2023-05-23 11:23:47 +02:00
commit 7a638e7fbb
26 changed files with 0 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

3896
content/en/post/kernel_configs/geb.config Normal file
View file

File diff suppressed because it is too large Load diff

4100
content/en/post/kernel_configs/hathor.config Normal file
View file

File diff suppressed because it is too large Load diff

0
content/en/post/kernel_configs.md → content/en/post/kernel_configs/index.md
View file

2696
content/en/post/kernel_configs/nout.config Normal file
View file

File diff suppressed because it is too large Load diff

3256
content/en/post/kernel_configs/ouaset.config Normal file
View file

File diff suppressed because it is too large Load diff

5002
content/en/post/kernel_configs/oupaout.config Normal file
View file

File diff suppressed because it is too large Load diff

3404
content/en/post/kernel_configs/rhakotis.config Normal file
View file

File diff suppressed because it is too large Load diff

3524
content/en/post/kernel_configs/satis.config Normal file
View file

File diff suppressed because it is too large Load diff

0
content/en/post/rtl8153b-for-4.9.md → content/en/post/rtl8153b-for-4.9/index.md
View file

1179
content/en/post/rtl8153b-for-4.9/r8152-for-4.9.patch Normal file
View file

File diff suppressed because it is too large Load diff

1
content/en/post/ssh_keys/aton_ed25519.pub Normal file
View file

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFSbCCfFO1+yxogpg1DfCPSQU48oWqYM6/05TYzNhPmc nemunaire@aton

1
content/en/post/ssh_keys/aton_rsa.pub Normal file
View file

@ -0,0 +1 @@
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCwwJxAJ99OK0W6CPV/0aDTFlts9xzEKKc+V8r2f0zaXpxuKSGgeWVOrSFU0nTEOZGlGh5kBIBHlizaeh9Bb5Io0V8Hafljwx/yJ+51czlnyoRZ49VDnufEd+qVW8Up8Kelsro+y+hu9BAcUoPhjlj+QyeUkEO1ytJFFi7LLelXGGHNiM3cYR9ewncy4oDIQNOrSgTrjdHjP2+0Zh0QV92SfX4KAUFfgW2BMhUi5/gk8aLMJQnRNaO2dVtWQoxLf03LEW87oRcnvepZR/IfUkAdjqp2dSQiSKjNUXdKkNSoZ+ErVSm3vTSbx9ju7Rk7i53so4uYIK0gGiGj1XJX8uIH/CllteLu84+ztCX+s4ouUWz0PuZYkm9B9JJ0JpqEdYS5tf7jWagMAvaluCWbHxpCNylzOCfne3Xa9X7vv4Jo0DdDMwQpyKXqa2AxBMPLVJ+hBKSTjkQUZUezfVgNjauIBOwsqwPLifxpMLOXFp2dTD98ZlfruTCOW11Wn2XeQmrVdI12ZPIDFv8ayAxQyAxo0zMQEKU4z0xuTtC+DG9KNKsxjROSWnxT0poWrL9ZZrWduLfAgTerX2HkUZ+ihQMQbAMMVSdg2JdPafW2ZX+ikjD8J/DffOYE0t4UlqucV7Vl/jwKZpcP65nKfFMK1q5oH8QvI7azt+yUHOBIcJCBSQ== nemunaire@alarm

0
content/en/post/ssh_keys.md → content/en/post/ssh_keys/index.md
View file

1
content/en/post/ssh_keys/khonsou_ed25519.pub Normal file
View file

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDO/3qKhSUbGYZBVraFo68oScJahRDNQfG+uwDQlLv7g nemunaire@khonsou

1
content/en/post/ssh_keys/ouaset.pub Normal file
View file

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBpFOv1s7mVb6XWPOLd1U+jzt5WA04CnuJVmY5TvaMhw nemunaire@ouaset

1
content/en/post/ssh_keys/oupaout.pub Normal file
View file

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN/Aa53VeE2XWjo/ItqtuLZ9Jd9oHfhzSjPl6KLEqkBS nemunaire@oupaout

1
content/en/post/ssh_keys/rescue.pub Normal file
View file

@ -0,0 +1 @@
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAgEA5oAoOMAr8RrsBmOE1kyiD6C5+qbdK0NgSS3ZlNOn4dpkD1w5hmrGwGT4O2P8vCC9o95sLRzvrxkHbs+YZhsz04uxmG4zEgS+x1BZuaQBt1V1hBWk8ldqPfZfAEauPQeQZMdKJfbJKYzecRLWIh2jK1sMx0Vmd3CfU/FwEHdlJh3oTKWFsAlukSYnql2dXG3VMzRpaRyh4uu5wFA+Ya6CE5OjcM4o9/JSfGxErK4fvnSPpbplraKqpKvEqX4XC70u5JCLlWSfJ2Es0nIeQ+0QhYxQt4MsaUCBkFoU10wyaDstWfzE4TiMBmrI+JnrbJiODUxsdoKQGS1ZS2EIP7tUjl9N/Z/x6IAPS4TxMTu9dY+k2hRVvpM1h7vwsTPxINlaoPHeni7TF3M6ksR0chQXtbsKBuCAxOnKKoB13WhQcR60G0hqK/5JSTqYiAG2hwlEJTqqcWuYIlgOpWhyQ8cfbL5Xb5SaZmADp6GOoxJxGbjOrnGMLEPcUPkok6hqt1SgegCTJa1nYmpdzutPCJYy3HCd93L8Uwr/+FBJtAY5Imu6gIgmUW+scOzjZbXRYocjClemYPz/mb7ZSuMT3OfrsqaqZ3IJnXi70l7jH6I3DXY8BOgwQM2zkfPJKWHKPrQfTdhfpBq2Nf/kvQERTfqOWGm7YMa5+dP9NUBGbuCCo8E= nemunaire@ssh

1
content/en/post/ssh_keys/seth_ed25519.pub Normal file
View file

@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH9udkt8V/GFYwa4TMz7XHdedBSTScXxTAdJDdriu/AC nemunaire@seth

1
content/en/post/ssh_keys/seth_rsa.pub Normal file
View file

@ -0,0 +1 @@
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDlU/aEbNdDHR2bAmzDY2hIowGfa9oNGyL69tzEK2cpOa+u7PwNzCzWPLytwsO9frOylNtRDiTckbVNdPxMZDkZieeZ5PqWEvWe7hbsh+xds1An2t3tEX6x3QWrxZZo2SNTgck5IqPcufBG+cFxJZlK8pZGkDwGw+x6mHJdLZL2bgMwwvutw1BSF/atF6GLZpztX/y1FM6JQpMCAsrzESoUpDD/Q7BEGb7wCYt+eq/51jUS60g0fC7ob2Xl/nhmnWUkg3U+x/DyY0foqiOMGhSaXdkerfyZMpLCURvH6sOT8EzNzzLRj66Ht8043Vqysoq+pFtj8zyTNVi76QWMkNK7avKXl+rK6dW9zAQidmZcnwPl0qAlkWQjhOgA7xe2TdTM5Yl6HXpmT6T6PHCsIggyCxgCg2ao+ptqPJ4UwvGP2bAz8uLdQp4t+q1hp825o7EtvtnJpJMTksNwOe96iCFjm90O+pmOhLTRVDtgdAknmtIovHnOrZX2zbo1XZHATRx6QOrGwIHU8drSMy878Fd9lb3HVx+595rQ7gh+2Qu87vqk1kZPTFSbn7nMB/l2ROVp4zagXzN8T7Ek3CRP/mIrzyU/3WhOGhbB+bkvWrWRRBnejxQLZkMPl9vAZ5VSNZ2K1OTHasQBy9PaMW5ucd83Jv+jl+xPoJbXsvpzbu6EHw== nemunaire@seth

100
content/en/post/user-ns-for-grsecurity/grsec-enable-user-ns.patch Normal file
View file

@ -0,0 +1,100 @@
--- /usr/src/linux-4.9.54-minipli/kernel/user_namespace.c 2017-10-14 12:27:08.718490316 +0200
+++ /usr/src/linux/kernel/user_namespace.c 2017-11-01 18:27:35.317843207 +0100
@@ -23,6 +23,9 @@
#include <linux/projid.h>
#include <linux/fs_struct.h>
+/* sysctl */
+int unprivileged_userns_clone;
+
static struct kmem_cache *user_ns_cachep __read_mostly;
static DEFINE_MUTEX(userns_state_mutex);
@@ -76,21 +79,6 @@
struct ucounts *ucounts;
int ret, i;
-#ifdef CONFIG_GRKERNSEC
- /*
- * This doesn't really inspire confidence:
- * http://marc.info/?l=linux-kernel&m=135543612731939&w=2
- * http://marc.info/?l=linux-kernel&m=135545831607095&w=2
- * Increases kernel attack surface in areas developers
- * previously cared little about ("low importance due
- * to requiring "root" capability")
- * To be removed when this code receives *proper* review
- */
- if (!capable(CAP_SYS_ADMIN) || !capable(CAP_SETUID) ||
- !capable(CAP_SETGID))
- return -EPERM;
-#endif
-
ret = -ENOSPC;
if (parent_ns->level > 32)
goto fail;
--- /usr/src/linux-4.9.54-minipli/kernel/fork.c 2017-10-14 12:27:08.678490299 +0200
+++ /usr/src/linux/kernel/fork.c 2017-11-01 18:27:35.292843341 +0100
@@ -88,6 +88,11 @@
#define CREATE_TRACE_POINTS
#include <trace/events/task.h>
+#ifdef CONFIG_USER_NS
+extern int unprivileged_userns_clone;
+#else
+#define unprivileged_userns_clone 0
+#endif
/*
* Minimum number of threads to boot the kernel
@@ -1602,6 +1607,10 @@
if ((clone_flags & (CLONE_NEWUSER|CLONE_FS)) == (CLONE_NEWUSER|CLONE_FS))
return ERR_PTR(-EINVAL);
+ if ((clone_flags & CLONE_NEWUSER) && !unprivileged_userns_clone)
+ if (!capable(CAP_SYS_ADMIN))
+ return ERR_PTR(-EPERM);
+
/*
* Thread groups must share signals as well, and detached threads
* can only be started up within the thread group.
@@ -2360,6 +2369,12 @@
if (unshare_flags & CLONE_NEWNS)
unshare_flags |= CLONE_FS;
+ if ((unshare_flags & CLONE_NEWUSER) && !unprivileged_userns_clone) {
+ err = -EPERM;
+ if (!capable(CAP_SYS_ADMIN))
+ goto bad_unshare_out;
+ }
+
err = check_unshare_flags(unshare_flags);
if (err)
goto bad_unshare_out;
--- /usr/src/linux-4.9.54-minipli/kernel/sysctl.c 2017-10-14 12:27:08.704490310 +0200
+++ /usr/src/linux/kernel/sysctl.c 2017-11-01 18:27:35.306843266 +0100
@@ -103,6 +103,9 @@
extern char core_pattern[];
extern unsigned int core_pipe_limit;
#endif
+#ifdef CONFIG_USER_NS
+extern int unprivileged_userns_clone;
+#endif
extern int pid_max;
extern int pid_max_min, pid_max_max;
extern int percpu_pagelist_fraction;
@@ -527,6 +530,15 @@
.mode = 0644,
.proc_handler = proc_dointvec,
},
+#endif
+#ifdef CONFIG_USER_NS
+ {
+ .procname = "unprivileged_userns_clone",
+ .data = &unprivileged_userns_clone,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = proc_dointvec,
+ },
#endif
#ifdef CONFIG_PROC_SYSCTL
{

0
content/en/post/user-ns-for-grsecurity.md → content/en/post/user-ns-for-grsecurity/index.md
View file

BIN
content/fr/post/post-mortem-cryptominer-on-CI-infrastructure/abuse.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 107 KiB

BIN
content/fr/post/post-mortem-cryptominer-on-CI-infrastructure/base64.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 192 KiB

BIN
content/fr/post/post-mortem-cryptominer-on-CI-infrastructure/blocked-users.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 35 KiB

0
content/fr/post/post-mortem-cryptominer-on-CI-infrastructure.md → content/fr/post/post-mortem-cryptominer-on-CI-infrastructure/index.md
View file

BIN
content/fr/post/post-mortem-cryptominer-on-CI-infrastructure/repository.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 161 KiB