<< | Thread Index | >> ]    [ << | Date Index | >> ]

Subject: Re: CIPE statically compiled into kernel?
From: ewheeler,AT,kaico,DOT,com
Date: Wed, 24 Apr 2002 19:13:20 +0200
In-reply-to: <3CC554AB.A804055A@tac.ch>

I know that the old 2.2.x crypto packages on kerneli.org (Speaking of,
what ever happened to kerneli?) contained CIPE support, and you could say
"Y" and it would be static.  At the time, however, I had no need for VPN.

--Eric

On Tue, 23 Apr 2002, Roberto Nibali wrote:

> Hi Roland,
> 
> > is it possible to compile CIPE statically into the kernel? how? :-)
> 
> Well technically you could make a patch to the kernel to link the
> cipe code statically. But what do you gain? And it generally is a PITA
> to do this since you need to patch subsystems of the kernel to export
> symbols for the specific code and all the other fun you will encounter 
> when doing that.
> 
> I could, however, also be mistaken and Olaf has already provided a
> patch for linking CIPE statically into the kernel. I haven't checked
> the newest code in a while.
>  
> > (We don't support LKMs on our production servers to prevent abuse...)
> 
> :) Yet again someone that thinks by disabling lkm he'd be safe. May I
> suggest you read [1]? You gain _no_ security by disabling lkm! You need
> either capabilities or type enforcement on loading modules. As long as
> you have a mean to allow a potential fellow cracker to get r00t on your
> box, you're unsafe. A very promising project for linux implementing a
> clean API for such >C2 systems is [2]. Together with [3] you can even
> start using it for productive systems.
> 
> I apologize to the other readers of the list for this slightely OT
> glitch of mine. 
> 
> [1] http://www.phrack.com/show.php?p=58&a=7
> [2] http://lsm.immunix.org/
> [3] http://www.nsa.gov/selinux/
> 
> Best regards,
> Roberto Nibali, ratz
> 
> 

-- 

Eric Wheeler
Network Administrator
KAICO
20417 SW 70th Ave.
Tualatin, OR 97062
www.kaico.com
Voice: 503.692.5268





<< | Thread Index | >> ]    [ << | Date Index | >> ]