#1 2017-04-27 23:51:15

osteichthyes
Member
Registered: 2016-04-20
Posts: 38

What to do about Grsecurity

Hello all,

As you may have seen, Grsecurity killed support for the test patchset yesterday. I am writing to see what interest or plans exist for keeping the grsec/pax patchsets alive. They seem like pretty crucial security patches, and the final releases are at least on LTS kernels. The post made it sound like the Grsecurity folks were open to an independent fork being made, potentially with work from Gentoo Hardened. I reached out to Grsecurity to ask about a personal license. If they will grant access to the test (now beta) branch for individual users at some reasonable price, perhaps the package could live on in the AUR, with folks buying their own licenses. It seems their issue is not individual users, but corporate use without citation -- they may be open to us and Gentoo Hardened continuing to use the patchset gratis, as long as we make individual accounts, and agree not to use the patches for corporate purposes.

I guess I'm posting to see if anyone has any ties to the folks at Gentoo Hardened and/or with Grsecurity. My hope is that personal users at Gentoo and Arch could work together to either fork the patchset, or to gain some sort of individual use licenses.

I'm not really sure who to contact or work with here, I know Stinger maintains the package in the repos -- but this will likely need to be some sort of community effort.

Thanks!

~~~~

Last edited by osteichthyes (2017-04-27 23:55:16)

#2 2017-04-28 01:55:34

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 30,424

Re: What to do about Grsecurity

There is a thread on the ML that covers this pretty comprehensively.
https://lists.archlinux.org/pipermail/a … 43604.html


Arch + dwm   •   Mercurial repos  •   Surfraw

Registered Linux User #482438

#3 2017-04-28 22:20:51

osteichthyes
Member
Registered: 2016-04-20
Posts: 38

Re: What to do about Grsecurity

I saw a few comments from the thread elsewhere, but had not read the entire thread. Thanks.

For lack of greater insight -- this is a bummer. The kernel security team seemed reticent to accept Spender's submitted patches, and I recall his regular frustration with their patching and reporting.
I reached out to Grsecurity to inquire about individual licensing. I can envision a scenario where individual users purchase access under a somewhat restrictive license (single machine, etc.), and it could live on in the AUR.

Grsecurity is a cool project, and while I lack the technical abilities to meaningfully contribute to the patches, I'd happily take on some role in the building/packaging/maintaining side of things. I noticed the ML mentioned a lack of time to maintain the package. I know building/packaging is only a very small portion of that, but I would guess that there are other volunteers willing to help out if we can.

#4 2017-04-30 03:10:34

gregfrankenstein
Member
Registered: 2015-09-12
Posts: 26

Re: What to do about Grsecurity

A couple of developments today:

One is that the people at Alpine Linux put out a patch for 4.9.25 after renaming their linux-grsec package to linux-hardened.  Given that I cloned the source of linux-grsec recently with asp, I still had the PKGBUILD and associated files for the Arch version lying around, so I edited it to build with Alpine's patch and my kernel is working like always.  I don't know where they got it from or whether they'll have patches going forward, but it's something.

The other is that a linux-hardened package has appeared in the Arch repository.  In its current state, it looks like it's basically a vanilla kernel with a few config tweaks (not all the config tweaks that were present in linux-grsec either), but it's maintained by thestinger and it's only been up a few hours.

In short, I'm optimistic.

#5 2017-05-01 01:52:03

osteichthyes
Member
Registered: 2016-04-20
Posts: 38

Re: What to do about Grsecurity

It appears to basically follow this: https://kernsec.org/wiki/index.php/Kern … on_Project

If it is at all helpful, I have the PKGBUILD and the patches.

Last edited by osteichthyes (2017-05-01 01:53:45)

#6 2017-05-01 02:05:49

osteichthyes
Member
Registered: 2016-04-20
Posts: 38

Re: What to do about Grsecurity

This may be the most promising development thus far:

https://wiki.gentoo.org/wiki/Hardened/H … el_Project
