
#1 2013-04-10 03:06:08

stealthy
Member
Registered: 2011-05-02
Posts: 67

Grsecurity/PaX patches in default kernel

Is it possible to get the Grsecurity/PaX patches in the default Arch Linux kernel? (What would I need to do?) I've been playing with it for a little while now and it's not really that difficult to compile. Maybe we could keep the RBAC disabled by default, and leave everything else enabled. Phects has an AUR package (linux-grsec and linux-grsec-lts) if anybody wants to try it out. I've personally been doing it by hand so I know what's happening (downloading the kernel with abs and adding the patches). It seems like a reasonable thing to do for security.


Grsecurity/PaX
http://grsecurity.net/

AUR
https://aur.archlinux.org/packages/linux-grsec/


clipodder-git A small simple cron-friendly podcast downloader, with support for arbitrary user defined media types (pdf, html, etc...)


#2 2013-04-11 09:03:03

stealthy
Member
Registered: 2011-05-02
Posts: 67

Re: Grsecurity/PaX patches in default kernel

Ok how about this:

The current linux kernel is obtained with abs and patched and made into a package with the RBAC disabled by default. This way you can install linux-grsec and linux-grsec-lts from the official repo instead of using the AUR.



#3 2013-04-11 11:46:01

Lone_Wolf
Member
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 4,242

Re: Grsecurity/PaX patches in default kernel

Many devs don't follow the forum; I suggest you post this on the arch-general mailing list.

One of the questions you're likely to get:

grsecurity/PaX appears to have been around for a long time (since the Linux 2.2 kernel, I think); if it's so great, why are those patches not included in the mainline kernel tree?

Last edited by Lone_Wolf (2013-04-11 11:46:20)


Booting with apg Openrc, NOT systemd.
Automounting: not needed, I prefer pmount
Aur helpers : makepkg + my own local repo === rarely need them


#4 2013-04-11 13:14:29

stealthy
Member
Registered: 2011-05-02
Posts: 67

Re: Grsecurity/PaX patches in default kernel

I've been following arch-dev, I'll sub to arch-general too. I was on the IRC and I asked that question, and the answer was "because spender is not a PR guy". Maybe it's because SELinux has had better backing. Gentoo has been using it: http://www.gentoo.org/proj/en/hardened/grsecurity.xml (I'm not sure for how long, though).



#5 2013-04-11 15:25:55

brebs
Member
Registered: 2007-04-03
Posts: 3,427

Re: Grsecurity/PaX patches in default kernel

I expect that Arch would require that the patchset be available as soon as the kernel is released, every time. Otherwise, other users would moan about the delay.

Can you guarantee the availability? I expect not, so AUR is the place for it.


#6 2013-04-11 16:09:50

Stebalien
Member
Registered: 2010-04-27
Posts: 1,218

Re: Grsecurity/PaX patches in default kernel

You might be able to convince a TU or a dev to maintain a linux-grsec kernel; however, Arch generally avoids patching software. I highly doubt you will be able to convince the devs to include it by default. Also, the "general" GRSecurity config wouldn't include many of the cool features it provides, to maintain compatibility and performance.


Steven [ web : git ]
GPG:  327B 20CE 21EA 68CF A7748675 7C92 3221 5899 410C
Do not email: honeypot@stebalien.com


#7 2013-04-18 02:22:08

stealthy
Member
Registered: 2011-05-02
Posts: 67

Re: Grsecurity/PaX patches in default kernel

brebs wrote:

I expect that Arch would require that the patchset be available as soon as the kernel is released, every time. Otherwise, other users would moan about the delay.

Can you guarantee the availability? I expect not, so AUR is the place for it.

As for now, the patches have been coming out as soon as a new kernel is released (listed here: http://grsecurity.net/test.php). I don't know if it could be guaranteed, though. And the Grsecurity config can be changed with sysctl, and IIRC you can leave everything disabled by default.



#8 2013-12-16 23:49:11

hunterthomson
Member
Registered: 2008-06-22
Posts: 794

Re: Grsecurity/PaX patches in default kernel

Old thread, but I cannot let these questions go unanswered.

Lone_Wolf wrote:

Many devs don't follow the forum; I suggest you post this on the arch-general mailing list.

One of the questions you're likely to get:

grsecurity/PaX appears to have been around for a long time (since the Linux 2.2 kernel, I think); if it's so great, why are those patches not included in the mainline kernel tree?

Three reasons:

1) Kernel vulnerabilities cannot wait 10 weeks.

2) 80% of the reason grsec & PaX exist is because the Linux core devs are anti-security. Every little security feature in mainline took years of convincing just to get its worthless chopped-down version committed. Forget security patches.

"If it can't be done in LSM, it can't be done in Linux."

3) "Kernel space will never break user space." Well, sounds like a darn good motto..... Hmm, until you want to put that kernel on the Internet. Maybe some exceptions can be made? NO!

brebs wrote:

I expect that Arch would require that the patchset be available as soon as the kernel is released, every time. Otherwise, other users would moan about the delay.

Can you guarantee the availability? I expect not, so AUR is the place for it.

Agreed.
Luckily, it would be the other way around. It is very, very common to have 3-10 grsecurity patches in the lifespan of one *.*.X release.
There have already been 3 patches for 3.12.5.

Stebalien wrote:

You might be able to convince a TU or a dev to maintain a linux-grsec kernel however,  Arch generally avoids patching software. I highly doubt you will be able to convince the devs to include it by default. Also, the "general" GRSecurity config wouldn't include many of the cool features it provides to maintain compatibility and performance.

Arch is Vanilla.
I don't have any hope, or really care that they do. However, just to be clear: no, nearly everything could be compiled in by default. Simply have them disabled by default. Then the user can enable them with sysctl. Only /sys restrictions would have to be disabled, but /proc restrictions can be un/set with sysctl.

I'm currently running on a 100% all features On grsecurity/PaX kernel + Xorg - XFCE - Bla - 'Laptop'. No problems at all. Zero. Even Privileged IO is disabled ( KVM finally solved that problem ).

What would be nice is if Arch would run this before building any more packages.

sed -i 's/-fstack-protector/-fstack-protector-strong/' {./Makefile,/etc/makepkg.conf}

--
I just ordered a 6-core CPU for my home (soon build server). This way I'll be able to run Hardened Gentoo without frying my laptop compiling software all the time... However, I'm 'really' wanting to just go it alone and grab Gentoo's hardened toolchain, then recompile Arch Linux. Boy, can you imagine how fracking amazing Arch would be if it was compiled with position independence and full stack protection.


OpenBSD-current Thinkpad X230, i7-3520M, 16GB CL9 Kingston, Samsung 830 256GB
Contributor: linux-grsec
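The arrangement stealthy (#7) and hunterthomson (#8) describe, with the grsecurity options compiled in but left off until the admin turns them on with sysctl, has one ordering detail worth showing: kernel.grsecurity.grsec_lock makes the rest of the kernel.grsecurity.* keys read-only once it is 1, so it has to be the last thing set. The script below is an added example, not code from this thread or from the linux-grsec package. The sysctl key names are real grsecurity keys, but the particular set in WANTED is an illustrative assumption, and the `sysctl -a` snapshot is constructed so the script can be exercised on a kernel that does not carry the patches.

```shell
#!/bin/sh
# Added example (not from the thread). Given a snapshot of the current
# kernel.grsecurity.* sysctl values, report which wanted toggles are still
# off or not compiled in, and emit the sysctl -w commands to turn them on,
# with grsec_lock last: once grsec_lock is 1 the other grsecurity sysctls
# cannot be changed again until reboot.

# Toggles we want on. Real grsecurity key names; the selection itself is an
# assumption for illustration, not a recommendation from the thread.
WANTED='kernel.grsecurity.dmesg
kernel.grsecurity.exec_logging
kernel.grsecurity.disable_priv_io
kernel.grsecurity.chroot_deny_mount'

# Constructed stand-in for: sysctl -a 2>/dev/null | grep '^kernel.grsecurity'
SAMPLE_SYSCTL='kernel.grsecurity.dmesg = 0
kernel.grsecurity.exec_logging = 1
kernel.grsecurity.disable_priv_io = 0
kernel.grsecurity.chroot_deny_mount = 0
kernel.grsecurity.chroot_deny_chroot = 1
kernel.grsecurity.grsec_lock = 0'

# grsec_value KEY: print the value of KEY from "key = value" lines on stdin;
# exit 1 if the key is not present (the option was not compiled in).
grsec_value() {
    awk -v k="$1" '$1 == k && $2 == "=" { print $3; found = 1 }
                   END { if (!found) exit 1 }'
}

# grsec_locked: succeed if grsec_lock is already 1 in the stdin snapshot.
grsec_locked() {
    [ "$(grsec_value kernel.grsecurity.grsec_lock)" = "1" ]
}

# grsec_missing: print "KEY VALUE" for each WANTED key whose current value
# is not 1; VALUE is "absent" when the kernel does not expose the key.
grsec_missing() {
    snapshot=$(cat)
    for key in $WANTED; do
        val=$(printf '%s\n' "$snapshot" | grsec_value "$key") || val=absent
        [ "$val" = "1" ] || printf '%s %s\n' "$key" "$val"
    done
}

# grsec_plan: emit the commands that move the system to the WANTED state,
# then set the lock. Dry run by design: pipe the output into sh as root
# to apply. Returns 1 without a plan if the lock is already set, since
# sysctl -w would only fail at that point.
grsec_plan() {
    snapshot=$(cat)
    if printf '%s\n' "$snapshot" | grsec_locked; then
        echo '# grsec_lock is 1: changes need a boot-time sysctl.d drop-in and a reboot'
        return 1
    fi
    printf '%s\n' "$snapshot" | grsec_missing | while read -r key val; do
        if [ "$val" = absent ]; then
            printf '# %s not present: option not compiled into this kernel\n' "$key"
        else
            printf 'sysctl -w %s=1\n' "$key"
        fi
    done
    echo 'sysctl -w kernel.grsecurity.grsec_lock=1'
}

# Demo on the constructed snapshot. On a grsecurity kernel, feed it
# sysctl -a 2>/dev/null | grep '^kernel.grsecurity' instead.
printf '%s\n' "$SAMPLE_SYSCTL" | grsec_plan
```

On the constructed snapshot the plan is three `sysctl -w ...=1` lines (dmesg, disable_priv_io, chroot_deny_mount; exec_logging is already on) followed by the lock. For a persistent setup the same keys belong in a sysctl.d drop-in, with grsec_lock ordered last there as well.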


#9 2013-12-17 22:18:28

Gentoo64
Member
Registered: 2012-02-14
Posts: 4

Re: Grsecurity/PaX patches in default kernel

What's the point of having this in a default kernel (disabled by default or not) when it can be downloaded elsewhere?

I use Gentoo with the full hardening, toolchain, all options on, etc. with an Nvidia binary driver. You do have to mess with some stuff, like compiling cairo with certain GPU features disabled in order to use Nvidia accel, disabling mprotect on things that use OpenGL, etc. Some things with systemd don't work with grsec proc restrictions (although it works fine for my needs). I also use the i3 WM; I can imagine DEs like GNOME would require quite a bit of messing around to get working smoothly.

What I'm saying is, if you want this hardening you might as well take a few seconds and download a kernel that isn't default. As grsec patches don't come out straight away, especially on major kernel releases, it would mess up the timing of releases, and you would also get a ton of people who don't know what they're doing playing with these "new" features, wondering why their system doesn't work.

Last edited by Gentoo64 (2013-12-17 22:19:04)
