Grsecurity patches going private

Discussion in 'all things UNIX' started by daario, Mar 31, 2017.

  1. daario

    daario Registered Member

    Joined:
    Jul 14, 2016
    Posts:
    24
    Location:
    Earth
    Grsecurity testing patches are going private as well. Patchsets for kernel 4.9 are the last ones.

    This means that Arch Linux and a few other distributions, which make kernel with grsecurity easy to install and use, are losing a quite important security feature as the Linux kernel itself is not particularly hardened.

    I didn't find anything on it here and figured some people may not know it yet and would want to know.

    As to alternatives, I have no idea...
     
  2. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,772
    Source? I couldn't find an announcement.
     
  3. daario

    daario Registered Member

    Joined:
    Jul 14, 2016
    Posts:
    24
    Location:
    Earth
    Sorry, I didn't look for a one, I kinda doubt that there's any. Source is the maintainer of the linux-grsec package for Arch.
     
  4. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,088
    Location:
    Brasil
    But do you have any links we can check? I doubt the maintainer would say something like that if he/she themselves didn't have a very good and solid source to back such claim.
     
  5. daario

    daario Registered Member

    Joined:
    Jul 14, 2016
    Posts:
    24
    Location:
    Earth
    It's not announced, he was told and I was told by him. So sorry, no links at all.

    I'm very unhappy to hear this as well. They didn't get much back from the community for sure, but I did not expect that they'd actually give up on the community. Just thought it's a good information to share...
     
  6. Anonfame1

    Anonfame1 Registered Member

    Joined:
    May 25, 2016
    Posts:
    224
    Look at their website. I cant find any place to download the code for the development release. **EDIT** WRONG on my part.

    I could be wrong about this but it seems their forums are different now too. I cant verify the forums or grsecurity.net because neither are on archive.org. **EDIT** Not sure on this, but given my WRONG conclusion above, lets reserve judgement for now.

    **EDIT** I have heard the OPs rumor before (in IRC) too but dismissed it. It wouldnt surprise me now if its in fact true. It would appear Spender lost the faith; use the OSS community to build (via bug reports/community testing/forums) and entrench your product (offer it free with code open, get distros using it, get mentions of it everywhere), then pull the rug out from under the community and make it only available for a price. Either that or he got tired of doing something for very little compensation?

    If its true, I cant say it surprises me; money is a powerful motivator and hes prolly trying to cash in on a gold mine.

    **LATE EDIT** Man, think of the effects that this could have in the Linux sphere. Subgraph? Dead. Alpine? Dead. Gentoo Hardened? No more grsecurity patching. Arch? Goodbye linux-grsec. Debian? So much for Sid having a grsec kernel. Unless these projects are prepared to fork- and that would be a ton of work as new kernel versions come in- they're doomed. I'm not an expert here so I dont want to create hysteria, but this could really suck...
     
    Last edited: Mar 31, 2017
  7. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,772
    No, it's still available on their download page.

    Yes, but let's wait if @daario 's info really comes true.
     
  8. Anonfame1

    Anonfame1 Registered Member

    Joined:
    May 25, 2016
    Posts:
    224
    I missed the download link at the bottom of their support page. You are correct; apologies.
     
  9. accessgranted

    accessgranted Registered Member

    Joined:
    Mar 10, 2010
    Posts:
    205
  10. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,088
    Location:
    Brasil
  11. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    9,700
    Well, security is meaningless if it affects usability. Kernel hardening for home use, really unnecessary.
    So this is more of a nice-to-enjoy for people who like security rather than anything important.
    Mrk
     
  12. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,088
    Location:
    Brasil
    Really a subjective matter.

    If you don't mind using a Kernel that is vulnerable in many fronts, by all means use vanilla Linux. However, saying that "Kernel Hardening for home users is really unnecessary" is just plain ridiculous.

    I see, security is not an important "thing" for you, Mr "Linux Expert".
     
  13. daario

    daario Registered Member

    Joined:
    Jul 14, 2016
    Posts:
    24
    Location:
    Earth
    I never understood this. Security is about a compromise, and always has been. You have to give up something to achieve higher security.

    This applies in real life as well for such is the way our society works. We all give up on a few of our rights in order to live in a more secure society.
     
  14. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    9,700
    @amarildojr, saying the kernel is vulnerable on some many fronts is - subjective and ridiculous. What vulnerabilites? If you ignore the hype, just use your system and relax. Now and then a local vulnerability is discovered. Okay, so? Don't let your family members exploit it and get to the root shell. And security is important, but it's not the holy grail, and certainly not the first thing on my list. Most of it is overblown Internet drama.

    @daario, in some aspects of life yes. Even then though, it's unnecessary drama to keep people compliant. Computers? Meh.

    Mrk
     
  15. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,354
    Very few bugs get patched, because flaws seldom turn out to be mission-critical.

    And for most users, their systems run just fine as is. Given human nature, bugs are expected.

    Life isn't perfect.
     
  16. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    737
    Location:
    United States
    ChromeOS uses it also but Google can probably move on easier than most. Alpine already forked awhile ago.

    https://forums.grsecurity.net/viewtopic.php?f=3&t=4254

     
  17. Anonfame1

    Anonfame1 Registered Member

    Joined:
    May 25, 2016
    Posts:
    224
    Thats good news in regards to Alpine. Alpine would be a great base for Mirimir's multiple VM approach to security- its pretty light, is fairly non-standard, has a port of grsecurity features, has solid package hardening, has gradm in its repos (to make an RBAC policy), has libvirt and virt-manager in its repos, has firejail in its repos, and for now seems to be an active project with decent upgrade times. No apparmor though, so you'd prolly want to run its fixed release and just upgrade between stable releases (RBAC is a massive pain on rolling release).

    In regards to developments of the thread title, I have noticed some interesting facts based on past experience and current information that suggest the OPs information might be valid.

    Generally in my experience with Arch, linux-grsec tracked with the main Arch kernel "linux." Sometimes linux-grsec would get updated even before "linux," and sometimes it would be a day or two after. GRsecurity would release a patch generally the day-of or the day-after for the latest stable kernel (as listed on kernel.org), and the linux-grsec maintainer would generally patch shortly after.

    Now, linux-grsec is currently tracking roughly the same version as Arch's "linux-lts" kernel which is now in the 4.9.x series. The linux-grsec maintainer, Daniel, is prolly busy with Copperhead which he devs as currently linux-grsec is 4.9.20, but knowing his maintainer habits he will probably update very soon.

    GRsecurity's test branch seems to be no longer issuing patches beyond the 4.9.x series just as the OP suggests; whereas their test patches generally tracked the stable kernel, it now seems to track the "longterm" 4.9.x series. Daniel has responded by pinning the kernel version he maintains with the version supported by the latest test patch (which so far appears to be 4.9.x only).

    Where I'm going with this: kernel.org lists the 4.9.x series as having long term support (backported stability and security patches) until January of 2019, roughly 1 year and 9 months from now. It remains to be seen if Daniel will continue building linux-grsec on the 4.9.x series until the end of its long term support series or not. It also remains to be seen if Debian- which had just recently packaged a grsecurity kernel for Sid and had backported a grsecurity patched kernel for Jessie- will offer a grsecurity kernel for Stretch... which it just so happens will be using the 4.9.x series as its kernel.

    Us grsecurity kernel users have some time, but in the end a move to something like Alpine (with multiple VMs), Qubes, or possibly Subgraph (assuming that they like Alpine choose to fork the grsecurity code) might be necessary. Of course, one could consider paying GRsecurity for their patch, but then one would need to recompile their distros kernels as they are released, have a .config with the desired GRsecurity settings, might run into issues with their distro version vs. what he devs the patches for, etc. Not a terrifying prospect on Arch, but for distros where kernel compilation isnt aided by something like ABS, it could be painful.

    Please correct me if anyone out there knows I'm wrong on something here, or provide additional information if you have it.
     
  18. daario

    daario Registered Member

    Joined:
    Jul 14, 2016
    Posts:
    24
    Location:
    Earth
    I'm not sure about that, last time I spoke to him, he didn't look like he wanted to spend any time on maintaining something which will be gone soon...

    And of course it's on 4.9.x, there aren't and aren't gonna be public patches for higher versions. ;) On the other hand, I'm glad it's not on 4.10.x, I find these kernels very unstable and buggy...

    Not familiar with that approach, but sounds like everything is isolated, so I don't see why AppArmor would be of any use. But that's OT.
     
  19. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    737
    Location:
    United States
    Right from the horses mouth

    https://paste.debian.net/hidden/491e73cb/

     
  20. daario

    daario Registered Member

    Joined:
    Jul 14, 2016
    Posts:
    24
    Location:
    Earth
  21. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    737
    Location:
    United States
    Their comparison matrix & notes especially in regard to the kernel self protection project show the vast differences in protections.

    https://grsecurity.net/compare.php
     
  22. Anonfame1

    Anonfame1 Registered Member

    Joined:
    May 25, 2016
    Posts:
    224
    linux-grsec no longer in Community for Arch (nor is it on the AUR of course). Im sitting on the latest 4.9 linux-grsec that was released, but as soon as a security flaw is found, ill either have to move to alpine, or switch to the vanilla linux kernel.
     
  23. daario

    daario Registered Member

    Joined:
    Jul 14, 2016
    Posts:
    24
    Location:
    Earth
    Just build it yourself. Or get used to using vanilla and have faith in KSPP. ;)
     
  24. Anonfame1

    Anonfame1 Registered Member

    Joined:
    May 25, 2016
    Posts:
    224
    I dont have faith in KSPP, and building it yourself is easier said than done (I think) :D

    Correct me if I'm wrong, but the grsecurity patchset must be tweaked with every kernel revision.

    So, a grsecurity patchset for a 4.9.24 kernel wont work on a 4.9.23 or 4.9.25 kernel. I am competent enough at patching, but I dont trust myself enough to do it right in secure terms and with every little revision.

    For now, Alpine is the only clear option to retain some of grsecurity's protections without extensive self-patching (or buying grsecurity, though its supposed to be pretty expensive).

    There is this little tidbit from an answer in /r/gentoo on reddit:

    I tried to find anything corroborating that, but I cant seem to find anything. Its either buried in a mailing list, it was discussed on IRC in #gentoo-hardened on freenode, or its a rumor with no substance.

    https://www.reddit.com/r/Gentoo/comments/67qecx/future_of_gentoo_hardened/
     
  25. Balthazar

    Balthazar Registered Member

    Joined:
    Nov 8, 2013
    Posts:
    166
    Location:
    Earth
Loading...
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.