GRSecurity stable patches to be unavailable to general public

Discussion in 'all things UNIX' started by BoerenkoolMetWorst, Aug 27, 2015.

  1. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,865
    I'm not sure if that is correct. I'm not an SELinux expert at all but there is the sandbox -X option. Quote:

     
  2. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,828
    Location:
    UK
    Brad's Spengler says towards the end of the announcement:

    "If this does not resolve the issue, despite strong indications that it will have a large impact, we may need to resort to a policy similar to Red Hat's, described here or eventually stop the stable series entirely as it will be an unsustainable development model."

    This implies to me that they are still in negotiation/challenge mode, though have chosen not to go down the legal route (for obvious reasons). I guess they still have some leverage because they haven't outed the companies, and are effectively still giving them the opportunity to make amends.

    I'm particularly interested in the reference to the Red Hat model, because really, providing I trusted the operators, I would actually like/prefer to pay for a subscription to a supported hardened desktop distribution including grsecurity/Pax and Firejail, with tested updates included. While I can do this for myself, I don't really have time. I wonder if that's how a sponsored version could make it out into the market, as well as rewarding people doing this difficult work?

    Personally, I don't want to touch SELinux with a bargepole, and the most important protections are zero-day hardening from kernel attack and the ability to use various forms of containerisation properly. If the kernel developers could get slightly less complacent and include important aspects of grsecurity and Pax, that would be much better, I simply don't believe in the performance argument, and in any case, if done properly, that could be controlled by config files.
     
  3. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,098
    Location:
    Brasil
    You don't get, do ya? You DON'T need an antimalware for that. Just by using linux-grsec and firejail you'll put all exploits to the ground, they will all fail.

    Like I said, maybe Linux isn't for you. You're better on Windows.
     
  4. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    740
    Location:
    United States
    @zakazak Notice that none of the solutions put forth by that paper mention anti-malware programs.
     
  5. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    9,872
    For a good reason. No need to bloat the kernel and add problems that could break ABI when there's no practical justification/value to the extras.
    Mrk
     
  6. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    740
    Location:
    United States
    Many concepts created by Grsec/Pax have been appropriated by the Linux kernel over the years so the reality is quite different. If there was absolutely no reason to import those features they would never have done so. Furthermore the existence of LSM's also speaks loudly in that regard.

    So in the real world kernel developers have found a need to harden the kernels using features you describe as having no practical justification. I didn't make those decisions so it appears you need to address that with them.
     
  7. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,828
    Location:
    UK
    The threat landscape has changed; and the people involved in the kernel seem to have a problem with acknowledging that, and that people have different stances they want to adopt. LSMs are equivocal, and why does it have to be so hard? I agree with the sentiment in the presentation above, about the facilities are fine but don't protect the users and the applications.
    By contrast, although Windows has way more to attack, at least I can pop Emet and Sandboxie on, which is kind-of Pax and Firejail.
    I do agree, incidentally, that X is the other big bugbear in the equation for desktop systems.
     
  8. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,865
    At least some prominent kernel developers do acknowledge that.
    Why do you think so?
    Well, that will change before long with Wayland.
     
  9. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,828
    Location:
    UK
    Thank, I had read the kernel discussion, and obviously grsec does have some traction in the Debian community. But wholesale grsec inclusion has been vetoed by Torvalds, and adoption of its methods (or similar) way too slow.
    The equivocal nature of LSM is highlighted in this wiki summary:
    https://en.wikipedia.org/wiki/Linux_Security_Modules#Criticism
    - I don't understand the full implications of the criticisms, but the fact is that a proportion of the people proposing such modules are unhappy isn't good, and I suspect the poor old user won't be much better off, because all that will happen is that the patches will be smaller.
    Do you have any information on the nature of Wayland in respect of its hardening behaviour? - obviously X required grsec switches, and some gcc checking couldn't be used; and SELInux was much harder on a desktop.
     
  10. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,865
    Not only in the Debian community. There is, e.g., Arch Linux which offers a grsec kernel (actually two of them including a LTS kernel), Gentoo, and some other smaller distros.

    Quote:
    More details here.
     
  11. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,098
    Location:
    Brasil
    The problem with implementing grsecurity+pax by default is that it's too impractical for most uses. Most people that are comming from Windows don't even know what bash is, let alone tunning down the system security if such implementations were added by default. Linux already is a shame when it comes to Desktop Market Share, it would just get worse if the system was too secure by default.
    Of course, this doesn't mean SOME of those mitigations shouldn't go into the "master" kernel. If they are implemented in such a way that it doesn't interfere with some of the most common applications (and sadly that includes proprietary software Steam) than I'm more than OK with them.

    Most popular distribuitions already offer easy access to grsec and pax anyways, so those who actually want it and need it will know how to install them.
     
  12. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Your posts are always worth a laugh or two. Thanks for having consistently terrible opinions.
     
  13. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    740
    Location:
    United States
    Just to get this clear for myself - the stable version will no longer be available to the public but custom kernels will still be available?

    They also sell a service on their store and that's still up. $15 one time $34 for 3 updates over 6 mos. You tell them what distro you are using - it has to be Ubuntu, Fedora, Debian or CentOS or a derivative of one of those including Linux Mint, KUBUNTU, XUBUNTU, etc. - 40 minutes later they have a kernel built for you.

    "For just 15 USD via Paypal or Bitcoin, our service compiles a kernel with the base distro config of your choice and sends you a private link when the build is complete. The link will provide you with the binary packages, all associated source code, and simple installation instructions. Update plans offer significant cost savings."
     
  14. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529
    So e.g. the Arch Community could get together and split the 15$ across 500 people? Doesn't sound like a big deal to me ?
     
  15. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    740
    Location:
    United States
    That's for individuals.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.