What keeps GrSecurity code out of the mainline Linux kernel?

Discussion in 'all things UNIX' started by Gullible Jones, Sep 7, 2014.

  1. Gullible Jones

    Gullible Jones Registered Member

    May 16, 2013
    GrSecurity is a huge patchset. Today's stable patch for 3.14.18 is 4 MB. That's an enormous amount of code changes, which says that probably very little of it is getting into the mainline kernel.

    Why the heck not?
  2. Hungry Man

    Hungry Man Registered Member

    May 11, 2011
    It's actually a pretty small patchset in reality, when you consider what it adds.

    It's not in mainline for a few reasons:

    1) Mainline is run mostly by people with little to no understanding of security, both in terms of the mechanics behind it and the principles behind it. "A bug is a bug" won Linus a pwnie, and he deserves it. The upstream reaction to security issues is flawed and dumb.

    2) Some of the patches can be arch-specific, and I guess Linus doesn't like that. Example: PaX has had UDEREF for ages, but only with Intel adding SMAP (they are essentially the same thing) does Linux support such a thing, because it's a standard in some piece of hardware, as opposed to using the hardware in some other non-official way. It's idiotic.

    3) Brad has no intention of pushing for upstream. He doesn't like them, they don't like him, and it's obvious why: only one of them cares about security. It's been fairly blatant that Linus is abrasive; if you see him talk to PaX Team on some commits, it is usually just a lot of back-and-forth cursing.