Feature #8604

Feature #7649: Include a grsecurity-patched kernel

Evaluate a grsec kernel from corsac's APT repository in Tails

Added by intrigeri almost 5 years ago. Updated almost 4 years ago.

Status: Rejected
Priority: Normal
Assignee: -
Category: -
Target version: -
Start date: 01/08/2015
Due date:
% Done: 0%
Feature Branch:
Type of work: Code
Blueprint:
Starter:
Affected tool:

Description

corsac's repo lives there: http://molly.corsac.net/~corsac/debian/kernel-grsec/packages/

The testing procedure is roughly the same as for #8600, except that instead of adding .deb's to config/chroot_local-packages/, one should add corsac's repo to config/chroot_sources, and maybe tweak APT pinning in config/chroot_apt/preferences.


Related issues

Related to Tails - Feature #8600: Evaluate a grsec kernel from spender's build service in Tails Rejected 01/07/2015
Related to Tails - Feature #8605: Compare Debian kernel configuration with the one used in Corsac's grsec kernels Rejected 01/08/2015

History

#1 Updated by intrigeri almost 5 years ago

  • Related to Feature #8600: Evaluate a grsec kernel from spender's build service in Tails added

#2 Updated by intrigeri almost 5 years ago

  • Related to Feature #8605: Compare Debian kernel configuration with the one used in Corsac's grsec kernels added

#3 Updated by intrigeri almost 5 years ago

#5 Updated by intrigeri over 4 years ago

See http://www.corsac.net/?rub=blog&post=1573

TL;DR:

  • Yves-Alexis has finally updated the packages in his personal APT repo. That's still a 3.2 kernel.
  • Jessie's kernel (3.16) isn't a long-term branch, so there won't be a grsec patch maintained for it
  • forward-porting grsec patches from 3.14 (long-term branch) to 3.16 isn't trivial
  • Yves-Alexis has looked at Mempo's custom kernel, and wasn't more convinced by the build process than I was
  • Yves-Alexis will probably "solve" the problem for himself, and may stop publishing .deb's; he is hesitating between tracking 3.14 and using 3.19 + upgrading until a new LTS branch appears

To sum up, Yves-Alexis' APT repo can be useful for the initial evaluation of grsecurity in Tails, but it likely won't cut it as a long-term solution.

#6 Updated by intrigeri over 4 years ago

Update from corsac on that topic: http://www.corsac.net/?rub=blog&post=1575

> • Yves-Alexis will probably "solve" the problem for himself, and may stop publishing .deb's; he is hesitating between tracking 3.14 and using 3.19 + upgrading until a new LTS branch appears

Yves-Alexis has published scripts, configuration (and binary packages) for Linux 3.14.

> To sum up, Yves-Alexis' APT repo can be useful for the initial evaluation of grsecurity in Tails, but it likely won't cut it as a long-term solution.

That's still the case.

#7 Updated by intrigeri over 4 years ago

If these kernels lack aufs support, but support overlayfs, then this work will need to be based on feature/8415-overlayfs.

#8 Updated by intrigeri almost 4 years ago

  • Status changed from Confirmed to Rejected

Now that grsec landed in Debian, I guess this is not relevant anymore. Sorry if I got it wrong!

#9 Updated by intrigeri almost 3 years ago

  • Related to deleted (Feature #8415: Migrate from aufs to overlayfs)
