stable kernel

Postby cdp_xe » Sun Dec 10, 2006 5:10 pm

Hi,

we currently use kernel 2.4.33.3 in 'hardened linux' as the default kernel, including the grsec patch. Since we are discussing switching to kernel 2.6, we need a grsec patch that applies on a stable 2.6 kernel.

Is there some grsec patch backport for kernel 2.6.16.35?

since we need a very stable kernel, we do not really want to apply the grsec-2.6.19 patch I found in ~spender/, but the 2.6.18.2 patch is also not a very good choice since 2.6.18.5 is already out.

any ideas?

I plan to use 2.6.18.2, patch it with grsec, and then apply the kernel patches 2.6.18.3+4+5. (I would prefer a 2.6.16.35 kernel...)

What do users say about the stability of linux >=2.6.17.x with grsecurity?

--cdpxe
cdp_xe
 
Posts: 7
Joined: Wed Oct 04, 2006 6:35 am

Postby Hal9000 » Sun Dec 10, 2006 8:25 pm

i am running 2.6.17.11-grsec for 90 days now, works wonderfully.
since there are no major security issues in that kernel for my system, i'm not planning to upgrade anytime soon...

i know kernel 2.6.16.x has got a "special" treatment by being maintained as a "stable" series, so i don't quite understand why the grsec team chose not to support 2.6.16.x and instead go on supporting newer versions, which imho results in more work for them.

if 2.6.18.5 doesn't have any security issues fixed concerning your configuration over 2.6.18.2, i wouldn't worry about using a 2.6.18.2-grsec kernel.

oh by the way, if the 2.4.x kernel works fine on your hardware, there is no real urge to switch ;)
Hal9000
 
Posts: 78
Joined: Wed Jun 16, 2004 2:40 am

Re: stable kernel

Postby PaX Team » Wed Dec 13, 2006 5:37 pm

cdp_xe wrote: Since we are discussing switching to kernel 2.6, we need a grsec patch that applies on a stable 2.6 kernel.

there is no such thing as a 'stable 2.6 kernel', at least nothing in the sense that 2.4 was considered stable.

cdp_xe wrote: Is there some grsec patch backport for kernel 2.6.16.35?

not to my knowledge, and we support the last 'stable' release only.

cdp_xe wrote: since we need a very stable kernel, we do not really want to apply the grsec-2.6.19 patch I found in ~spender/, but the 2.6.18.2 patch is also not a very good choice since 2.6.18.5 is already out.

any ideas?

yes - bad choice. the 2.6 port of PaX at least is far from what i consider stable; my todo list just to catch up with past 'stable' changes doesn't want to decrease as fast as i'd like. therefore you're always best off (as much as it can be good to rely on 2.6) by using the latest PaX and grsecurity. not to mention that new features like UDEREF won't be backported to previous 2.6 versions (nor 2.4 versions, for that matter, but at least it should be easier for a third party to do it there than for 2.6).

cdp_xe wrote: What do users say about the stability of linux >=2.6.17.x with grsecurity?

check the forum, some are apparently happy (at least they're not complaining), some have problems, but we don't always know whether that's due to 2.6 itself or grsecurity.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Re: stable kernel

Postby bplant » Thu Dec 14, 2006 6:50 am

PaX Team wrote: there is no such thing as a 'stable 2.6 kernel', at least nothing in the sense that 2.4 was considered stable.

cdp_xe wrote: Is there some grsec patch backport for kernel 2.6.16.35?

PaX Team wrote: not to my knowledge, and we support the last 'stable' release only.

I realise that the current kernel development model doesn't facilitate the production of super stable 2.6 kernels, but if the 2.6 series is considered unstable, then why not take advantage of the 2.6.16 series? This series only contains bugfixes (much like the 2.4 series), and the same could be done for PaX/grsec. This should only require minimal effort to maintain the PaX/grsec patch.

Based on the minimal changes to the 2.6.16 series, there would even be a good chance that the PaX/grsec patch would not require updating for every new kernel in the 2.6.16 series, so all that's required is a starting point (current 2.1.9 PaX/grsec patch released for the latest 2.6.16 kernel). I see the 2.6.16 series as an opportunity to help create a more stable kernel in a possibly not so stable release cycle.

I, along with everyone else, appreciate all the work that you and spender put into the patches and I don't want to be ungrateful. I just feel that releasing a patch for the 2.6.16 series could benefit a lot of people that can't use a 2.4 kernel, but are concerned about the stability of the 2.6 series.

Cheers,

Brad
bplant
 
Posts: 73
Joined: Sat May 28, 2005 10:36 pm

Postby cdp_xe » Mon Dec 18, 2006 6:26 am

btw. we now use 2.6.18.5 in combination with the grsec-2.6.18.2 patch, since many of our users need the hardware support of 2.6.x kernels.

If a 2.6.16.x patch of grsec were available, we would possibly switch to this release.
cdp_xe
 
Posts: 7
Joined: Wed Oct 04, 2006 6:35 am

Postby ra » Wed Dec 20, 2006 4:19 pm

I would also appreciate a grsecurity patch for >= 2.6.16.36 .
Spender, is there any chance you will support the 2.6.16.x tree?

Currently the only problem applying the grsecurity patch is the update for binfmt_elf.c:
http://www.kernel.org/git/?p=linux/kern ... ec5d3940f2
ra
 
Posts: 3
Joined: Thu Jun 16, 2005 6:14 am
