grsecurity forums

Hello,

What's the recommended kernel branch from a security standpoint: 2.4 or 2.6? I remember having read somebody (officially?) recommending 2.4 over 2.6? Is it still true, Brad?

What's the current policy about grsec releases? While kernel.org publishes new kernels often, not all are instantly "supported" by grsec, until Spender reviews and releases a new patch, which, I guess, depends on changes implemented in new kernel (for instance, whether or not the new kernel has an important security fix). Right?

Is safe to assume that latest grsec patches corresponds to safe kernel releases? For instance, latest grsec patches relates to kerneles 2.4.34/2.6.19.2. Would it be safe to continue having 2.4.34, despite 2.4.34.1 being the latest? (or having 2.6.19.2 over 2.6.20.2?)

Thanks in advance for your clarifications.
-rs

rs wrote:What's the recommended kernel branch from a security standpoint: 2.4 or 2.6? I remember having read somebody (officially?) recommending 2.4 over 2.6? Is it still true, Brad?

not Brad speaking , but it's still true, we recommend 2.4 although reality more and more often doesn't really leave you that choice (lack of hw support or some kernel features your desired userland wants).

What's the current policy about grsec releases? While kernel.org publishes new kernels often, not all are instantly "supported" by grsec, until Spender reviews and releases a new patch, which, I guess, depends on changes implemented in new kernel (for instance, whether or not the new kernel has an important security fix). Right?

for the 2.6 series the bottleneck wasn't grsec per se but rather PaX that the kernel powers that be managed to break for pretty much every single release, so it takes time to forward port PaX and have something that at least boots . nevertheless, the policy is that we try to stay close to the last 'stable' 2.6.x, and we don't support nor backport anything to previous 2.6.y kernels. security fixes in 2.6.x.y are normally followed up quickly because they tend to break a lot less if anything at all (often you can just take the previous grsec patch and apply it without a problem).

Is safe to assume that latest grsec patches corresponds to safe kernel releases? For instance, latest grsec patches relates to kerneles 2.4.34/2.6.19.2. Would it be safe to continue having 2.4.34, despite 2.4.34.1 being the latest? (or having 2.6.19.2 over 2.6.20.2?)

you should always use the last vanilla kernel because it most likely has security fixes that are not in grsec per se. you can either wait for spender to release a new grsec for 2.[46].x.y or try to apply the previous one yourself, it mostly works.

Sorry, I meant not only Brad, but the whole devel team. Pax is great. And your response is appreciated!

I was asking for feedback because I'm planning to migrate to 2.6 (mainly to fix some performance issues, related to threading, where 2.6 has important enhancements over 2.4) and security is still important to me.

As you stated, 2.6 is getting more and more strength, and we will reach the time where there will be no choice apart from switching to 2.6, so it's good to prepare for that moment. By now, your words scare me a bit: 2.6 grsec patches seem to be fairly unstable, comparing to 2.4 patches.

So, I suppose you wouldn't recommend to switch to 2.6, if not strictly necessary.

Thanks for your comments.
-rs

rs wrote:As you stated, 2.6 is getting more and more strength, and we will reach the time where there will be no choice apart from switching to 2.6, so it's good to prepare for that moment. By now, your words scare me a bit: 2.6 grsec patches seem to be fairly unstable, comparing to 2.4 patches.

indeed, i have a huge backlog of 2.6 features that i have yet to verify for PaX interference (stuff like suspend, hugetlbfs, migration, etc), and only then could come an actual audit for security bugs (which will probably not happen at this rate of development at all).

So, I suppose you wouldn't recommend to switch to 2.6, if not strictly necessary.

correct although i'd add that on a singler user system like a desktop it doesn't matter as much because there you have less to worry about locally exploitable bugs (by virtue of not having any untrusted local users) and for remote bugs the two kernels are pretty much the same.

Indeed, I don't use to install grsec (or similar) on my desktop system. It's a bit "PITA" and I think it's better simply to make a good bastioning (usually a desktop doesn't need to offer many services, if any at all).

For servers, grsec is a must-have.

I'll stay with 2.4 (for the moment)

-rs

I'm I correct that it's not recomended to use grsec (or at least the PAX bit) for production use on 2.6 kernels?

If I read this thread it's the impression I get.

Regards,

Sander

roedie wrote:I'm I correct that it's not recomended to use grsec (or at least the PAX bit) for production use on 2.6 kernels?

If I read this thread it's the impression I get.

yes.