2.6 Kernel.

Postby amadei » Fri Jul 11, 2003 9:35 pm

While it's not out yet, Linus has mentioned that 2.5.75 will be the last 2.5 kernel he does before starting the 2.6-pre line.

Have you guys looked into the upcoming kernel, and estimated how difficult or how long it will take before GRSec for 2.6 will become available?

I'm not asking for concrete answers that will come back to haunt you... I understand the guesstimates are hard to predict. I'd just like to get a ballpark idea, so I can get a foggy idea how long before I may need to build some 2.6 machines. ;-)
amadei
 
Posts: 11
Joined: Tue Mar 26, 2002 1:14 am

Re: 2.6 Kernel.

Postby hightower » Sat Jul 12, 2003 5:23 am

Hi Amadei,

amadei wrote: While it's not out yet, Linus has mentioned that 2.5.75 will be the last 2.5 kernel he does before starting the 2.6-pre line.
well, I had a good laugh about it already ;)

amadei wrote: Have you guys looked into the upcoming kernel, and estimated how difficult or how long it will take before GRSec for 2.6 will become available?
I'm not asking for concrete answers that will come back to haunt you... I understand the guesstimates are hard to predict. I'd just like to get a ballpark idea, so I can get a foggy idea how long before I may need to build some 2.6 machines. ;-)
Well, if someone asked me, I would really like to have grsec stuff developed for 2.4 in the future, and 2.4 should be the "platform" to concentrate on. 2.5/2.6 has nice features, tons of bug fixes but it is also tons of unstable and slow. I think about updating to 2.6 completely and kick 2.4 in the ass around 2.6.16 ~ 2.6.18 time.

I don't expect 2.6 is really usable in most of the cases before.
I've recently talked to a leading RedHat kernel developer and he told me that RH's platform will be 2.4 for the next ~4 years. This might change, of course, depending on how good 2.6 is going ahead.

Well, it does not mean grsec shouldn't go for 2.6, but please develop 2.4 further on :-)

ciao, Marc
hightower
 
Posts: 49
Joined: Wed Mar 06, 2002 11:36 am

Re: 2.6 Kernel.

Postby amadei » Sat Jul 12, 2003 7:55 pm

hightower wrote: 2.5/2.6 has nice features, tons of bug fixes but it is also tons of unstable and slow. I think about updating to 2.6 completely and kick 2.4 in the ass around 2.6.16 ~ 2.6.18 time.


I usually start to think about moving to the new kernels after 10 patches, but that is not set in stone... for example, if I need a specific feature.

I had heard the new anticipatory scheduler and other features have made 2.5/2.6 quite a bit quicker than 2.4.
Of course, 2.4 was supposed to be faster than 2.2...
amadei
 
Posts: 11
Joined: Tue Mar 26, 2002 1:14 am

Postby Xipher » Sat Aug 09, 2003 8:32 pm

I am currently using 2.6.0-test3.
I find it a lot faster than 2.4.21, and stable as well, although not running any servers or anything on it, this is my laptop, but it runs well.
I think that they have done a great job, and this one might be ready out of the box, or after maybe 5 patches, instead of 5 or more.
Xipher
 
Posts: 1
Joined: Sat Aug 09, 2003 8:21 pm

Postby bse » Wed Sep 03, 2003 2:38 pm

Red Hat will be using 2.4 for the next four years???
In four years I guess 2.8 or 3.0 will exist and a lot of hardware won't work with 2.4.

On my notebook for example I hardly have any choice, as 2.4 doesn't support cpufreq and probably never will.

I've done no benchmarking but I don't have the experience that 2.6-pre is slow. Ok it's not stable yet, but it's still -pre, and I guess it will be stable in a few months. 2.2 and 2.4 took very long to become stable, I know, but that doesn't have to apply to 2.6, too. For example it's almost the first stable tree that doesn't have a completely recoded network filter.

I also think switching grsec development from 2.4 to 2.6 from one day to another is no good idea, since not all kernel enhancements switch to 2.6 at the same time, so there could be a gap where some patches you need only exist for 2.6 while some others only exist for 2.4.
Imagine an AMD Opteron Server - there's no x86-64 support in 2.4 and no grsec for 2.6
bse
 
Posts: 9
Joined: Tue Sep 02, 2003 11:07 am

Postby spender » Thu Sep 04, 2003 7:06 pm

2.4.22 has full x86-64 support.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Postby bse » Fri Sep 05, 2003 4:16 am

oh, well, guess u're right, but u got my point...
bse
 
Posts: 9
Joined: Tue Sep 02, 2003 11:07 am

Postby PaX Team » Fri Sep 12, 2003 11:38 am

bse wrote: Imagine an AMD Opteron Server - there's no x86-64 support in 2.4 and no grsec for 2.6
a few days ago i released preliminary PaX support for x86-64 as well, so if someone actually cares to try it out or even better, lets Brad port the other parts of grsec to it, you'll get full grsec on x86-64 (same goes for ia64 by the way).
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

2.6 Prepatch?

Postby bluefoxicy » Mon Nov 24, 2003 10:12 pm

I heard there was already work being done on 2.6 but there's apparently nothing in the CVS about it. It may be in pieces but any functionality's nice. I already have the ASLR for PaX in my 2.6.0test9 kernel, and I can say that 2.6 is quite stable for me on several machines. Not so easy to configure as 2.4 though, and just doesn't like some machines. My desktop, WITH the nvidia kernel module, gave me 13 days of uptime, and then the wind took down my powerlines. I need a good solid no-patching/no-nat-disaster time to REALLY see how stable this thing is, but I've hit 2 weeks.

At any rate, I run 2.6 exclusively now, and would like to see what preliminary grsec/PaX work has been done on it, even if it's choppy and half-working.

And don't listen to those idiots on the LKML; grsec is an ACL system, basic braindead security, and on occasion a little extra, PLUS PaX for ultrahardness. Most of it should have been coded in ANYWAY and there's no reason to move into a LSM and try to deal with their brain-damaged design that's as far as I can tell from its current uses (SELinux) geared mostly towards access control.

--Bluefox Icy
bluefoxicy
 
Posts: 5
Joined: Mon Nov 24, 2003 10:02 pm

2.6.0 is out

Postby m3thos » Thu Dec 18, 2003 2:58 pm

well, 2.6.0 is out, and the 2.6 stable branch just started.

there's a post from Spender in the news section of the site about working on a grsec patch for 2.6..

Well, just to say that there are at least two sysadmin crews (two teams of 6), waiting for such a patch, in my university.

linux2.6 is awesome, grsec is needed, we want 2.6 in our critical servers, and for that, please bring on grsec patch for these new kernels! :)

for those who say 2.6 is still too green and unstable, I say, working with it on several machines for a month or two, and is (in these configurations) totally rock solid!

so basically, this is a request to bring out those linux-2.6.0-grsec patches! :D

ps: congrats for the great work spender!
m3thos
 
Posts: 3
Joined: Thu Dec 18, 2003 2:51 pm

2.6.0

Postby h4x0r » Fri Dec 19, 2003 12:03 am

I hate to be a killjoy as I'm very impressed with the 2.6.0 as well, but you should be aware that the 2.6.0 must fix list still shows that many 2.4.x security fixes have not yet been forward ported to 2.6:

ftp://ftp.kernel.org/pub/linux/kernel/p ... -fix-7.txt

Scroll down to the bottom you'll see these two:

o alan: Forward port 2.4 fixes
- Chris Wright: Security fixes including execve holes, execve vs proc races

o There are about 60 or 70 security related checks that need doing
(copy_user etc) from Stanford tools. (badari is looking into this, and hollisb)


I haven't read anywhere that this list isn't current for 2.6.0 so unless you know otherwise it'd probably be a bad idea to use it on a "critical" server without those fixes yet.

Not trying to rain on your parade just a friendly heads up :)
h4x0r
 
Posts: 14
Joined: Sat Jan 11, 2003 5:46 pm

Postby ErroR|51 » Sat Jan 10, 2004 6:27 pm

I'll have to agree with m3thos there, I'm also quite impressed with 2.6.0.
ErroR|51
 
Posts: 2
Joined: Wed Jan 07, 2004 7:11 pm

Postby nsqlg » Tue Feb 03, 2004 5:01 pm

Performance of kernel 2.6 for some things is A LOT better

I have seen another comparison of FreeBSD 4.X / 5.X x OpenBSD x Linux Kernel 2.4 x Linux Kernel 2.6... the results are very impressive too, TCP/IP performance of 2.6 x 2.4 is brutal too, but I forget the URL; try using Google to find it.

Samba filesharing performance in this article (http://www.infoworld.com/infoworld/arti ... nux_1.html) has an amazing result too (at least 47%), see this image:

Image

I love GRSec (ACL system is very cool) and PaX, I have some servers with this, and for my workstation, and I don't want to live in a 2.6 world without powerful tools like GRSec. If the port for 2.6 doesn't come out, I will consider using LIDS + PaX patch in kernel 2.6; it is better than nothing for my workstation. Does anyone know if GRSec can be ported to 2.6?

Remember LSM came with kernel 2.6, and doesn't work with grsec; maybe a kernel with native LSM makes the port more difficult, or not?

(sorry for my english, not my native language.)
nsqlg
 
Posts: 1
Joined: Tue Feb 03, 2004 4:41 pm

Postby Sleight of Mind » Thu Feb 05, 2004 8:32 am

A lot of those 2.6 improvements are available for 2.4 as well, I would've liked to see a test like this with 2.4.xx-ck instead of plain 2.4.xx.
For example, 2.6 runs at 1000Hz by default, 2.4 at 100Hz. 2.6 has support for preemption and a low latency scheduler. All of those options are in -ck for the 2.4 series. If you really need more performance I would definitely go for 2.4-ck and not 2.6. grsecurity is available for 2.4-ck. Try the search or google.
Sleight of Mind
 
Posts: 92
Joined: Tue Apr 08, 2003 10:41 am

Postby LastGURU » Thu Feb 05, 2004 3:12 pm

Although there are many things that are not forward ported yet to the linux 2.6, we do not have another way to go. I will switch our Linux HA cluster to 2.6 kernel immediately after DRBD and GRSec (I do not need ACL and MAC - just security patches for chroot and a couple of other things) will be available.
LastGURU
 
Posts: 1
Joined: Thu Feb 05, 2004 3:05 pm
