Recommended kernel and Grsec release policy

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Recommended kernel and Grsec release policy

Postby rs » Tue Mar 13, 2007 12:19 pm

Hello,

What's the recommended kernel branch from a security standpoint: 2.4 or 2.6? I remember having read somebody (officially?) recommending 2.4 over 2.6? Is it still true, Brad?

What's the current policy about grsec releases? While kernel.org publishes new kernels often, not all are instantly "supported" by grsec, until Spender reviews and releases a new patch, which, I guess, depends on changes implemented in new kernel (for instance, whether or not the new kernel has an important security fix). Right?

Is safe to assume that latest grsec patches corresponds to safe kernel releases? For instance, latest grsec patches relates to kerneles 2.4.34/2.6.19.2. Would it be safe to continue having 2.4.34, despite 2.4.34.1 being the latest? (or having 2.6.19.2 over 2.6.20.2?)

Thanks in advance for your clarifications.
-rs
rs
 
Posts: 15
Joined: Thu Mar 31, 2005 6:48 pm

Re: Recommended kernel and Grsec release policy

Postby PaX Team » Mon Mar 19, 2007 5:23 am

rs wrote:What's the recommended kernel branch from a security standpoint: 2.4 or 2.6? I remember having read somebody (officially?) recommending 2.4 over 2.6? Is it still true, Brad?
not Brad speaking ;-), but it's still true, we recommend 2.4 although reality more and more often doesn't really leave you that choice (lack of hw support or some kernel features your desired userland wants).
What's the current policy about grsec releases? While kernel.org publishes new kernels often, not all are instantly "supported" by grsec, until Spender reviews and releases a new patch, which, I guess, depends on changes implemented in new kernel (for instance, whether or not the new kernel has an important security fix). Right?
for the 2.6 series the bottleneck wasn't grsec per se but rather PaX that the kernel powers that be managed to break for pretty much every single release, so it takes time to forward port PaX and have something that at least boots ;-). nevertheless, the policy is that we try to stay close to the last 'stable' 2.6.x, and we don't support nor backport anything to previous 2.6.y kernels. security fixes in 2.6.x.y are normally followed up quickly because they tend to break a lot less if anything at all (often you can just take the previous grsec patch and apply it without a problem).
Is safe to assume that latest grsec patches corresponds to safe kernel releases? For instance, latest grsec patches relates to kerneles 2.4.34/2.6.19.2. Would it be safe to continue having 2.4.34, despite 2.4.34.1 being the latest? (or having 2.6.19.2 over 2.6.20.2?)
you should always use the last vanilla kernel because it most likely has security fixes that are not in grsec per se. you can either wait for spender to release a new grsec for 2.[46].x.y or try to apply the previous one yourself, it mostly works.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Postby rs » Mon Mar 19, 2007 6:11 am

Sorry, I meant not only Brad, but the whole devel team. Pax is great. And your response is appreciated! :)

I was asking for feedback because I'm planning to migrate to 2.6 (mainly to fix some performance issues, related to threading, where 2.6 has important enhancements over 2.4) and security is still important to me.

As you stated, 2.6 is getting more and more strength, and we will reach the time where there will be no choice apart from switching to 2.6, so it's good to prepare for that moment. By now, your words scare me a bit: 2.6 grsec patches seem to be fairly unstable, comparing to 2.4 patches.

So, I suppose you wouldn't recommend to switch to 2.6, if not strictly necessary.

Thanks for your comments.
-rs
rs
 
Posts: 15
Joined: Thu Mar 31, 2005 6:48 pm

Postby PaX Team » Mon Mar 19, 2007 6:24 pm

rs wrote:As you stated, 2.6 is getting more and more strength, and we will reach the time where there will be no choice apart from switching to 2.6, so it's good to prepare for that moment. By now, your words scare me a bit: 2.6 grsec patches seem to be fairly unstable, comparing to 2.4 patches.
indeed, i have a huge backlog of 2.6 features that i have yet to verify for PaX interference (stuff like suspend, hugetlbfs, migration, etc), and only then could come an actual audit for security bugs (which will probably not happen at this rate of development at all).
So, I suppose you wouldn't recommend to switch to 2.6, if not strictly necessary.
correct although i'd add that on a singler user system like a desktop it doesn't matter as much because there you have less to worry about locally exploitable bugs (by virtue of not having any untrusted local users) and for remote bugs the two kernels are pretty much the same.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Postby rs » Tue Mar 20, 2007 4:56 am

Indeed, I don't use to install grsec (or similar) on my desktop system. It's a bit "PITA" and I think it's better simply to make a good bastioning (usually a desktop doesn't need to offer many services, if any at all).

For servers, grsec is a must-have.

I'll stay with 2.4 (for the moment) ;-)

-rs
rs
 
Posts: 15
Joined: Thu Mar 31, 2005 6:48 pm

Postby roedie » Tue Mar 20, 2007 2:49 pm

I'm I correct that it's not recomended to use grsec (or at least the PAX bit) for production use on 2.6 kernels?

If I read this thread it's the impression I get.

Regards,

Sander
roedie
 
Posts: 1
Joined: Tue Mar 20, 2007 2:45 pm

Postby PaX Team » Tue Mar 27, 2007 6:04 pm

roedie wrote:I'm I correct that it's not recomended to use grsec (or at least the PAX bit) for production use on 2.6 kernels?

If I read this thread it's the impression I get.
yes.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm


Return to grsecurity support

cron