https://unix.stackexchange.com/questions/59020/why-are-the-g...
https://www.linux.com/news/google-developer-kees-cook-detail...
He's been working on this for a very long time.
no, you're wrong. how do you think we developed our code? did all the 8+ MB worth of it pop out of our head all at once? or more realistically, did we develop the features piece by piece, not unlike how upstream linux is developed?
> They have very specific "chunks" of functionality which are quite invasive, by design.
define invasive. linux itself has 'quite invasive' features too yet that didn't prevent them from being developed and upstreamed, so not sure what you were trying to imply here.
> This goes against the model under which the Linux kernel is developed, so the two development communities are simply mutually exclusive.
this narrative only exists in your head, not in reality. our work is as much upstreamable as any other kernel code that went in over the years (how else do you think some of it could get in already?), it's just that it can't be done in one's free time.
Other people have gotten large changes into the kernel before, but they require interfacing with the kernel devs and agreeing to certain changes first. Nobody's going to accept a patch just because Google wants it for one of its products. And Google isn't going to change its product patches just so they can fit in mainline.
To clarify some technical aspects, SELinux and grsecurity are not answers to the same problems, and they were never meant to be. SELinux was always meant to implement things like multi-level security, the Bell-LaPadula model, extending third-party applications with SELinux roles, and the security daemon. Grsecurity has a file-oriented RBAC system that was more approachable, and a variety of other patches (which are what grsecurity has been better known for - they have always been very excellent).
Knowing Spender, he was probably actually paid to stop. That's my guess. Not going to iterate on that.