From: Levente Polyak via arch-general <arch-general@archlinux.org>
Sent: Mon Sep 10 14:09:06 CEST 2018
To: General Discussion about Arch Linux <arch-general@archlinux.org>
Cc: Levente Polyak <anthraxx@archlinux.org>
Subject: Re: [arch-general] AppArmor support
Nice to hear that you do, or at least did; bear with me for overgeneralizing in your case.
However, the point of my whole response was that you are most definitively triggering/encountering the very same bug on the stock kernel; the stock variant just tries to go ahead instead of panicking, which means it may result in corruption and possibly killing kittens. Whatever is encountered there is at least a "regular regression" and could possibly provide surface for exploitation.
If you are not using linux-lts you are pretty much using the very same stable branch/tag in linux-hardened that vanilla linux uses, so there is no "different stable kernel branch". If the former is the case you can pretty much blame the vanilla linux package to an equal amount as the hardened variant for being buggy.
cheers, Levente
I think you may consider disabling CONFIG_PANIC_ON_OOPS in the linux-hardened default config. Preventing users from being able to debug and report their issues upstream, or even discouraging them from using linux-hardened at all, is quite a big cost of it. Asking users to recompile their kernels every time they want to investigate their issues is also a little too much. There is an "oops=panic" cmdline parameter which everyone can use and which is much more flexible for switching between debug/non-debug mode than recompiling. I don't think adding something to the cmdline is beyond the capabilities of Arch users, especially if they're interested in security.
Yours sincerely, G. K.
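As an added example (not code from the thread, the Arch packages or the kernel), a small POSIX shell script that works out the boot-time panic-on-oops behaviour from the two inputs discussed above, the build config (CONFIG_PANIC_ON_OOPS) and the boot cmdline (oops=panic), and reads the live value from the kernel.panic_on_oops sysctl. The function names are mine and the sample config/cmdline strings are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Rules it encodes:
#  - CONFIG_PANIC_ON_OOPS=y makes panic_on_oops default to 1 at boot.
#  - "oops=panic" on the cmdline forces it to 1; there is no cmdline
#    parameter that forces it to 0, so a =y kernel can only be relaxed
#    at runtime through the sysctl (no rebuild, no reboot).

# panic_on_oops_default CONFIG_TEXT CMDLINE  -> prints boot-time value, 1 or 0
panic_on_oops_default() {
    config="$1"
    cmdline="$2"
    result=0
    # Build-time default; "# CONFIG_PANIC_ON_OOPS is not set" does not match.
    if printf '%s\n' "$config" | grep -qx 'CONFIG_PANIC_ON_OOPS=y'; then
        result=1
    fi
    # Boot parameter: only the exact token "oops=panic" counts.
    for tok in $cmdline; do
        if [ "$tok" = "oops=panic" ]; then
            result=1
        fi
    done
    printf '%s\n' "$result"
}

# live_panic_on_oops  -> prints the running kernel's value, fails if /proc lacks it
live_panic_on_oops() {
    [ -r /proc/sys/kernel/panic_on_oops ] || return 1
    cat /proc/sys/kernel/panic_on_oops
}

# Constructed sample inputs (not real /proc/config.gz or /proc/cmdline contents).
stock_cfg='# CONFIG_PANIC_ON_OOPS is not set'
hardened_cfg='CONFIG_PANIC_ON_OOPS=y'
echo "stock config, plain cmdline:    $(panic_on_oops_default "$stock_cfg" 'root=/dev/sda2 rw')"
echo "stock config + oops=panic:      $(panic_on_oops_default "$stock_cfg" 'root=/dev/sda2 rw oops=panic')"
echo "hardened config, plain cmdline: $(panic_on_oops_default "$hardened_cfg" 'root=/dev/sda2 rw')"

# On a real box the inputs come from `zcat /proc/config.gz` and /proc/cmdline,
# and the running value can be flipped as root for a debugging session:
#   sysctl -w kernel.panic_on_oops=0   # log the oops and keep running
#   sysctl -w kernel.panic_on_oops=1   # back to fail-closed
if live=$(live_panic_on_oops); then
    echo "live kernel: panic_on_oops=$live"
else
    echo "live kernel: /proc/sys/kernel/panic_on_oops not available here"
fi
```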