[arch-dev-public] providing grsecurity in [community]

Daniel Micay danielmicay at gmail.com
Fri Apr 18 07:07:11 EDT 2014

On 18/04/14 05:34 AM, Sébastien Luttringer wrote:
> On 18/04/2014 10:44, Daniel Micay wrote:
>> On 18/04/14 04:09 AM, Sébastien Luttringer wrote:
>>> On 16/04/2014 06:09, Daniel Micay wrote:
>> I could build these myself when I push a new version, because there
>> aren't many of them. 
> When I will push a new version of Virtualbox, which currently provides
> modules for linux and linux-lts. I will have to build a third external
> package for linux-grsec, like every modules maintainer.

There's no problem with simply not building a VirtualBox module for the
linux-grsec kernel. You're not building one now, so there would be
nothing gained or lost. Supporting out-of-tree modules wasn't something
I planned on considering at all right away.

Other modules without userspace components wouldn't present the same
problems as VirtualBox, since they would be an entirely separate package.

>> I don't think it makes sense to bother with the
>> nvidia module because it would be a bit silly to mix it with grsecurity.
> Why user with nvidia cards should be deprived of grsec security enhancement?

It will work fine with Nouveau. The nvidia driver is a larger pile of
code than the Linux kernel itself and no hardening can be applied to it.
The grsecurity kernel randomization features are rendered useless since
it has info leaks all over. It might have an impact on the RBAC
policies, which would otherwise be able to assume that X will be running
as non-root post 1.16.

If someone is interested in building an nvidia module for a grsecurity
kernel and fixing any RBAC issues then I won't object, but I'm not going
to do it myself.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.archlinux.org/pipermail/arch-dev-public/attachments/20140418/76feb942/attachment.asc>

More information about the arch-dev-public mailing list