[arch-dev-public] providing grsecurity in [community]

[Daniel Micay]

On 18/04/14 08:15 PM, Allan McRae wrote:
> On 19/04/14 07:11, Tom Gundersen wrote:
>> On Wed, Apr 16, 2014 at 6:09 AM, Daniel Micay <danielmicay at gmail.com> wrote:
>>> There has been a recent surge of interest in securing Arch by paying
>>> closer attention to CVEs and addressing many security issues in our
>>> packages. I also started some initial work/documenting on securing the
>>> services shipped in various packages:
>>>
>>> https://wiki.archlinux.org/index.php/DeveloperWiki:Service_isolation
>>
>> I'm very happy that more people are now looking at security related
>> things in Arch. Nice work!
>>
>>> To go along with this, I'm interested in maintaining the grsecurity
>>> kernel and userspace tools in [community] to provide a hardened kernel
>>> and role-based access control system. This would be the first case of an
>>> alternative kernel in the repositories, so I'm open to discussion about
>>> whether it's appropriate to do this. There are also some issues relevant
>>> to other packages in the repositories.
>>
>> Hmm, grsec seems like a dead-end to me. It will never land upstream,
>> and hence will never be in our standard kernel and our default
>> packages will therefore never be integrated with it. So whatever work
>> you do will have to live independently in perpetuity. At worst it
>> would split our (very limited) development and QA resources.
>>
>> Would it not make more sense to focus on some other security features
>> that are actually upstream and which can then at least potentially be
>> merged into our default packages eventually?
>>
>> Maybe another option, if you really think grsec is the way to go,
>> would be to simply create a new unofficial repository and put the
>> packages there instead?
> 
> I'd say an unofficial repo is the way to go for the time being.
> linux-grsec in the AUR only has 44 votes, so it is not screaming out for
> inclusion in the repos.
> 
> Allan
> 

Users have been asking for MAC to be provided in the repositories for a
long time. At the moment, two bugs are open about it:

https://bugs.archlinux.org/task/37578
https://bugs.archlinux.org/task/39852

Any of these reported bugs could simply be closed with the response that
the grsecurity RBAC is provided in the repositories and there's  no one
interested in maintaining another. I think that's a response most people
would be satisfied with, but users aren't going to be very happy with an
a WONTFIX simply saying Arch has no official support for any of this.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.archlinux.org/pipermail/arch-dev-public/attachments/20140419/243e4a93/attachment.asc>