[arch-general] AppArmor support

Levente Polyak anthraxx at archlinux.org
Mon Sep 10 10:35:07 UTC 2018


On 9/9/18 10:26 PM, Carsten Mattner via arch-general wrote:
> On 9/9/18, Gus <qty at airmail.cc> wrote:
>> Linux-hardened doesn't support hibernation and I think it's overkill to
>> use it on desktop.
> 
> Not arguing in any way for or against AppArmor, just another
> data point regarding linux-hardened 4.17 and 4.18:
> 
> I tried linux-hardened on two Intel machines, and it was less stable
> than "linux". Some of the changes are probably invasive/destabilising,
> which makes sense seeing how slowly and carefully the mitigations are
> traveling via Kees Cook into Linus' tree. I didn't have stability
> issues with the old linux-grsec packages, though to be fair those
> were also way older major releases which may matter.
> 

It is quite definitely just as stable as vanilla linux; there is no
crazy overly invasive stuff in hardened that would justify claiming
otherwise.

What you most likely encountered, like literally all other "instability"
issues so far, is that with your setup you triggered a stock vanilla
linux bug, with the difference that hardened immediately shuts itself
down for security reasons. These bugs are corruption and integrity
related, and shutting down follows "better safe than sorry" for the
hardened variant.
There are various kernel configs doing so, to name some:
CONFIG_BUG_ON_DATA_CORRUPTION, CONFIG_DEBUG_LIST, CONFIG_DEBUG_SG and
lots more including slab sanitizing/verifying specifically in
combination with CONFIG_PANIC_ON_OOPS.

Just a crazy idea, but how about contributing back instead of just
complaining? People on the bug tracker always help guiding how to report
upstream or finding relevant commits. Yeah, I know it takes a while to
compile, but it's not that complicated:
- take a look at the panic in hardened
- peek the code around it to find out which of the protective config
  values may have triggered it (if not already obvious from the panic)
- reproduce on stock/vanilla kernel by building it including the
  responsible configs
- report upstream using the gathered information of the vanilla kernel
- bonus points for git bisecting the commit that broke it

This would not only contribute to making hardened run on your or similar
setups; all vanilla linux users would benefit from helping to fix a bug
that can or does result in a corruption.

cheers,
Levente
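The steps in the post above (read the hardened panic, work out which protective config option fired, rebuild vanilla with that option on, report upstream) can be partly mechanised. The following is an added example written for this page, not code from Levente, Arch or the kernel project: a small triage helper that matches a panic log against the messages the mainline checks print, names the corresponding config option, and emits the shell commands that enable the same option in a vanilla tree. The mapping table is this example's own heuristic (the message strings are the ones mainline prints, but which option each one points at is an assumption you should verify against your tree's sources), the sample panic is constructed with placeholder addresses, and `reproduce_commands` assumes the running kernel exposes `/proc/config.gz` (CONFIG_IKCONFIG_PROC) and a mainline checkout in `./linux`.

```python
"""Map a linux-hardened panic to the vanilla config options behind it,
then emit the commands that rebuild a vanilla tree with those options.

Added example for the list post; the signature table is a heuristic,
not an Arch or kernel-provided mapping."""
import re
from typing import Dict, List, Tuple

# (regex over the panic text, config option, "check" or "escalate", note)
# "check" options implement the integrity test itself; "escalate" options
# only decide what happens once a check fires (WARN -> BUG -> panic).
SIGNATURES: List[Tuple[str, str, str, str]] = [
    (r"list_(add|del) corruption", "CONFIG_DEBUG_LIST", "check",
     "linked-list integrity check (lib/list_debug.c)"),
    (r"kernel BUG at lib/list_debug\.c", "CONFIG_BUG_ON_DATA_CORRUPTION",
     "escalate", "data-corruption check escalated from WARN to BUG"),
    (r"refcount_t: (underflow|overflow|increment on 0|saturated)",
     "CONFIG_REFCOUNT_FULL", "check",
     "full refcount_t over/underflow checking (lib/refcount.c)"),
    (r"kernel BUG at lib/scatterlist\.c", "CONFIG_DEBUG_SG", "check",
     "scatterlist magic/termination checks"),
    (r"Kernel panic - not syncing: Fatal exception", "CONFIG_PANIC_ON_OOPS",
     "escalate", "oops turned into a panic instead of killing the task"),
]

# Constructed sample: a list corruption caught by DEBUG_LIST, turned into a
# BUG by BUG_ON_DATA_CORRUPTION, then into a panic by PANIC_ON_OOPS.
# Addresses are placeholders, not from a real machine.
SAMPLE_PANIC = """\
[  123.456789] list_add corruption. next->prev should be prev (ffff8881deadbea0), but was ffff888100000000. (next=ffff8881deadbec0).
[  123.456790] ------------[ cut here ]------------
[  123.456791] kernel BUG at lib/list_debug.c:31!
[  123.456792] invalid opcode: 0000 [#1] PREEMPT SMP
[  123.456799] Kernel panic - not syncing: Fatal exception
"""


def suspect_configs(panic_text: str) -> List[str]:
    """Config options whose checks appear in the panic, in table order."""
    found: List[str] = []
    for pattern, option, _kind, _note in SIGNATURES:
        if re.search(pattern, panic_text) and option not in found:
            found.append(option)
    return found


def explain(panic_text: str) -> Dict[str, str]:
    """Same as suspect_configs, with a one-line rationale per option."""
    notes = {option: note for _, option, _kind, note in SIGNATURES}
    return {opt: notes[opt] for opt in suspect_configs(panic_text)}


def reproduce_commands(options: List[str], tree: str = "linux",
                       escalate: bool = False) -> List[str]:
    """Shell commands that enable the same checks in a vanilla tree.

    By default only the "check" options are enabled: on vanilla the WARN
    already prints the corruption and keeps the box up so the log can be
    captured. Pass escalate=True to also copy the BUG/panic escalation.
    Assumes /proc/config.gz (CONFIG_IKCONFIG_PROC) is available."""
    kinds = {option: kind for _, option, kind, _note in SIGNATURES}
    wanted = [o for o in options if escalate or kinds.get(o) == "check"]
    cmds = [f"cd {tree}",
            "zcat /proc/config.gz > .config   # start from the running config"]
    cmds += [f"./scripts/config --enable {opt}" for opt in wanted]
    cmds += ["make olddefconfig", 'make -j"$(nproc)"']
    return cmds


if __name__ == "__main__":
    for opt, why in explain(SAMPLE_PANIC).items():
        print(f"{opt:32} {why}")
    print("\n".join(reproduce_commands(suspect_configs(SAMPLE_PANIC))))
```

Once the vanilla kernel built this way reproduces the WARN, the same `.config` is what you carry through `git bisect` between the last good and first bad tag, so the bisect exercises the check and not a config difference.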
