[arch-general] AppArmor support

Levente Polyak anthraxx at archlinux.org
Mon Sep 10 12:09:06 UTC 2018 

On 9/10/18 1:43 PM, Carsten Mattner wrote:
> On 9/10/18, Levente Polyak via arch-general <arch-general at archlinux.org> wrote:
>> Just a crazy idea but how about contributing back instead of just
>> complaining? People on the bug tracker always help guiding how to report
>> upstream or finding relevant commits. Yeah, i know it takes a while to
>> compile, but it's not that complicated:
>> - take a look at the panic in hardened
>> - peek the code around it to find out which of the protective config
>>   values may have triggered it (if not already obvious from the panic)
>> - reproduce on stock/vanilla kernel by building it including the
>>   responsible configs
>> - report upstream using the gathered information of the vanilla kernel
>> - bonus points for git bisecting the commit that broke it
>>
>> This would not only contribute to make hardened run on your or similar
>> setups, all vanilla linux users would benefit by helping to fix a bug
>> that can or does result in a corruption.
> 
> I did and do. I have open bugs in freedesktop and kernel bugzilla which
> are not resolved and in NEW state for months and years. These are usually
> regressions in drivers due to the Linux driver packaging model and
> insufficient testing on supported hardware configurations. What happens
> is that a driver that works flawlessly on hardware rev-1.8 suddenly starts
> misbehaving with a newer kernel that has seen improvements, refactorings,
> and support for newer hardware. It's most prominent in the graphics stack,
> which is complex, hard to test, and easy to break. I don't blame the
> developers for having a hard time, I'm discouraged stable drivers for
> old hardware get regressions and stop being tested as well as hardware
> of years -2/+2 years.
> 
> Therefore, I hope you don't mind if my frustration level with the issues
> I'm tracking right now is high enough that I'm not in the mood to debug
> and track issues I can avoid by using a different stable kernel branch.
> 

Nice to hear that you do or at least did, bear with me for
overgeneralizing in in your case.

However, the point of my whole response was that you are most
definitively triggering/encountering the very same bug on the stock
kernel, stock variant just tries to go ahead instead of panic, which
means it may result in corruption and possibly killing kittens. Whatever
is encountered there is at least a "regular regression" and possibly
could provide surface for exploitation.

If you are not using linux-lts you are pretty much using the very same
stable branch/tag in linux-hardened that vanilla linux uses so there is
no "different stable kernel branch". If former is the case you can
pretty much blame vanilla linux package to an equal amount as the
hardened variant for being buggy.

cheers,
Levente

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-general/attachments/20180910/2da9b8d6/attachment.asc>

More information about the arch-general mailing list