[arch-general] AppArmor support

Geo Kozey geokozey at mailfence.com
Mon Sep 10 15:58:49 UTC 2018


> ----------------------------------------
> From: Levente Polyak via arch-general <arch-general at archlinux.org>
> Sent: Mon Sep 10 14:09:06 CEST 2018
> To: General Discussion about Arch Linux <arch-general at archlinux.org>
> Cc: Levente Polyak <anthraxx at archlinux.org>
> Subject: Re: [arch-general] AppArmor support
> 
> 
> Nice to hear that you do or at least did, bear with me for
> overgeneralizing in your case.
> 
> However, the point of my whole response was that you are most
> definitively triggering/encountering the very same bug on the stock
> kernel, stock variant just tries to go ahead instead of panic, which
> means it may result in corruption and possibly killing kittens. Whatever
> is encountered there is at least a "regular regression" and possibly
> could provide surface for exploitation.
> 
> If you are not using linux-lts you are pretty much using the very same
> stable branch/tag in linux-hardened that vanilla linux uses so there is
> no "different stable kernel branch". If former is the case you can
> pretty much blame vanilla linux package to an equal amount as the
> hardened variant for being buggy.
> 
> cheers,
> Levente
> 

I think you may consider disabling CONFIG_PANIC_ON_OOPS in linux-hardened
default config. Preventing users from being able to debug and report their
issues upstream or even discouraging them from using linux-hardened at all is
quite a big cost of it. Asking users to recompile their kernels every time they want
to investigate their issues is also a little too much.

There is "oops=panic" cmdline which everyone can use and which is much more
flexible to switch between debug/non-debug mode than recompiling. I don't think
adding something to cmdline is beyond capabilities of Arch users, especially if
they're interested in security.

Yours sincerely

G. K.
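The message above argues about where the panic-on-oops behaviour should be set: the build-time CONFIG_PANIC_ON_OOPS default versus the "oops=panic" boot parameter. As an added example, not code from this thread or from the linux-hardened project, here is a small POSIX sh script that shows how those sources combine and reports what the running kernel actually has. The function names (config_panic_on_oops, cmdline_panic_on_oops, boot_panic_on_oops, report_running_kernel) are my own; the file paths /proc/config.gz (present only when the kernel was built with CONFIG_IKCONFIG_PROC), /boot/config-$(uname -r), /proc/cmdline and /proc/sys/kernel/panic_on_oops are the standard Linux locations.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): where a kernel's
# panic-on-oops setting comes from, and how to read it on a running box.
#   1. build-time default: CONFIG_PANIC_ON_OOPS in the kernel .config
#   2. boot parameter:     "oops=panic" on the kernel command line
#                          (the kernel's oops= handler only knows "panic",
#                          so the command line can enable but not disable it)
#   3. runtime value:      kernel.panic_on_oops, i.e. /proc/sys/kernel/panic_on_oops

# config_panic_on_oops CONFIG_TEXT -> prints 1 if CONFIG_PANIC_ON_OOPS=y, else 0
# (-x matches whole lines, so CONFIG_PANIC_ON_OOPS_VALUE=1 is not mistaken for it)
config_panic_on_oops() {
    printf '%s\n' "$1" | grep -qx 'CONFIG_PANIC_ON_OOPS=y' && echo 1 || echo 0
}

# cmdline_panic_on_oops CMDLINE -> prints 1 if "oops=panic" is present as a
# whole, space-separated parameter, else 0
cmdline_panic_on_oops() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -qx 'oops=panic' && echo 1 || echo 0
}

# boot_panic_on_oops CONFIG_TEXT CMDLINE -> the value the kernel boots with:
# the build default, forced to 1 when oops=panic was given at boot
boot_panic_on_oops() {
    if [ "$(config_panic_on_oops "$1")" = 1 ] || \
       [ "$(cmdline_panic_on_oops "$2")" = 1 ]; then
        echo 1
    else
        echo 0
    fi
}

# report_running_kernel -> print all three values for the kernel running now.
# The build default is "unknown" when no config is readable.
report_running_kernel() {
    cfg=""
    if [ -r /proc/config.gz ]; then
        cfg=$(zcat /proc/config.gz 2>/dev/null)
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cfg=$(cat "/boot/config-$(uname -r)")
    fi
    if [ -n "$cfg" ]; then
        build=$(config_panic_on_oops "$cfg")
    else
        build="unknown (no readable kernel config)"
    fi
    cmdline=$(cat /proc/cmdline 2>/dev/null)
    runtime=$(cat /proc/sys/kernel/panic_on_oops 2>/dev/null || echo "unknown")
    echo "build default  CONFIG_PANIC_ON_OOPS=y : $build"
    echo "boot parameter oops=panic            : $(cmdline_panic_on_oops "$cmdline")"
    echo "runtime sysctl kernel.panic_on_oops  : $runtime"
}

# Usage: sh this_script.sh --report
if [ "${1:-}" = "--report" ]; then
    report_running_kernel
fi
```

The runtime line is the one that matters for what happens on the next oops: it starts from the boot value computed above, and because kernel.panic_on_oops is an ordinary sysctl it can also have been changed after boot, so a check that only reads the .config can disagree with the live system.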

