grsecurity forums

[jlambrecht]

Does anyone have experience with the scenario in subject. When i think about it i cannot come to the conclusion it makes sense or not. Mostly because most patches affect security, others performance, some may add features or other.

Using vanilla kernel sources > applying grsec patch > applying distro specific patches.

[N8Fear]

That's more or less what's Gentoo's hardened-sources are (actually more like vanilla+distro-patches + grsec + more (hardened related) distro patches). I guess you may want to review if you need the distro specific patches: If you don't need them, leave them out, if they may have security implications, leave them out...
You can even do so on a "per patch" base.
But I dare to say that most likely the distro patches aren't inherently more insecure than the vanilla kernel ifself...

[jlambrecht]

I should have explained better.

grsec requires one to use a vanilla kernel to patch a distro supplied kernel, which has often received extra patches. So my question was if using a vanilla kernel + grsec patch then patch it with distro supplied patches would result in a working kernel or not. Since apparently distro patches may interfere with grsec stability and reliability.

[N8Fear]

My answer still holds: unless you're going to get more specific on "distro patches" there is no one here that can tell you anything.
Generally: you should either review the distro patches or you need to rely on trust: bugs can be introduced everywhere may it be in the vanilla sources or in the patches. You may even get merge errors on distro patched sources (if the distro patches and grsec touch the same line of the same file) which you need to resolve yourself if it happens.
Therefore the easiest way would be to either use vanilla or a hardened distro kernel.
Otherwise you could state which distro patches you're actually talking about in which case you could hope that someone here comes forward that has experience with your combination.

[jlambrecht]

I'm not sure if we understand each other at all. Was i not clear in explaining the distro patches are those for the kernel. Usually a distro uses the vanilla kernel and add their own patches. These are the patches i'm referring to.

When i apply grsec to a distro supplied kernel source there is a warning to not continue, then it aborts ( sorry, it's been a while, may be different scenario ) When i chose to ignore this warning it did not work out well. Then i got the vanilla kernel source, applied the grsec patch which worked fine. Hence my only question is if on a grsec-patched vanilla kernel source tree it would be recommendable to patch this kernel with the patches i refer to as distro patches and get away with it.

Maybe this is a non-question, it is quite a simple question really.

[N8Fear]

I think I did understand you. There are essentially two issues:
- Two patches are incompatible as they touch the same lines. These are the warnings/aborts you are talking about. They require you (or someone else) to manually resolve them (there should be a .rej file which contains what would have been applied through the failed patch). These merges are sometimes easy and sometimes difficult. There is no way anyone here can tell you what it is unless you post (or link) the patch.
Therefore you can save yourself some pain if you first do an assessment if the distro patch is actually needed. If it e.g. adds an device driver for a device you don have or use you'll be better of if you just skip it.
- The other issue is on a functional level: a patch may do stuff that is inherently insecure or incompatible with grsec. In this case it'd also be wise to do an assessment if you actually need that patch.

[jlambrecht]

Okay, still, this is way more in-depth than the approach i'd foreseen. I had only three scenario's in mind, not evaluating patch by patch. Unless you're volunteering

1. Vanilla source from kernel.org + grsec patch applied ( as is the recommended approach )
2. Distro source ( vanilla + distro patches ) + grsec patch ( throws a warning/error because it is not vanilla source )
3. Vanilla source + grsec patch + distro patches ( untested and as you suggest most likely food for n00b frustrations )

Anyway, i now know as much as when i posted the question. Thank's anyway i did pick up a little along the way.