Downsides to a grsec install script?

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Moderators: spender, PaX Team

Downsides to a grsec install script?

Postby dmix » Thu Sep 18, 2014 1:19 pm

I'm interested in helping expand the adoption of GRSecurity. Install scripts would make it much easier. But are there some obvious downsides to scripts or packages? I assume security and trust is the biggest concern.

I came across this for Debian: https://github.com/rickard2/grsecurity-Debian-Installer

And Arch has popular packages: https://aur.archlinux.org/packages/linux-grsec-lts/

I have a personal preference towards Fedora and I was thinking of either creating one for that distro. Maybe I should stick to writing blog post tutorials for manual builds?
dmix
 
Posts: 4
Joined: Tue Sep 16, 2014 10:20 pm

Re: Downsides to a grsec install script?

Postby strcat » Fri Sep 19, 2014 2:42 am

I think the best thing you could do is maintain a source package for the distribution based on their vanilla kernel package and create a list of PaX exceptions. Making a binary package available is worthwhile, but third party binary packages are a bit sketchy unless you've built a good reputation in the community.

By the way, Arch Linux has an official grsecurity package in addition to that LTS one in the AUR:

https://www.archlinux.org/packages/comm ... nux-grsec/
https://wiki.archlinux.org/index.php/Grsecurity

The downside to a binary package is missing out on the RANDSTRUCT and HIDESYM features. However, binary packages mean more users, and those users will improve the experience for everyone by finding bugs like SIZE_OVERFLOW false positives. Many people aren't interested in compiling a custom kernel, especially on old / embedded / mobile hardware.

Arch makes it easy to build a custom version of an official package so it's strictly better than not having one. The binary package makes it very easy to try out grsecurity and then the underlying source package makes it trivial to build a custom kernel that's properly integrated into the distribution. The same thing will apply to the NixOS grsecurity implementation, but I don't think they're at the point where there's a binary package.

It would be awesome if there were official packages for more distributions, but there's a lot of politics involved. It only ended up in the Arch repositories because I'm stubborn and went ahead with adding it despite it being a very contentious issue.
strcat
 
Posts: 20
Joined: Tue Jun 10, 2014 12:22 pm

Re: Downsides to a grsec install script?

Postby timbgo » Wed Oct 01, 2014 12:00 pm

dmix wrote:I came across this for Debian: https://github.com/rickard2/grsecurity-Debian-Installer

And Arch has popular packages: https://aur.archlinux.org/packages/linux-grsec-lts/




Pls. see references to some of the pages above here:


will be learning from you #6
https://github.com/rickard2/grsecurity- ... r/issues/6

and here:
Grsecurity/Pax installation on Debian GNU/Linux
http://forums.debian.net/viewtopic.php? ... 93#p555093

Thanks everybody for contributing to grsecurity, even with spreading the word, which is not the least important of ways considering all the forces against FOSS today,

Miroslav Rovis
Zagreb, Croatia
www.CroatiaFidelis.hr
timbgo
 
Posts: 295
Joined: Tue Apr 16, 2013 9:34 am
Location: Zagreb, Croatia


Return to grsecurity support

cron