Feature #8604

Evaluate a grsec kernel from corsac's APT repository in Tails

Added by intrigeri 2015-01-08 11:47:20. Updated 2016-01-05 16:46:59.

Status: Rejected
Priority: Normal
Assignee:
Category:
Target version:
Start date: 2015-01-08
Due date:
% Done: 0%
Feature Branch:
Type of work: Code
Blueprint:
Starter:
Affected tool:
Deliverable for:

Description

corsac’s repo lives there: http://molly.corsac.net/~corsac/debian/kernel-grsec/packages/

The testing procedure is roughly the same as for Feature #8600, except that instead of adding .deb’s to config/chroot_local-packages/, one should add corsac’s repo to config/chroot_sources, and maybe tweak APT pinning in config/chroot_apt/preferences.
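
As an added illustration (not part of the ticket or of Tails' own configuration), pinning stanzas in config/chroot_apt/preferences could restrict the third-party repository to kernel packages only, so that it cannot supply or replace anything else in the image. The origin is the host from the URL above; the package name globs are assumptions about how the kernel packages are named.

```text
Explanation: Added example, not from the Tails source tree.
Explanation: Allow only kernel packages from the third-party origin.
Explanation: The package name globs below are assumed, not taken from the repo.
Package: linux-image-* linux-headers-*
Pin: origin "molly.corsac.net"
Pin-Priority: 990

Explanation: Refuse everything else from that origin (a negative priority
Explanation: prevents installation). Specific-form records such as the one
Explanation: above take precedence over this general-form record.
Package: *
Pin: origin "molly.corsac.net"
Pin-Priority: -1
```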


Subtasks


Related issues

Related to Tails - Feature #8600: Evaluate a grsec kernel from spender's build service in Tails (Rejected, 2015-01-07)
Related to Tails - Feature #8605: Compare Debian kernel configuration with the one used in Corsac's grsec kernels (Rejected, 2015-01-08)

History

#1 Updated by intrigeri 2015-01-08 11:47:28

  • related to Feature #8600: Evaluate a grsec kernel from spender's build service in Tails added

#2 Updated by intrigeri 2015-01-08 12:16:26

  • related to Feature #8605: Compare Debian kernel configuration with the one used in Corsac's grsec kernels added

#3 Updated by intrigeri 2015-01-08 12:26:41

#5 Updated by intrigeri 2015-04-05 16:30:19

> See http://www.corsac.net/?rub=blog&post=1573

TL;DR:

  • Yves-Alexis has finally updated the packages in his personal APT repo. That’s still a 3.2 kernel.
  • Jessie’s kernel (3.16) isn’t a long-term branch, so there won’t be a grsec patch maintained for it
  • forward-porting grsec patches from 3.14 (long-term branch) to 3.16 isn’t trivial
  • Yves-Alexis has looked at Mempo’s custom kernel, and wasn’t more convinced by the build process than I was
  • Yves-Alexis will probably “solve” the problem for himself, and may stop publishing .deb’s; he is hesitating between tracking 3.14 and using 3.19 + upgrading until a new LTS branch appears

To sum up, Yves-Alexis’ APT repo can be useful for the initial evaluation of grsecurity in Tails, but it likely won’t cut it as a long-term solution.

#6 Updated by intrigeri 2015-05-27 10:54:23

Update from corsac on that topic: http://www.corsac.net/?rub=blog&post=1575

> * Yves-Alexis will probably “solve” the problem for himself, and may stop publishing .deb’s; he is hesitating between tracking 3.14 and using 3.19 + upgrading until a new LTS branch appears

Yves-Alexis has published scripts, configuration (and binary packages) for Linux 3.14.

> To sum up, Yves-Alexis’ APT repo can be useful for the initial evaluation of grsecurity in Tails, but it likely won’t cut it as a long-term solution.

That’s still the case.

#7 Updated by intrigeri 2015-06-12 22:07:22

If these kernels lack aufs support, but support overlayfs, then this work will need to be based on feature/8415-overlayfs.

#8 Updated by intrigeri 2016-01-05 16:47:00

  • Status changed from Confirmed to Rejected

Now that grsec landed in Debian, I guess this is not relevant anymore. Sorry if I got it wrong!

#9 Updated by intrigeri 2017-01-01 11:27:17

  • related to deleted (Feature #8415: Migrate from aufs to overlayfs)