Feature #8604: Evaluate a grsec kernel from corsac's APT repository in Tails

Feature #8604

Evaluate a grsec kernel from corsac's APT repository in Tails

Added by intrigeri 2015-01-08 11:47:20 . Updated 2016-01-05 16:46:59 .

Status:

Rejected

Priority:

Normal

Assignee:

Category:

Target version:

Start date:

2015-01-08

Due date:

% Done:

Feature Branch:

Type of work:

Code

Blueprint:

Starter:

Affected tool:

Deliverable for:

Description

corsac’s repo lives there: http://molly.corsac.net/~corsac/debian/kernel-grsec/packages/

The testing procedure is roughly the same as for ~~Feature #8600~~, except that instead of adding .deb’s to config/chroot_local-packages/, one should add corsac’s repo to config/chroot_sources, and maybe tweak APT pinning in config/chroot_apt/preferences.

Subtasks

Related issues

Related to Tails - ~~Feature #8600~~: Evaluate a grsec kernel from spender's build service in Tails	Rejected	2015-01-07
Related to Tails - ~~Feature #8605~~: Compare Debian kernel configuration with the one used in Corsac's grsec kernels	Rejected	2015-01-08

History

#1 Updated by intrigeri 2015-01-08 11:47:28

related to ~~Feature #8600~~: Evaluate a grsec kernel from spender's build service in Tails added

#2 Updated by intrigeri 2015-01-08 12:16:26

related to ~~Feature #8605~~: Compare Debian kernel configuration with the one used in Corsac's grsec kernels added

#3 Updated by intrigeri 2015-01-08 12:26:41

related to ~~Feature #8415~~: Migrate from aufs to overlayfs added

#4 Updated by BitingBird 2015-03-30 22:52:35

See http://www.corsac.net/?rub=blog&post=1573

#5 Updated by intrigeri 2015-04-05 16:30:19

> See http://www.corsac.net/?rub=blog&post=1573

TL;DR:

Yves-Alexis has finally updated the packages in his personal APT repo. That’s still a 3.2 kernel.
Jessie’s kernel (3.16) isn’t a long-term branch, so there won’t be a grsec patch maintained for it
forward-porting grsec patches from 3.14 (long-term branch) to 3.16 isn’t trivial
Yves-Alexis has looked at Mempo’s custom kernel, and wasn’t more convinced by the build process than I was
Yves-Alexis will probably “solve” the problem for himself, and may stop publishing .deb’s; he is hesitating between tracking 3.14 and using 3.19 + upgrading until a new LTS branch appears

To sum up, Yves-Alexis’ APT repo can be useful for the initial evaluation of grsecurity in Tails, but it likely won’t cut it as a long-term solution.

#6 Updated by intrigeri 2015-05-27 10:54:23

Update from corsac on that topic: http://www.corsac.net/?rub=blog&post=1575

> * Yves-Alexis will probably “solve” the problem for himself, and may stop publishing .deb’s; he is hesitating between tracking 3.14 and using 3.19 + upgrading until a new LTS branch appears

Yves-Alexis has published scripts, configuration (and binary packages) for Linux 3.14.

> To sum up, Yves-Alexis’ APT repo can be useful for the initial evaluation of grsecurity in Tails, but it likely won’t cut it as a long-term solution.

That’s still the case.

#7 Updated by intrigeri 2015-06-12 22:07:22

If these kernels lack aufs support, but support overlayfs, then this work will need to be based on feature/8415-overlayfs.

#8 Updated by intrigeri 2016-01-05 16:47:00

Status changed from Confirmed to Rejected

Now that grsec landed in Debian, I guess this is not relevant anymore. Sorry if I got it wrong!

#9 Updated by intrigeri 2017-01-01 11:27:17

related to deleted (~~~~Feature #8415~~: Migrate from aufs to overlayfs~~)