[grsec] consider splitting grsecurity

Peter S. Mazinger ps.m at gmx.net
Mon Nov 8 07:51:03 EST 2004 

On Mon, 8 Nov 2004, John Logsdon wrote:

> While I can see arguments for separating grsec and PaX, I suggest instead
> a more sensible way forward.  This could include, for example, changing
> the CONFIG variables back to the PaX variable names or at least including
> the up-to-date PaX patches (almost) automatically.  Fragmentation of the
> code would lead to fragmentation of the community which is not a good
> idea.
> 
> What happens for example where a new version of the kernel 'breaks' some
> part of grsec or PaX (as I gather has happened in 2.6)?  Do you end up
> with a half-way house or is it not better to fix the issue?  
> 
> It depends on the source of the break.  If the origin of the break were in
> grsec or PaX then it should be fixed anyway.  
> 
> But if it is in the kernel and the kernel-managers (Linus, Alan etc) take
> the view that because grsec and PaX are not mainline kernel then that is
> not their problem, the argument would have to be made to change the
> kernel.  Separation of grsec from PaX would weaken this argument to
> correct the kernel 'error' because individual users could run one without
> the other and so may chose to reduce their protection.  ie the user group
> would have become fragmented.
> 
> There is also a problem in separating PaX from grsec as seen by the user.
> The gradm administration program already provides facilities to control
> both grsec and PaX.  What would happen for example if this were run on a
> kernel from which PaX had been excluded yet the appropriate subject flags
> had been included?  Appropriate checks could be inserted and these flags
> ignored with a warning message but the more fragmented both the kernel
> patches and administration code becomes the more difficult it becomes to
> maintain.
> 
> I recognise that there is an issue of developer community - which was
> essentially Brad alone but now with some help from Michael in userland -
> but there have been patches suggested by others incorporated and all
> projects need an overall project manager or again forking will occur.
> 
> For example, nothing really gets put into the vanilla kernels that doesn't
> have Linus' agreement even if the actual patches are written by others.  
> Given that grsec is a lot smaller than the kernel so most of the patching
> can be done by Brad who understands the code in complete depth, I don't
> see too much of a problem here.
> 
> In principle it must be better to keep the parts together but Peter's
> concerns are real.  There is a need to improve the maintainability to that
> grsec+PaX is always up to date from a PaX point of view.  That way we keep
> a community of users.  Separation is a route to fragmentation and
> division.

My real target is to have following situation:
if I patch a kernel w/ only pax and another w/ grsec, and diff these, I 
should see only the grsec part. There is only one place that can be 
argued for where accounting is left of for VM_MIRROR, that should have any 
CONFIG_PAX in it, the rest is not necessary and is prone to errors.I don't 
want to compare all the time a release is made (or the cvs) to see if 
something was missed, that happened too many times in the past.

I do not know cvs, but is it not possible to have 2 trees mixed, one 
containing only the pax part, and the full one containing both. The pax 
part can be maintained by the PaX Team, and the rest by Brad/others.

Peter

> My £0.02-worth anyway.
> 
> John
> 
> John Logsdon                               "Try to make things as simple
> Quantex Research Ltd, Manchester UK         as possible but not simpler"
> j.logsdon at quantex-research.com              a.einstein at relativity.org
> +44(0)161 445 4951/G:+44(0)7717758675       www.quantex-research.com
> 
> 
> On Sun, 7 Nov 2004 spender at grsecurity.net wrote:
> 
> > > well, then check your diffs, because you have much left out from current 
> > > pax. That's why I say, split it. PaX is maintained separately. There is 
> > > almost no conflict between PaX and the rest of grsec, only where you 
> > > decided to not account from VM_MIRROR (and that haven't changed much in 
> > > the last time), so that conflict can be easily adapted (not considering 
> > > the changes you have done not using asm/page.h and similar, changed to 
> > > use grsecurity/Config.in instead of what was provided by 
> > > PaX, but that does not change any functionality), and it's more accurate, 
> > > consider only the fact that some time ago some PaX option that was
> > > allowed only on 586_TSC was possible on grsec w/o this condition, 
> > > producing some noise/failures.
> > 
> > I've gone through an entire check of the differences between grsec and 
> > PaX and copied over the changes (page.h, fixed pageexec config, amd64, 
> > mips, mips64, ia64 support).
> > 
> > -Brad
> > _______________________________________________
> > grsecurity mailing list
> > grsecurity at grsecurity.net
> > http://grsecurity.net/cgi-bin/mailman/listinfo/grsecurity
> > 
> 
> _______________________________________________
> grsecurity mailing list
> grsecurity at grsecurity.net
> http://grsecurity.net/cgi-bin/mailman/listinfo/grsecurity
> 
> 

-- 
Peter S. Mazinger <ps dot m at gmx dot net>           ID: 0xA5F059F2
Key fingerprint = 92A4 31E1 56BC 3D5A 2D08  BB6E C389 975E A5F0 59F2

More information about the grsecurity mailing list