
Provide grsec kernel and pax tools as alternative kernel install
Closed, Wontfix (Public)

Description

I'd like to see Solus providing an alternative kernel compiled with the grsec patch, and pax tools. I realise this might be out of the scope of what the developers want to do with Solus (pure focus on performance on desktop linux).

However, with the internet becoming a more dangerous place every day, and linux handling security rather miserably (see e.g. https://www.youtube.com/watch?v=-T1LoHTZDvs), I feel that providing more security for the desktop is paramount (even beyond providing Wayland and firejail), even if it cannot be provided out of the box because of decreased usability and performance, even though it honestly doesn't decrease performance by so much. Also, it shouldn't be much of a maintenance overhead to provide these patches, once available, for the maintainers (I think?).

This task is just to poll interest from the community and developers for what I consider an issue which should have been at least partially solved by (cough) the linux kernel team long ago. But then again I'm a little bit paranoid. Thanks.

Event Timeline

Well tbf grsec have had plenty of time to upstream their work into Linux, but they didn't. And when they're finally nagged into it, they put in massive patch sets that change huge amounts of the kernel subsystems in a way that makes them impossible to manage. The Linux kernel has a proper review process with mailing lists, nobody is stopping grsec from upstreaming this work.

We're also not in a position whereby we can currently provide multiple kernels, so this can remain blocked for evaluation until CBM is integrated.

I completely agree. The grsec guys should have upstreamed their patches, or at least attempted to work with upstream. For me as a user it is becoming increasingly important however to use a more secure operating system, especially in these weird times. I would be able to contribute to pax flags for most of the software in Solus, when the time comes that CBM is integrated. I think patching and building the kernel itself is relatively easy, although I'm far from an expert.

Thanks for considering this in any case!

Yeah the new kernel package builds are much simpler than the old ones, here's the current template we'll use post CBM: https://git.solus-project.com/packages/linux-lts/tree/package.yml

Much of it is actually boilerplate, and I'll very likely condense most of that into ypkg macros.

ikey closed this task as Wontfix. Apr 27 2017, 5:28 AM
ikey claimed this task.

Please note it is now no longer possible to provide a grsec kernel as they seem to have withdrawn even further from the kernel: http://phoronix.com/scan.php?page=news_item&px=GrSecurity-No-Longer-Free