
linux-hardened
Closed, Invalid (Public)

Description

Hi, It would be nice to get this package for a more secure os.

  • Name: linux-hardened
  • Project-Homepage: https://github.com/copperhead/linux-hardened
  • Why?: This patch hardens the kernel; it is similar to the grsecurity patch, which was open source but isn't anymore. It provides more security, and it would be nice to find a Linux kernel patched with linux-hardened in your repository. I am using Antergos at the moment, and in the AUR I can get a kernel patched with linux-hardened. But I would like to change my OS to Solus and its nice desktop environment Budgie. So you can see this as an opportunity to get more people to Solus and to your community. It would be nice to get an easy way to install a more secure kernel for the masses.
  • Is it open source? Yes!
  • Github: https://github.com/copperhead/linux-hardened.git

Yours sincerely.

Event Timeline

Teewet created this task. Oct 13 2017, 6:56 PM
Teewet added a comment. Edited Oct 13 2017, 7:31 PM

I do not understand why you closed this task, it is not a duplicate. Grsec can't even be added to the repository, because it is closed source now. The linux-hardened patch is open source! So do I understand right? My DIFFERENT package request will be closed because it is a "duplicate" and will be added to another package request that is closed? The linux-hardened patch is NOT Grsec!

Tell me if I am wrong.

Yours sincerely.

Aite, chill out, it was just a pre-coffee mistake.

JoshStrobl reopened this task as Open. Oct 13 2017, 7:47 PM

Please rename this task!!!

Justin renamed this task from Package request to linux-hardened. Oct 14 2017, 3:25 AM
Teewet added a comment. Edited Oct 14 2017, 9:28 AM

> Aite, chill out, it was just a pre-coffee mistake.

I just felt fooled, if it was a pre-coffee mistake, then I am reassured and thanks for opening it again :)

Yours sincerely.

Well, I'm very happy that we're getting linux-hardened!!

Thanks a bunch to everyone!

@anaknaga Not sure where you got that impression. This is labeled Needs Triage, meaning it needs to be evaluated so we can determine if we will support it.

miwilc added a subscriber: miwilc. Edited Oct 14 2017, 8:26 PM

Why do we need (to maintain) a new kernel if no one or an extremely small proportion of the users is going to be using it?
Solus has made exceptions for specialist software before but this is a bit much, I feel.

That said:
you can always create your own server with ferryd if you really need it to be distributed.

@miwilc I actually think there is no small amount of users that would welcome such an addition.
Interesting article about kernel security beyond bug fixing: https://lwn.net/Articles/662219/ and the Kernel Self Protection Project.

In T4751#84667, @miwilc wrote:

> Why do we need (to maintain) a new kernel if no one or an extremely small proportion of the users is going to be using it?

Why would none of the users be using it? At the moment no one is using it because most of the users don't know how to get it. For Debian, Ubuntu, Mint, ..., you have to compile this kernel yourself, and this is the process we have to ease. It's all about getting a precompiled hardened kernel to the masses, so that the user can just click and install it. Even a user who knows how to apply this patch to the kernel won't do this for every new release. In the case of support, it is possible to write an article about the hardened kernel, so that users who visit the Solus website will see this. The more secure way is the right way nowadays.

Yours sincerely.

A hardened kernel also brings some constraints/limitations and might eventually increase support requests and complaints or decrease user-friendliness.
The target of Solus is mainstream desktop usage, not servers or highly secured workstations.

This being said I am not an expert and I have no clue on the effort required to set this up, maintain it and of the impact on the end-users so I don't mean this should be rejected or so, I simply mean that if other mainstream distributions do not propose such hardened kernels, there should be a reason.

I already see people getting confused by the boot manager, encryption, LTS vs current kernel, or simply systemd services that are not enabled by default. Wouldn't this add some more complexity?

I can understand how hard it can be to maintain a new kernel, but this kernel has so many advantages. Debian for example was maintaining the grsec patch, but grsec is closed source now and they did not add a new one (I think; the last time I used Debian was a year ago). But Arch Linux is maintaining this hardened kernel https://www.archlinux.org/packages/?sort=&q=hardened&maintainer=&flagged=, yes their OS is not really user friendly, for that there is Antergos. I was using Antergos with the linux-hardened kernel for about a year and there was no decrease in user-friendliness. I just do not like the official Antergos desktop environments; I can install Budgie in Antergos but there are annoying bugs sometimes, which I don't have with Solus (Budgie), it just works like a charm.

Yours sincerely.

miwilc added a comment. Edited Oct 15 2017, 12:17 AM
In T4751#84716, @Teewet wrote:

> I can understand how hard it can be to maintain a new kernel, but this kernel has so many advantages.

That statement is ambiguous and a hardened kernel usually has speed/performance issues but if you wish you can always compile (/package) and maintain it yourself.

Anyway, instead of looking at the kernel, please consider using existing systemd security features to secure your system:

https://lwn.net/Articles/709755/
https://lwn.net/Articles/709764/
https://wiki.archlinux.org/index.php/User:Rdeckard/Secure_Systemd

Teewet added a comment. Edited Oct 15 2017, 12:33 PM

It would be a pleasure for me to maintain it myself, but I have no time and I have to study more first. When I installed Antergos with the hardened kernel there was no noticeable decrease in performance for me. My intent is not to secure only my PC; I would like to bring the hardened kernel, with an easy way to install it, to the masses.

Some of your listed security features are integrated in the hardened kernel out of the box https://wiki.archlinux.org/index.php/Security#Kernel_hardening. A new user would not know how to secure systemd himself; it would be easier if the new user finds a way to just install it.

Yours sincerely.

How many novice users would install a package like linux-kernel-hardened or something like that in the first place? How many of them would not know how to reboot into a regular kernel if "it doesn't work"?

I honestly don't know. I do know that installing the hardened kernel on Arch doesn't really change anything in terms of ootb user experience. But I'm far from an expert either, so I'll go with the flow.

@anaknaga How many novice users would install a package like linux-kernel-hardened or something like that in the first place?

I really don't know how many novice users would install this package. But I hope someone who installs Linux is trying to learn more about Linux. How many novice users would even install Linux? Before they install Linux, they will try to learn how to install it. For my first days with Linux it wasn't different either; after I installed Linux for the first time, my first questions were: do I need antivirus software? How do I update Linux? Where do I get other software? I don't think a novice user will install the linux-hardened kernel, but I do believe that humans who try something new want to learn something new.

@anaknaga How many of them would not know how to reboot into a regular kernel if "it doesn't work"?

I don't know, but I know, every time Linux users do boot/reboot their system, they see GRUB.
And for changing the kernel while your system is online, you can use the graphical interface grub-customizer (it is in the repository).

I am always saying, let's take security to the "masses". Solus is a famous Linux distro on Distrowatch.org (rank 6 atm); if the Solus community would start a campaign for security, it would be a big step forward. A full new ISO with the linux-hardened kernel preinstalled would be the best idea ("Solus download" and next to the first download "Solus hardened download", with a small article about it), but this will never happen, I think.

Nice to see people discussing this package; every time we add a new comment, this package request is shown in "Recent Activity" and more people of the community may read this.

Yours sincerely.

ikey closed this task as Invalid. Dec 11 2017, 2:41 PM
ikey added a subscriber: ikey.

> Nice to see people discussing about this package, every time we add a new comment, this package request is shown in "Recent Activity" and more people of the community may read this.

That's all well and good, but that repo is clearly dead. Hasn't seen activity since May 16th. I'm not going to include a dead Linux fork as an option.
We already apply some hardening to our kernel and toolchain (full RELRO, secure PLT, etc) - I don't see what else can come of this task so I'm closing it.
Our kernel also has hardening options (userptr, etc.) enabled out of the box.
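The toolchain hardening named in the comment above can be verified on any installed binary rather than taken on trust. The following is an added example, not code from Solus or this task: a minimal ELF64 reader that classifies a binary as "full", "partial" or no RELRO by looking for the PT_GNU_RELRO segment and the BIND_NOW dynamic flag (full RELRO needs both, because the GOT can only be made read-only once all symbols are resolved at load time). The `make_sample` helper builds a constructed, code-free ELF so the checker can be exercised offline; only little-endian ELF64 is handled.

```python
import struct

PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
PHDR, DYN = "<IIQQQQQQ", "<qQ"  # ELF64 program header / dynamic entry layouts

def relro_status_bytes(data):
    """Classify an in-memory ELF: "full", "partial" or "none"; None if not LE ELF64."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        return None
    e_phoff, = struct.unpack_from("<Q", data, 32)          # e_phoff
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    has_relro, dyn = False, None
    for i in range(e_phnum):
        p = struct.unpack_from(PHDR, data, e_phoff + i * e_phentsize)
        if p[0] == PT_GNU_RELRO:
            has_relro = True
        elif p[0] == PT_DYNAMIC:
            dyn = (p[2], p[5])                              # p_offset, p_filesz
    if not has_relro:
        return "none"
    bind_now = False
    if dyn:
        off, end = dyn[0], dyn[0] + dyn[1]
        while off + 16 <= end:                              # walk the dynamic section
            tag, val = struct.unpack_from(DYN, data, off)
            off += 16
            if tag == DT_NULL:
                break
            if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                    or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                bind_now = True
    return "full" if bind_now else "partial"

def relro_status(path):
    """Same check for a file on disk, e.g. /usr/bin/ls on the installed system."""
    with open(path, "rb") as f:
        return relro_status_bytes(f.read())

def make_sample(relro, bind_now):
    """Constructed minimal ELF64 (header, program headers, dynamic section; no code)."""
    dyn = struct.pack(DYN, DT_FLAGS, DF_BIND_NOW if bind_now else 0) + struct.pack(DYN, DT_NULL, 0)
    types = [PT_DYNAMIC] + ([PT_GNU_RELRO] if relro else [])
    phoff, dynoff = 64, 64 + 56 * len(types)
    ehdr = b"\x7fELF\x02\x01\x01" + b"\0" * 9 + struct.pack(
        "<HHIQQQIHHHHHH", 3, 62, 1, 0, phoff, 0, 0, 64, 56, len(types), 0, 0, 0)
    phdrs = b"".join(struct.pack(PHDR, t, 4, dynoff, 0, 0, len(dyn), len(dyn), 8) for t in types)
    return ehdr + phdrs + dyn
```

Run `relro_status("/usr/bin/ls")` on a Solus install to confirm the claim; `readelf -d` shows the same flags if you prefer binutils.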

> That's all well and good, but that repo is clearly dead. Hasn't seen activity since May 16th. I'm not going to include a dead Linux fork as an option.
> We already apply some hardening to our kernel and toolchain already (full RELRO, secure PLT, etc) - I don't see what else can come of this task so I'm closing it.
> Our kernel also has hardening options (userptr, etc.) enabled out of the box.

Most users are actually not aware of that, myself included. Is there any chance to make this more explicit on both the Solus site and the blog posts for the upcoming Solus 4 announcement?

I'm not sure who we're trying to appeal to by doing that? The site is pretty free of technical jargon, as we're not trying to appeal explicitly to Linux enthusiasts, rather, we're trying to be an OS for everyone.

It would be nice if more security aspects were merged into the vanilla kernel by default. I can't say anything against it even if you do not add that repo or more security; for now you all do a nice job for Solus OS and for the community! It's your opinion and your work, so only you and your team can decide. But this repo is not dead, they continue to apply this patch to the latest kernel. It has just slowed down, because mostly they merged the work of grsecurity. The grsecurity team closed their source in April https://grsecurity.net/passing_the_baton.php and now they try to maintain it unassisted.

Yours sincerely.

> I'm not sure who we're trying to appeal to by doing that? The site is pretty free of technical jargon, as we're not trying to appeal explicitly to Linux enthusiasts, rather, we're trying to be an OS for everyone.

When "shopping" for a product it certainly cannot hurt to have as much feature transparency as possible. It is not about marketing but about letting users know why Solus would be a safe choice, especially if there are short reasons provided why some features are enabled and not others.

A note to anyone who reads this: Gentoo has also stopped shipping the grsecurity patches (https://www.gentoo.org/support/news-items/2017-08-19-hardened-sources-removal.html) but according to their blog post "userspace hardening and support for SELinux will of course remain in the Gentoo ebuild repository". Is there any userspace hardening in Solus and are there specific reasons why SELinux is banned for normal Solus usage? (https://dev.solus-project.com/R2156:8fe6083c7b6931c33df55bbc9332a2299dc0abe5)

Teewet added a comment. Edited Jan 28 2018, 2:59 PM

Just wanted to say, latest commit was 3 days ago (https://github.com/copperhead/linux-hardened/commit/54c08027ad4704c97f1c423a1795cc12454df729).

> When "shopping" for a product it certainly cannot hurt to have as much feature transparency as possible.

I totally agree with you, the features of Solus OS should be more transparent.

> The site is pretty free of technical jargon, as we're not trying to appeal explicitly to Linux enthusiasts, rather, we're trying to be an OS for everyone.

I really cannot understand what you mean by "Linux enthusiasts"; people who are new to your community should know about the "technical jargon" too, it's better to have it, even if it's written in a small section of Solus. In the Solus Wiki it would fit perfectly. You are saying that you are trying to be an OS for everyone, but exclude the "Linux enthusiasts". Did I understand right?

Bear in mind that your community has people who like to know about the "technical jargon". You are saying for everyone, and these "Linux enthusiasts" are a part of your community too, so do not exclude them please. My intention is not to speak badly about you, I just try to convince you to reconsider your opinion.

And all who read that, I wish you a nice day.
Yours sincerely.