Re: Minutes of the Debian linux-2.6 Group Meeting
On Thu, Nov 11, 2010 at 13:52:12 +0000, maximilian attems wrote:
> LSM: Enable AppArmor? as well as/instead of Tomoyo?
> ---------------------------------------------------
> As the LSM need to be built we can't enable them. This needs a technical
> solution where code can be disregarded as init sections or similar.
> AppArmor seems more popular as Opensuse and Ubuntu use it. Technically
> Tomoyo is said to be cleaner.
What do you mean by "can't" here? You can build _all_ of them,
actually. The active LSM is just selected at boot-time through the
kernel command line arguments. If it's a concern over kernel size,
upstream specifically removed the ability to make the LSM modular,
so this means that no additional LSMs will ever be available in Debian?
> NX bit emulation and 32-bit mmap randomization
> ----------------------------------------------
> We don't want to carry intrusive patches.
> The NX patch was rejected as such by upstream and thus we won't take
> it either.
Why? These patches are well maintained, and touch areas of the kernel that
do not change much (making them very easy to merge). Why leave non-PAE
x86 users out in the cold when so many other distros use some form of
this patchset? I've worked to make sure they only touch CONFIG_X86_32,
so they're extremely minimal.
> Currently we recommend PAE for bigger boxes but do not default to it.
> Action item by bwh and waldi to default Debian Installer to it
> and deprecate non-PAE 686.
This sounds great, regardless.
> Upstream status of the other patch is unknown, maks will consult Kees.
In my mind, they[1] are a single patch -- the "32-bit mmap randomization"
is better named "ASCII Armor ASLR", which doesn't have much value,
IMO. The entropy is extremely low compared to upstream ASLR, but it would
be actually 0 if left out in the nx-emu case. As such, it is only enabled
on systems that are using nx-emu.
I intend to try to get it upstreamed, but it's pretty far down on my TODO
list[2].
Thanks,
-Kees
[1] http://git.kernel.org/?p=linux/kernel/git/frob/linux-2.6-roland.git;a=shortlog;h=refs/heads/fedora/x86-nx-emulation
http://git.kernel.org/?p=linux/kernel/git/frob/linux-2.6-roland.git;a=shortlog;h=refs/heads/fedora/32bit-mmap-exec-randomization
(this one is still missing one additional patch from me...)
[2] https://wiki.ubuntu.com/SecurityTeam/Roadmap/KernelHardening#Upstream%20Hardening
--
Kees Cook @debian.org