[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Minutes of the Debian linux-2.6 Group Meeting

On Thu, Nov 11, 2010 at 13:52:12 +0000, maximilian attems wrote:
> LSM: Enable AppArmor? as well as/instead of Tomoyo?
> ---------------------------------------------------
> As the LSM need to be built we can't enable them. This needs a technical
> solution were code can be disregarded as init sections or similar.
> AppArmor seems more popular as Opensuse and Ubuntu uses it. Technicaly
> Tomoyo is said to be cleaner.

What do you mean by "can't" here? You can build _all_ of them,
actually. The active LSM is just selected at boot-time through the
kernel command line arguments. If it's a concern over kernel size,
upstream specifically removed the ability to make the LSM modular,
so this means that no additional LSMs will ever be available in Debian?

> NX bit emulation and 32-bit mmap randomization
> ----------------------------------------------
> We don't want to carry intrusive patches.
> The NX patch was rejected as such by upstream and thus we won't take
> it either.

Why? These patches are well maintained, and touch areas of the kernel that
do not change much (making them very easy to merge). Why leave non-PAE
x86 users out in the code when so many other distros use some form of
this patchset? I've worked to make sure they only touch CONFIG_X86_32,
so they're extremely minimal.

> Currently we recommend PAE for bigger boxes but do not default to it.
> Action item by bwh and waldi to default Debian Installer to it
> and deprecate non PAE 686.

This sounds great, regardless.

> Upstream status of the other patch is unknown, maks will consult Kees.

In my mind, they[1] are a single patch -- the "32-bit mmap randomization"
is better named "ASCII Armor ASLR", which doesn't have much value,
IMO. The entropy is extremely low compared to upstream ASLR, but it would
be actually 0 if left out in the nx-emu case. As such, it is only enabled
on systems that are using nx-emu.

I intend to try to get it upstreamed, but it's pretty far down on my TODO



[1] http://git.kernel.org/?p=linux/kernel/git/frob/linux-2.6-roland.git;a=shortlog;h=refs/heads/fedora/x86-nx-emulation
    (this one is still missing one additional patch from me...)

[2] https://wiki.ubuntu.com/SecurityTeam/Roadmap/KernelHardening#Upstream%20Hardening

Kees Cook                                            @debian.org

Reply to: