On Fri, 24 Jan 2014, Marko Randjelovic <[email protected]> wrote:
> > I would also like this. Yesterday I started compiling 3.2.54 with grsec
> > and PaX. A ready debian kernel(-source) with grsec and PaX would be
> > fine. Currently I am distributing my special packages via my own
> > repository - is there any concern when making it public (copyright,
> > etc.)?
>
> I managed to do it from official kernel 3.2.51-1. I removed all
> features/* patches without consideration because there were too many of
> them (905). Then I had to remove many other patches to resolve
> conflicts. If patch file f is patched consequently by patches p1, p2,
> if patch p1 is removed, then p2 may fail.

The correct thing to do is just prepare a GRSecurity patch that applies on
top of the Debian kernel patches. At one time (10+ years ago) I was
maintaining patches for GRSecurity and LSM/SELinux and doing this for every
new Debian kernel package and new version of GRSecurity and LSM/SELinux.

http://packages.debian.org/jessie/linux-patch-grsecurity2

The above package looks like it needs some work. The description doesn't
appear to have been updated since LSM became part of the main kernel tree
and it references kernel 2.4.x.

Really what this all depends on is having people in Debian with the spare
time and kernel coding skill needed to just make the patches in question
work. If the above package doesn't cleanly apply against the kernel you want
to use then you could join in the coding work. I think that anyone who has
enough skill in kernel issues that the absence of LSM hooks will provide
them with an advantage when dealing with attackers should be able to do such
coding easily.

Marko, it might be best if you have an off-list discussion with Laszlo about
how his package doesn't meet your requirements and how you might help him
with the coding.

Laszlo, please don't take this as criticism. I know that maintaining such a
kernel patch for Debian is a difficult project, you have to deal with two
different upstreams that move at different speeds.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/

