grsec fix kernel version #25743
Comments
I suppose that would really only work for a limited time, as pinning to old kernel would stop you from receiving security updates to it...
See also #25277.
You could use https://github.com/minipli/linux-unofficial_grsec/tree/linux-4.9.x-unofficial_grsec but there's no telling how long that'll keep going.
Also, there's the issue of bugs in grsec/PaX itself: who'd you report them to and who'd be qualified to fix them? There have been serious bugs before, there's no reason to believe the last public test patch is "perfect".
I definitely see some value in offering the latest grsec-patched kernel version, at least for a while. Is it a big maintenance burden to do that?
Note: if this is revived, we probably shouldn't call it grsec(urity) anymore.
Not sure how much it helps @mrobbetts but we do have the Copperhead kernel in nixpkgs (https://github.com/copperhead/linux-hardened). They integrate and update regularly and a lot of changes are based on PaX/grsec (Repo says "Changes from PaX / grsecurity are marked as such").
I integrated minipli kernel (4.9.40-unofficial+grsec) using a custom module, compiling it right atm. I'll be able to tell more this week, I hope.
Cool, curious to see how that goes :)
After fiddling with the computer, it decided to work.

```
$ uname -a
```

If #25208 is fixed, I'll be very happy. It takes ages to compile. What should we do now, revive?
You could just send in a PR with a kernel derivation similar to that of Copperhead?!
@evrim Did you want me to create the PR?
@NeQuissimus I've used the following if you are interested in compiling.

```nix
{ stdenv, hostPlatform, fetchFromGitHub, perl, buildLinux, ... }@args:

let
  # Directory holding nixpkgs' generic kernel builder. The "<nixpkgs>" path
  # lookup was lost in extraction of the original comment and is assumed here.
  kernelPath = <nixpkgs> + "/pkgs/os-specific/linux/kernel/";
  branch = "4.9";
  version = branch + ".40";
  # Pinned commit of minipli's unofficial grsec tree
  revision = "74213b1";
in
import (kernelPath + "generic.nix") (args // {
  inherit version;
  ignoreConfigErrors = true;
  extraMeta.branch = branch;
  # Must match the version string the patched kernel reports, so that the
  # modules directory is found at boot
  modDirVersion = version + "-unofficial+grsec";

  src = fetchFromGitHub {
    owner = "minipli";
    repo = "linux-unofficial_grsec";
    rev = revision;
    sha256 = "1rv345hciwc1mjz6r8wx8f0fqd4mkc84q36nna7xq1rlgml8m933";
  };

  # Passed in by the caller (not a formal argument of this expression)
  kernelPatches = args.kernelPatches;
  features.iwlwifi = true;
  features.efiBootStub = true;
  features.needsCifsUtils = true;
  features.netfilterRPFilter = true;
} // (args.argsOverride or {}))
```
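One way to wire that derivation into a NixOS configuration, as an added example (not the commenter's code): it assumes the expression above is saved as `linux-grsec.nix` next to `configuration.nix`, that `pkgs.linuxPackagesFor` takes the kernel as its only argument, and it supplies `kernelPatches` explicitly, since `callPackage` only injects formal arguments while the expression reads it from `args`.

```nix
# configuration.nix fragment (assumed file layout: ./linux-grsec.nix beside it)
{ config, pkgs, ... }:

let
  # callPackage fills stdenv, fetchFromGitHub, perl, buildLinux, ... from pkgs.
  # kernelPatches is read from `args` and is not a formal argument, so it has
  # to be passed here; an empty list applies no extra nixpkgs patches.
  grsecKernel = pkgs.callPackage ./linux-grsec.nix {
    kernelPatches = [ ];
  };
in
{
  # Build the module/tool set around the pinned kernel and boot from it.
  # Because the rev and sha256 are fixed, rebuilds stay reproducible, and the
  # kernel only changes when the pin in linux-grsec.nix is bumped.
  boot.kernelPackages = pkgs.linuxPackagesFor grsecKernel;
}
```

Rebuilding with `nixos-rebuild switch` then compiles the pinned tree instead of failing with the upstream-support error shown in the issue description.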
won't fix.
Issue description
Hello,
How can I fix the kernel version and continue with the grsec kernel?
```
nixos-rebuild switch
building Nix...
building the system configuration...
error: Upstream has ceased free support for grsecurity/PaX.
See https://grsecurity.net/passing_the_baton.php
and https://grsecurity.net/passing_the_baton_faq.php
for more information.
(use ‘--show-trace’ to show detailed location information)
```