I'll try the grsecurity Arch kernel this weekend, though. Is there an IRC / mailing list for its development? I do want to get involved at some point with policy creation, albeit I'm a guy who has only contributed to Suse apparmor profiles and has never used the gr tools. I'll need to get some reading done...
Some initial impressions though, after reading the wiki pages, READMEs from the grsec site, and a few superuser posts about it:
1. They don't try to mainline it because they don't want parts in the mainline kernel, they want the whole package - and they perceive the kernel developers as security hostile. Honestly, my biggest issue with this project is that it looks like it can never become mainline, and thus it can never become popular. This is why I've always supported apparmor - it is flawed, it is insufficient, it breaks a lot, but it is better than nothing and usable. I have no gripes with it if the majority of the Arch ecosystem considers adopting it, though.
2. Is there a way to only use per-subject policies, rather than user policies? For single-user systems polkit and systemd already do the appropriate resource allocations to unprivileged users, so the user profiles seem redundant in that context - usually the DAC policies of the packages themselves are more than sufficient, and what I really want is binary hardening and restricted policies so exploited network-facing software can't start jacking the entire system. I get where they have value on, say, a huge LDAP server, where just having custom groups for each user class is insufficient.
3. I thought the stock kernel already does ASLR and has noexec page flags.
The profiles look very apparmor-esque, though, which is good. Trying to do any access control in SELinux makes me want to devour brains since mine melted. Network access controls are nice and fine-grained...
Damn it, the more I read about gr, the more I regret writing it off years ago under the pretense "it is not mainline, it can never be serious". Kind of hypocritical to think the LSM model is a broken wreck and ridiculous while not considering out-of-tree security models that avoid using it.
Also, this is making me really want to think about switching my server to Arch from Debian just for the gr kernel.
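As an added example (not part of the original post) of what the per-subject confinement asked about in point 2 looks like in the grsecurity RBAC policy language: the default role keeps a tight root subject, and a separate subject for an assumed network-facing daemon at the placeholder path /usr/sbin/httpd overrides it, hides everything the daemon does not need, drops every capability except the one it needs to bind, and permits exactly one listening socket and no outbound connections. The paths, port and capability set are assumptions for illustration; a real policy is derived from what the binary actually touches (grsec's learning mode) and checked with `gradm -C` before enabling.

```text
# Added example, not from the post: /etc/grsec/policy fragment (paths assumed).

# Administrative role, kept so the admin can still run gradm.
role admin sA
subject / rvka
	/ rwcdmlxi

# Default role for everything else. Its root subject is deliberately tight;
# per-subject policies below refine it for specific binaries.
role default G
role_transitions admin
subject /
	/		r
	/bin		rx
	/sbin		rx
	/lib		rx
	/usr		rx
	/etc		r
	/tmp		rwcd
	/var		rwcd
	/dev/null	rw
	/dev/urandom	r
	/proc/kcore	h
	/sys		h
	-CAP_ALL
	bind	disabled
	connect	disabled

# Per-subject policy for an assumed network-facing daemon (placeholder path).
# The 'o' flag overrides inheritance from the role's root subject, so the
# daemon sees only what is listed here; '/ h' hides everything else.
subject /usr/sbin/httpd o
	/			h
	/usr/sbin/httpd		x
	/etc/ld.so.cache	r
	/etc/httpd		r
	/etc/ssl/certs		r
	/lib			rx
	/usr/lib		rx
	/usr/share/httpd	r
	/srv/www		r
	/var/log/httpd		ac
	/run/httpd		rwcd
	/dev/null		rw
	/dev/urandom		r
	-CAP_ALL
	+CAP_NET_BIND_SERVICE
	bind	0.0.0.0/0:80 stream tcp
	connect	disabled
```

If the daemon is compromised, the subject policy is what keeps it from reading /etc/shadow, writing outside its log and run directories, or opening a connection back out, independent of what the DAC permissions on those paths allow.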