Hardened Usercopy Appears Ready To Be Merged For Linux 4.8

  • Hardened Usercopy Appears Ready To Be Merged For Linux 4.8

    Phoronix: Hardened Usercopy Appears Ready To Be Merged For Linux 4.8

    Yet another Linux kernel security feature coming to the mainline kernel that appears readied for the Linux 4.8 merge window is hardened usercopy...

  • #2
    What was wrong with keeping this in GrSecurity? Did they not accept the change?

  • #3
    Originally posted by fuzz
    What was wrong with keeping this in GrSecurity? Did they not accept the change?
    What do you mean? The smaller diffset grsec has the better? Offloading small stuff into vanilla as acceptable size patchsets yields a more lightweight grsec and a select few nice things from grsec into vanilla Linux. Everybody wins.

  • #4
    Originally posted by milkylainen
    Everybody wins.
    Except grsec, but eh. I'm still pretty unsure why they haven't pushed harder for mainlining their code (disabled by default, enabled at user discretion).
    I seem to remember that they had issues with the pluggable security modules thingy, but quite a bit of their code could be merged with vanilla behind a few #ifdefs (okay, a considerable amount, but still). The problem is probably politics, not the code itself.

  • #5
    Originally posted by milkylainen
    What do you mean? The smaller diffset grsec has the better? Offloading small stuff into vanilla as acceptable size patchsets yields a more lightweight grsec and a select few nice things from grsec into vanilla Linux. Everybody wins.
    Sure, but that begs the question... why wasn't it in vanilla in the first place?

  • #6
    Originally posted by fuzz
    Sure, but that begs the question... why wasn't it in vanilla in the first place?
    Extra code in the kernel seems to add bloat even if it's disabled in the config.

  • #7
    Originally posted by caligula
    Extra code in the kernel seems to add bloat even if it's disabled in the config.
    In most cases when a feature is disabled in Kconfig it means the module(s) for the feature is/are not built or added into the compiled kernel image if it is a builtin kernel feature, so not necessarily adding bloat.

  • #8
    Regardless... I'm happy to see it mainlined. Hope we can do the same with more security patches!

  • #9
    Originally posted by caligula
    Extra code in the kernel seems to add bloat even if it's disabled in the config.
    Unfortunately, you're spot on with that comment. It is one of my major gripes with the Linux kernel.
    I.e. the sheer amount of pork the kernel carries around that you just can't lose anymore.
    A plain embedded kernel with absolutely zero features besides running _this_ hardware and running a userspace is 100-200% larger than a fully functional late 2.6.x, for example (which does the job).
    Even if you disable everything besides mandatory drivers, the kernel is still way, way fatter than it needs to be.

  • #10
    Originally posted by DeepDayze
    In most cases when a feature is disabled in Kconfig it means the module(s) for the feature is/are not built or added into the compiled kernel image if it is a builtin kernel feature, so not necessarily adding bloat.
    Yes, the module isn't, but the other parts of the kernel had to be modified to make them compatible with this new feature. The kernel size is growing steadily even if you say N in the menuconfig.
