Originally posted by unixfan2001
View Post
Announcement
Collapse
No announcement yet.
GrSecurity Kernel Patches Will No Longer Be Free To The Public
Collapse
X
-
Originally posted by oiaohm View Post
Yes upstream responded with break those patches up and resubmit.
Yes the kernel self protection project is being able to break up GrSecurity features and submit them interdependently. Yes they are not as well optimised as GrSecurity ones. Optimisation can come latter.
GrSecurity could be a jackass and not submit mainline while they did not have competition attempting to do the same things. You think about it you only have enough funds to either support GrSecurity or Kernel Self Protection Project. The Kernel Self Protection Project the fact it going up stream and peer reviewed its going to draw some peoples attention.
The price of not being at least partly mainline it left the door open to competition.
I am inclined to believe that what is now upstreamed is not enough, and spender is right when he claims that the people upstreaming his patches do not understand them and how they interrelate.
Comment
-
Originally posted by TheBlackCat View Post
Citation needed. A patch doesn't actually have to have any kernel code in it, and even if it does it may fall under an interoperability exception.
- Likes 3
Comment
-
Originally posted by TheBlackCat View Post
Citation needed. A patch doesn't actually have to have any kernel code in it, and even if it does it may fall under an interoperability exception.
Fact of the matter is: If something is being used to patch or link against the kernel, GPL suits and Linux developers consider it a derived work of the kernel.
The idea here is that, once compiled, it's all one binary so the free parts and the non-free parts collide.
Ditto for every GPLd library (with the exclusion of certain system libraries) being used by a client application. If product A links against library B (statically or dynamically, doesn't matter), they're considered to share the same context, thus product A is a derived work of library B.
- Likes 2
Comment
-
Originally posted by ssokolow View Post
As I understand it, legal precedent basically paraphrases to "Patches are derived works because they aren't sufficiently useful without being applied to the base work."
Comment
-
Originally posted by Wilfred View PostAs spender has noted, there are lots of aslr breaks against the vanilla linux kernel to which grsecurity is not vulnerable.
I am inclined to believe that what is now upstreamed is not enough, and spender is right when he claims that the people upstreaming his patches do not understand them and how they interrelate.
Interrelated is a huge excuse. Claiming interrelated means you cannot take the patch set apart and apply 1 feature at a time. For debugging multi platform.
Interrelated is a key one for mainlining. If patches are not mainline when mainline changes they can introduce security faults as well.
I just hit almost the same issue as #14363 (mine reads "ApplyLayer exit status 1 stdout: stderr: chmod /bin/mount: permission denied") , also under Gentoo. It is related to the use of the kernels b...
Now do you see the design fault here.
If you had read about seccomp sandboxing you would see the design fault.
chroot_deny_chmod and chroot_deny_mknod are system wide global things. So those patches as is going mainline in their current form are unlikely to be accepts.
Think for a case where you need 1 chroot with those features you have to disable the grsecurity feature for all the chroots you are using.
Seccomp jail can do the same job on a case by case.
The biggest security defect with grsecurity patches is that they are built on the design of total integrated solution with no allowance for people having to do limited rule breaking.
Upstream wants each feature from grsecurity to stand independently for very good reasons. The number of controls added to turn features globally on and off in grsecruity is a major fault.
Sorry allowing the interrelated excuse for not breaking up patches has to end. If the alteration can work by itself its not interrelated it is only an enhancement.
Really grsecurity supporting people need to stop throwing stones. Reality there are example after example of people having to over lower security to-do things with a grsecurity kernel because of too much of an all or nothing design.
- Likes 1
Comment
-
Originally posted by oiaohm View PostProblem is you only need to ask yourself a few basic questions.
Grsecurity have been heavily x86 focused and are still very x86 focused.
Notice mips, arm, arm64, powerpc . x86. KSPP is multi cpu coverage this is from working upstream to get stuff into mainline so putting the alterations in front of those dealing with other systems.
waah waah grsecurity people don't want to make patches for other archs waah waah they are baaad waah waah.
They write stuff, they can decide to not care about archs they don't use/like/whatever. This isn't a proof of any wrongdoing, it's not breaking any rule.
https://forums.grsecurity.net/viewtopic.php?f=7&t=4476
If you want to see jackass read this carefully.
Update: shortly after this post, yet another kernel infoleak was posted. This particular one has been fixed already in grsecurity the same way since August of 2012.
So for 4 years grsecurity knows about a security fault and never sends to mainline.
Its a 2 line change. The grsecurity guys cannot point to where in 2012 they put a patch up to the Linux kernel and it was rejected. Because they never did.
They didn't fix that specific infoleak and are not mainstreaming sources because they are somewhat evil, they prevented any infoleak with their own system even if they don't know where is the bug that caused the infoleak in the first place. You know what is supposed to do the KSPP? That's what it is supposed to do.
Does it do that? I see articles saying it does not fare that well, they are dug out by grsecurity, but the articles themselves are valid.
Lot of issues of grsecruity leaving people security exposed and them doing nothing to correct it.
Every time they get smart ass pointing out flaws you see a lot of fixes appear in the Linux kernel so meaning they cannot sell that as unique features any more.
Yes grsecruity are upset that other people are merging features they developed but they also never attempt to merge those features. So stiff you want credit you should have submitted your features mainline then someone else could not steal your thunder.
I really don't care of most of the waah waah you post, I need proof that what is in the kernel is decent enough.
Comment
-
Originally posted by W.Irrkopf View PostActually no (not in this case): You'd be correct as far as GPLv3 is concerned - but with GPLv2 (and the Linux kernel is v2 only, not v2+) once you distribute a derived work, *everyone* is entiteled to receive the souce from you.
The situation gets less clear in case they provide only patches with no context to their customers.
3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following:
a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,
b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.)
There is no requirement to share your source with anyone, only with those that receive a copy of it from you. So they only need to provide source code to customers to follow GPLv2 requirements.
The only license that requires that you send sources to more or less anyone is the AGPL (Affero GPL) that forces you to provide source of the AGPLed stuff on the server to any clients requesting it.
Comment
-
Originally posted by TheBlackCat View PostIANAL, but I am pretty sure the patches are not automatically under the GPL. The GPL only applies to the source of software someone distributes. The patches themselves are not software, so they are the work of the company and can be under whatever license they want. I think the only situation where the patches would be under the GPL is if they are considered derivative works, but depending on the patch format there may be none of the original kernel code in them, and even if there was some there are some allowances to use portions of copyrighted works for the sake of interoperability (although those seem kind of fuzzy)
And that would mean that even if the company provided patched binaries, they wouldn't need to provide the actual stand-alone patches, although customers could reverse-engineer them by diffing the original sources with the patched ones (but they wouldn't be able to include the company patch descriptions or patch names).
Again, IANAL, but that is the impression I have gotten.
Originally posted by peppercats View PostAny subscribed customers could release the patches as they're required to distribute the source with any binaries…
This is an arrangement even the FSF has reviewed and approved upon, as that agreement is essentially a contract between two entities (client and vendor) that is not curtailed from overriding the GPL.
That's effectively BSD'ing (Bull-Shit Distributing?) GPL.Last edited by ArchLinux; 21 May 2017, 06:42 AM.
Comment
-
Originally posted by ArchLinux View Post"Your impression" is missing the point there, as any patch that is based on a GPL source must also be GPL compatible. It's not "standalone" if it's a patch to a product, and not its own product.
Comment
Comment