This is deeply concerning to me as someone who has relied on the grsec patchset for over a decade to sleep slightly better knowing how horrible our memory safety is.
That’s the main issue imho. Who cares if a better option is available if it requires an expert to configure/use? If there aren’t any mitigations on by default with sane default configuration then they might as well not exist.
For an end user sure, but it depends who your audience is. If as in this case the user is someone patching together a custom kernel for an OS it seems reasonable to expect that they either are or have access to experts.
Except that would go against what a lot of the more mainstream distros are doing. Most are SELinux (I know debian has it installed but disabled) and some are AppArmor (which is easier than SELinux/has some flaws), but if you are using grsecurity then you are either an expert or in a power-user leaning distro. That’s silly because grsecurity is the least management/config required and provides a lot of security for the ease of use. It would make more sense for the bigger distros to have grsecurity than SELinux, but SELinux is the corporate requirement in most spaces which is why it’s default in them.
The end result is that the people most likely to benefit from the ease of configuration of grsecurity (casual linux users) don’t really have access to it.
Honestly the state of embedded anything is pretty scary. I feel like it’s been more visible with embedded linux as there have just been issue after issue, mostly because it’s some large-scary-corporation taking a distro and trying to force it into the constraints of their already designed system. So much feels after the fact about the process. There was that embedded linux issue where the admin password was hardcoded on those netis routers. And from what it sounds, these companies approach trademarks/laws with the same care they approach security.
This is deeply concerning to me as someone who has relied on the grsec patchset for over a decade to sleep slightly better knowing how horrible our memory safety is.
Why do such critical security features continue to exist as a 3rd party patchset after 14 years instead of being integrated upstream?
Afaik it has issues with Xen and a few other things. Also, SELinux is ~better than grsecurity if configured correctly (which is much harder to do).
That’s the main issue imho. Who cares if a better option is available if it requires an expert to configure/use? If there aren’t any mitigations on by default with sane default configuration then they might as well not exist.
For an end user sure, but it depends who your audience is. If as in this case the user is someone patching together a custom kernel for an OS it seems reasonable to expect that they either are or have access to experts.
Except that would go against what a lot of the more mainstream distros are doing. Most are SELinux (I know debian has it installed but disabled) and some are AppArmor (which is easier than SELinux/has some flaws), but if you are using grsecurity then you are either an expert or in a power-user leaning distro. That’s silly because grsecurity is the least management/config required and provides a lot of security for the ease of use. It would make more sense for the bigger distros to have grsecurity than SELinux, but SELinux is the corporate requirement in most spaces which is why it’s default in them.
The end result is that the people most likely to benefit from the ease of configuration of grsecurity (casual linux users) don’t really have access to it.
Honestly the state of embedded anything is pretty scary. I feel like it’s been more visible with embedded linux as there have just been issue after issue, mostly because it’s some large-scary-corporation taking a distro and trying to force it into the constraints of their already designed system. So much feels after the fact about the process. There was that embedded linux issue where the admin password was hardcoded on those netis routers. And from what it sounds, these companies approach trademarks/laws with the same care they approach security.