On 9/9/18 10:26 PM, Carsten Mattner via arch-general wrote:
> On 9/9/18, Gus <qty@xxxxxxxxxx> wrote:
>> Linux-hardened doesn't support hibernation and I think it's overkill to
>> use it on desktop.
>
> Not arguing in any way for or against AppArmor, just another
> data point regarding linux-hardened 4.17 and 4.18:
>
> I tried linux-hardened on two Intel machines, and it was less stable
> than "linux". Some of the changes are probably invasive/destabilising,
> which makes sense seeing how slowly and carefully the mitigations are
> traveling via Kees Cook into Linus' tree. I didn't have stability
> issues with the old linux-grsec packages, though to be fair those
> were also way older major releases which may matter.
>

It is quite definitively equally stable as vanilla linux is; there is no crazy overly invasive stuff in hardened that would justify claiming otherwise.

What you most likely encountered, like literally all other "instability" issues so far, is that with your setup you triggered a stock vanilla linux bug, with the difference that hardened immediately shuts itself down for security reasons. These bugs are corruption and integrity related, and shutting down follows "better safe than sorry" for the hardened variant. There are various kernel configs doing so, to name some: CONFIG_BUG_ON_DATA_CORRUPTION, CONFIG_DEBUG_LIST, CONFIG_DEBUG_SG and lots more, including slab sanitizing/verifying, specifically in combination with CONFIG_PANIC_ON_OOPS.

Just a crazy idea, but how about contributing back instead of just complaining? People on the bug tracker always help guiding how to report upstream or finding relevant commits.
Yeah, I know it takes a while to compile, but it's not that complicated:

- take a look at the panic in hardened
- peek at the code around it to find out which of the protective config values may have triggered it (if not already obvious from the panic)
- reproduce on the stock/vanilla kernel by building it including the responsible configs
- report upstream using the gathered information from the vanilla kernel
- bonus points for git bisecting the commit that broke it

This would not only contribute to making hardened run on your or similar setups; all vanilla linux users would benefit from helping to fix a bug that can or does result in a corruption.

cheers,
Levente
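A helper for the "reproduce on vanilla with the responsible configs" step in the message above, added here as an example and not part of the thread: it compares a hardened and a vanilla .config, lists which of the integrity-check options the mail names are missing on the vanilla side, and enables them there. The two config excerpts are constructed samples and the function names are my own; on a live system the running config comes from zcat /proc/config.gz.

```shell
#!/bin/sh
# Added example. Two constructed .config excerpts stand in for the hardened
# and vanilla kernel configs (on a live system: zcat /proc/config.gz).
HARDENED_CFG=$(mktemp) && VANILLA_CFG=$(mktemp)
cat >"$HARDENED_CFG" <<'EOF'
CONFIG_BUG_ON_DATA_CORRUPTION=y
CONFIG_DEBUG_LIST=y
CONFIG_DEBUG_SG=y
CONFIG_PANIC_ON_OOPS=y
CONFIG_EXAMPLE_DRIVER=m
EOF
cat >"$VANILLA_CFG" <<'EOF'
# CONFIG_BUG_ON_DATA_CORRUPTION is not set
# CONFIG_DEBUG_LIST is not set
CONFIG_DEBUG_SG=y
# CONFIG_PANIC_ON_OOPS is not set
CONFIG_EXAMPLE_DRIVER=m
EOF

# The integrity-check options named in the mail: these turn a silent
# corruption into an immediate panic, which is the behaviour to reproduce.
CHECK_OPTS="CONFIG_BUG_ON_DATA_CORRUPTION CONFIG_DEBUG_LIST CONFIG_DEBUG_SG CONFIG_PANIC_ON_OOPS"

# List the options from CHECK_OPTS that are =y in the hardened config ($1)
# but not =y in the vanilla config ($2), one per line.
missing_in_vanilla() {
    for opt in $CHECK_OPTS; do
        if grep -qx "$opt=y" "$1" && ! grep -qx "$opt=y" "$2"; then
            printf '%s\n' "$opt"
        fi
    done
}

# Enable every missing option in the vanilla config ($2): flip a
# "# X is not set" line or an X=n/X=m line to X=y, or append X=y if absent.
# Unrelated options (e.g. CONFIG_EXAMPLE_DRIVER) are left untouched.
carry_over() {
    for opt in $(missing_in_vanilla "$1" "$2"); do
        if grep -q -e "^# $opt is not set\$" -e "^$opt=" "$2"; then
            sed -e "s/^# $opt is not set\$/$opt=y/" -e "s/^$opt=.*/$opt=y/" \
                "$2" >"$2.tmp" && mv "$2.tmp" "$2"
        else
            printf '%s=y\n' "$opt" >>"$2"
        fi
    done
}

# Stand-alone run: show which integrity options the vanilla config lacks.
missing_in_vanilla "$HARDENED_CFG" "$VANILLA_CFG"
```

Run carry_over "$HARDENED_CFG" "$VANILLA_CFG" on the real vanilla .config before make olddefconfig so the rebuilt kernel panics on the same corruption hardened does, which is what makes the upstream report reproducible.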