Re: AppArmor support




> ----------------------------------------
> From: Levente Polyak via arch-general <arch-general@xxxxxxxxxxxxx>
> Sent: Mon Sep 10 14:09:06 CEST 2018
> To: General Discussion about Arch Linux <arch-general@xxxxxxxxxxxxx>
> Cc: Levente Polyak <anthraxx@xxxxxxxxxxxxx>
> Subject: Re:  AppArmor support
> 
> 
> Nice to hear that you do or at least did, bear with me for
> overgeneralizing in your case.
> 
> However, the point of my whole response was that you are most
> definitively triggering/encountering the very same bug on the stock
> kernel, stock variant just tries to go ahead instead of panic, which
> means it may result in corruption and possibly killing kittens. Whatever
> is encountered there is at least a "regular regression" and possibly
> could provide surface for exploitation.
> 
> If you are not using linux-lts you are pretty much using the very same
> stable branch/tag in linux-hardened that vanilla linux uses so there is
> no "different stable kernel branch". If former is the case you can
> pretty much blame vanilla linux package to an equal amount as the
> hardened variant for being buggy.
> 
> cheers,
> Levente
> 

I think you may consider disabling CONFIG_PANIC_ON_OOPS in linux-hardened
default config. Preventing users from being able to debug and report their
issues upstream or even discouraging them from using linux-hardened at all is
quite a big cost of it. Asking users to recompile their kernels every time they want
to investigate their issues is also a little too much.

There is "oops=panic" cmdline which everyone can use and which is much more
flexible to switch between debug/non-debug mode than recompiling. I don't think
adding something to cmdline is beyond capabilities of Arch users, especially if
they're interested in security.

Yours sincerely

G. K.
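The message above argues that the boot parameter is the more flexible switch than the compile-time option. As an added illustration (not code from the thread or from the linux-hardened project), the function below resolves the effective panic-on-oops policy the same way the kernel does: an `oops=panic` token on the command line forces a panic, otherwise `CONFIG_PANIC_ON_OOPS` decides. The config snippets and command lines are constructed samples; on a real box you would feed it `/proc/cmdline` and a decompressed `/proc/config.gz`, and compare the result with `/proc/sys/kernel/panic_on_oops`.

```shell
#!/bin/sh
# Constructed samples standing in for a decompressed /proc/config.gz.
HARDENED_CONFIG='CONFIG_PANIC_ON_OOPS=y
CONFIG_PANIC_ON_OOPS_VALUE=1'
STOCK_CONFIG='# CONFIG_PANIC_ON_OOPS is not set
CONFIG_PANIC_ON_OOPS_VALUE=0'

# panic_on_oops_policy CMDLINE CONFIG_TEXT
# Prints 1 when an oops will panic the machine, 0 when the kernel will
# try to carry on. Precedence mirrors the kernel: the oops=panic boot
# parameter overrides the compile-time default; any other oops= value
# is ignored and the default from the config applies.
panic_on_oops_policy() {
    cmdline=$1
    config=$2
    for tok in $cmdline; do
        case $tok in
            oops=panic) echo 1; return 0 ;;
        esac
    done
    if printf '%s\n' "$config" | grep -q '^CONFIG_PANIC_ON_OOPS=y$'; then
        echo 1
    else
        echo 0
    fi
}

# On a live system (hypothetical usage): compare the predicted policy with
# the runtime value the kernel actually reports.
#   predicted=$(panic_on_oops_policy "$(cat /proc/cmdline)" "$(zcat /proc/config.gz)")
#   actual=$(cat /proc/sys/kernel/panic_on_oops)
#   [ "$predicted" = "$actual" ] || echo "policy mismatch: $predicted vs $actual"
```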
