> ----------------------------------------
> From: Levente Polyak via arch-general <arch-general@xxxxxxxxxxxxx>
> Sent: Mon Sep 10 14:09:06 CEST 2018
> To: General Discussion about Arch Linux <arch-general@xxxxxxxxxxxxx>
> Cc: Levente Polyak <anthraxx@xxxxxxxxxxxxx>
> Subject: Re: AppArmor support
>
>
> Nice to hear that you do or at least did, bear with me for
> overgeneralizing in your case.
>
> However, the point of my whole response was that you are most
> definitively triggering/encountering the very same bug on the stock
> kernel, stock variant just tries to go ahead instead of panic, which
> means it may result in corruption and possibly killing kittens. Whatever
> is encountered there is at least a "regular regression" and possibly
> could provide surface for exploitation.
>
> If you are not using linux-lts you are pretty much using the very same
> stable branch/tag in linux-hardened that vanilla linux uses so there is
> no "different stable kernel branch". If former is the case you can
> pretty much blame vanilla linux package to an equal amount as the
> hardened variant for being buggy.
>
> cheers,
> Levente

I think you may consider disabling CONFIG_PANIC_ON_OOPS in linux-hardened default config. Preventing users from being able to debug and report their issues upstream or even discouraging them from using linux-hardened at all is quite a big cost of it. Asking users to recompile their kernels every time they want to investigate their issues is also a little too much. There is "oops=panic" cmdline which everyone can use and which is much more flexible to switch between debug/non-debug mode than recompiling. I don't think adding something to cmdline is beyond capabilities of Arch users, especially if they're interested in security.

Yours sincerely
G. K.
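An added example, not from either message in this thread: a POSIX shell check that works out whether a kernel will panic on an oops, applying the precedence the kernel uses (the runtime sysctl kernel.panic_on_oops, then oops=panic on the command line, then the compiled-in CONFIG_PANIC_ON_OOPS default). The function names are assumed, and the live-check helper assumes /proc/config.gz is exposed (CONFIG_IKCONFIG_PROC).

```shell
# Precedence applied below (highest first):
#   1. runtime value of /proc/sys/kernel/panic_on_oops (sysctl)
#   2. "oops=panic" on the kernel command line
#   3. CONFIG_PANIC_ON_OOPS in the build config
# Inputs are plain strings so the logic can be checked offline.

# boot_panic_on_oops CONFIG_TEXT CMDLINE -> prints 1 (panic) or 0 (continue)
boot_panic_on_oops() {
    config_text=$1
    cmdline=$2
    # oops=panic on the cmdline forces a panic regardless of the build default
    for word in $cmdline; do
        if [ "$word" = "oops=panic" ]; then
            echo 1
            return 0
        fi
    done
    # otherwise the compiled-in default decides (-x: match the whole line,
    # so CONFIG_PANIC_ON_OOPS_VALUE=... does not count)
    if printf '%s\n' "$config_text" | grep -qx 'CONFIG_PANIC_ON_OOPS=y'; then
        echo 1
    else
        echo 0
    fi
}

# effective_panic_on_oops CONFIG_TEXT CMDLINE SYSCTL_VALUE -> prints 1 or 0
# SYSCTL_VALUE is empty when the runtime knob could not be read.
effective_panic_on_oops() {
    if [ -n "$3" ]; then
        # the live sysctl value is the kernel's current state and wins
        if [ "$3" != "0" ]; then echo 1; else echo 0; fi
    else
        boot_panic_on_oops "$1" "$2"
    fi
}

# Live report for a running Linux host; each source is optional.
report_live() {
    cfg=$(zcat /proc/config.gz 2>/dev/null || true)
    cmd=$(cat /proc/cmdline 2>/dev/null || true)
    sys=$(cat /proc/sys/kernel/panic_on_oops 2>/dev/null || true)
    echo "panic_on_oops effective: $(effective_panic_on_oops "$cfg" "$cmd" "$sys")"
}
```

Writing 0 or 1 to /proc/sys/kernel/panic_on_oops flips the behaviour at runtime, so a single boot can be switched between the two modes the thread argues about without a reboot or rebuild.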