
Security things in Linux v4.8 - mynameislegion
https://outflux.net/blog/archives/2016/10/04/security-things-in-linux-v4-8/
======
AstralStorm
Now if only more of the RT patch landed in mainline, I couldn't be happier.

~~~
Aissen
I'm curious. What do you need/are you using in the RT patch that isn't
mainline?

------
0xmohit

      Now there is no (expected) way to bypass seccomp filters, and
      containers with seccomp filters can allow ptrace again.

~~~
AstralStorm
*until proven otherwise

------
micaksica
I'm curious what "PaX Team" thinks of this.

~~~
nullc
With the accessibility of these patches in the few distros that support them
falling further and further behind-- they're becoming increasingly
theoretical, and less interesting to hear commentary from.

E.g. https://packages.gentoo.org/packages/sys-kernel/hardened-sources

~~~
creshal
What does their inability to fund continued development have to do with their
security competence?

~~~
mynameislegion
There is no relationship between the two.

~~~
nullc
Sadly, it isn't so-- the further from the vulgarities of production the
patches are the less realistic the experience gained from working with them.

I can tell you how to make a perfectly secure computer: grind it down and
launch it into the sun.

Part of the rest of the kernel community's complaints about many of these
changes is that they aren't sufficiently pragmatic for widescale use or long
term maintenance.

~~~
contingencies
PaX is a patch-set, that's fine. People who care enough about low level
security can apply it. The market for 'we care about security' is very large.
Unfortunately, it still doesn't intersect with 'popular', and at that level
one kernel team may be deploying to millions of machines. The mainline kernel
(as well as other OS kernels) have drawn features explored through PaX and its
predecessors slowly over time, and will likely continue to do so. Writing off
PaX as increasingly irrelevant because you personally can't configure it with
a button-click on your distro-of-choice simply reflects a profound ignorance
of the longer term technical and social environment in which it is developed.

~~~
grubles
It's becoming irrelevant possibly because you have to pay for stable patches
now:

"Grsecurity stable patch downloads are available to customers only."

edit: that's for grsec only, not PaX + grsec.

