All of lore.kernel.org
 help / color / mirror / Atom feed
From: Daniel Micay <danielmicay@gmail.com>
To: Rik van Riel <riel@redhat.com>, Shawn <citypw@gmail.com>,
	Kees Cook <keescook@chromium.org>
Cc: "Mathias Krause" <minipli@googlemail.com>,
	"Daniel Cegiełka" <daniel.cegielka@gmail.com>,
	"kernel-hardening@lists.openwall.com"
	<kernel-hardening@lists.openwall.com>
Subject: Re: [kernel-hardening] It looks like there will be no more public versions of PaX and Grsec.
Date: Wed, 03 May 2017 15:36:41 -0400	[thread overview]
Message-ID: <1493840201.2133.3.camel@gmail.com> (raw)
In-Reply-To: <1493837804.20270.10.camel@redhat.com>

[-- Attachment #1: Type: text/plain, Size: 2029 bytes --]

On Wed, 2017-05-03 at 14:56 -0400, Rik van Riel wrote:
> On Wed, 2017-05-03 at 12:50 +0800, Shawn wrote:
> 
> > The fragmentation of Android eco-system may be inevitable. The whole
> > chains is too long from ASOP/BSP/Vendors and it affect the security
> > fix being delivered to the end user. According to my own statistic
> > from my customers, there will be more than 7 millions of Android
> > phone
> > will be using some features of PaX/Grsec this year.
> 
> That is great news. I am glad to hear the hardening features
> are being used on that many phones.
> 
> Of course, given the fragmentation of the eco-system, the
> only thing that can get the hardening on all of the (new)
> phones in the future will be getting the hardening features
> into the upstream kernel.

Just worth noting that the upstream in this case almost always includes
the Android common kernel. There's still some baseline out-of-tree
Android code, although there's much less than there used to be so the
vast majority of the code these days is SoC vendor code needed by a non-
Android Linux distribution on those devices too.

That's forked into the SoC vendor kernels and then the device kernels if
applicable (some are device-specific, but some vendors like Sony have
moved to having a shared kernel and the Pixel / Pixel XL share a kernel
since they're basically the same thing). Google can also verify that
hardening is present via the Compatibility Test Suite if it can be
detected from an unprivileged userspace app. Hopefully they'll turn
passing their new privileged vts test suite into a requirement too so
they can test for kernel self protection features.

For example, Android devices are required to have perf_event_paranoid=3
even though it was rejected upstream for the time being. If a clearly
useful change is rejected, that doesn't mean Google won't add it to
their common kernel which will then propagate at least to new devices
from other vendors and their own first-party released devices.

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 866 bytes --]

  reply	other threads:[~2017-05-03 19:36 UTC|newest]

Thread overview: 35+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-04-26 21:05 [kernel-hardening] It looks like there will be no more public versions of PaX and Grsec Daniel Cegiełka
2017-04-26 22:04 ` Kees Cook
2017-05-01 22:01   ` Mathias Krause
2017-05-02  0:09     ` Rik van Riel
2017-05-02 14:46       ` Shawn
2017-05-02 18:55         ` Kees Cook
2017-05-03  4:50           ` Shawn
2017-05-03 18:56             ` Rik van Riel
2017-05-03 19:36               ` Daniel Micay [this message]
2017-05-04  5:45             ` Kees Cook
2017-05-04  6:47               ` Lionel Debroux
2017-05-05 19:54                 ` Kees Cook
2017-05-04 14:11               ` Shawn
2017-05-04 16:03                 ` Greg KH
2017-05-04 17:12                   ` Shawn
2017-05-04 17:23                     ` Greg KH
2017-05-02 21:16       ` Mathias Krause
2017-05-02 21:50         ` Casey Schaufler
2017-05-02 22:57         ` Kees Cook
2017-05-03 19:02         ` Rik van Riel
2017-05-03 19:27           ` Daniel Micay
2017-05-02  0:39     ` Olof Johansson
2017-05-02  0:44     ` Casey Schaufler
2017-05-02  0:54     ` Kees Cook
2017-05-11  1:24       ` PaX Team
2017-05-11 16:30         ` Daniel Micay
2017-05-11 18:02         ` Kees Cook
2017-05-12 11:34           ` Hunger
2017-07-31 13:38         ` Solar Designer
2017-05-02 11:11     ` David Gens
2017-05-02 21:27       ` Mathias Krause
2017-05-03  8:59         ` David Gens
2017-05-03 19:10           ` Rik van Riel
     [not found] <1788778362.1495506.1493751985632.ref@mail.yahoo.com>
2017-05-02 19:06 ` Lionel Debroux
2017-05-02 22:35   ` Kees Cook

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1493840201.2133.3.camel@gmail.com \
    --to=danielmicay@gmail.com \
    --cc=citypw@gmail.com \
    --cc=daniel.cegielka@gmail.com \
    --cc=keescook@chromium.org \
    --cc=kernel-hardening@lists.openwall.com \
    --cc=minipli@googlemail.com \
    --cc=riel@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.