* Backporting stacked security patch
From: Lev Olshvang @ 2018-10-30 11:43 UTC
  To: kernelnewbies

Hi All,

A week ago I asked the list about the kernel 4.2 stacked security patch location, but
Greg strongly advised me against it, without going into details.
I highly appreciate Greg's advice, and I know he is a very busy person.
Unfortunately I do not have the option to upgrade the kernel, and I am asking again:
- what are the major challenges of such a backport?
Has kernel security changed so much between 3.18 and 4.2?

The link is https://kernelnewbies.org/Linux_4.2#Stacking_of_security_modules

Regards, Lev


* Backporting stacked security patch
From: Greg KH @ 2018-10-30 14:33 UTC
  To: kernelnewbies

On Tue, Oct 30, 2018 at 02:43:12PM +0300, Lev Olshvang wrote:
> Hi All,
> 
> A week ago I asked the list about the kernel 4.2 stacked security patch location, but
> Greg strongly advised me against it, without going into details.
> I highly appreciate Greg's advice, and I know he is a very busy person.
> Unfortunately I do not have the option to upgrade the kernel, and I am asking again:
> - what are the major challenges of such a backport?
> Has kernel security changed so much between 3.18 and 4.2?

$ git log --no-merges v3.18..v4.2 | grep "^commit "  | wc -l
48573

That's over 48 thousand changes between those kernels.  That's a
non-trivial thing to review and backport only parts of it.

And if you were to backport only parts of it, then you would be dealing
with a kernel that only you can support, not the company/vendor that is
forcing you to stick with 3.18.  Why not ask them to do this work for
you as they are the ones you are paying for this type of work already?

Also, why 3.18?  That's a very old and obsolete kernel already, never
use that for any new type of device, you are guaranteed to have problems
with it as I'll probably stop doing security updates for it any week
now...

good luck!

greg k-h


* Backporting stacked security patch
From: Lev Olshvang @ 2018-10-30 18:19 UTC
  To: kernelnewbies

Hi Greg,

Thanks for a reply.

While the diff between the two kernels is indeed tremendous, the commits which were done in the security subsystem do not look too big.
There are 7 commits, and 2 of them are about comments and one about file deletion.

I see that in 4.1 Smack was changed (a couple of commits), about 12 commits in
SELinux and Smack were changed in 4.0, and in 3.19 only IMA was changed.

So the job is to apply a very limited number of commits, and the commits of 4.1 or 4.0 are not important for me because I am interested only in AppArmor
stacking.

Perhaps I am overlooking some basic issue?


As I stated, I have no option to come to the customer and ask to upgrade his kernel, but I will try to draw his attention to the cessation of security updates you mentioned.

Best Regards
Lev

30.10.2018, 17:32, "Greg KH" <greg@kroah.com>:
> On Tue, Oct 30, 2018 at 02:43:12PM +0300, Lev Olshvang wrote:
>> Hi All,
>>
>> A week ago I asked the list about the kernel 4.2 stacked security patch location, but
>> Greg strongly advised me against it, without going into details.
>> I highly appreciate Greg's advice, and I know he is a very busy person.
>> Unfortunately I do not have the option to upgrade the kernel, and I am asking again:
>> - what are the major challenges of such a backport?
>> Has kernel security changed so much between 3.18 and 4.2?
>
> $ git log --no-merges v3.18..v4.2 | grep "^commit " | wc -l
> 48573
>
> That's over 48 thousand changes between those kernels. That's a
> non-trivial thing to review and backport only parts of it.
>
> And if you were to backport only parts of it, then you would be dealing
> with a kernel that only you can support, not the company/vendor that is
> forcing you to stick with 3.18. Why not ask them to do this work for
> you as they are the ones you are paying for this type of work already?
>
> Also, why 3.18? That's a very old and obsolete kernel already, never
> use that for any new type of device, you are guaranteed to have problems
> with it as I'll probably stop doing security updates for it any week
> now...
>
> good luck!
>
> greg k-h


* Backporting stacked security patch
From: valdis.kletnieks at vt.edu @ 2018-10-30 21:17 UTC
  To: kernelnewbies

On Tue, 30 Oct 2018 21:19:08 +0300, Lev Olshvang said:
> As I stated, I have no option to come to the customer and ask to upgrade his
> kernel, but I will try to draw his attention to the cessation of security
> updates you mentioned.

If you can't get him to upgrade the installed kernel, it's not worth your effort
to backport patches.  And just updating the patches to the 4.2 level doesn't
do your customer any favors, as there's been a lot of security patches
between 4.2 and 4.19.

And many of the important ones do *NOT* apply to the security/ branch of
the tree - it's stuff like the Spectre fixes that show up elsewhere in the tree,
networking fixes that resolve "packet of death" issues, and so on.
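
Added example (an editor's addition, not code posted by any participant in this thread): a POSIX shell script that does the survey Greg's one-liner and Lev's per-subsystem count gesture at, plus the check Valdis's point calls for. count_commits scopes Greg's commit count to a path such as security/, list_commits shows what those commits are, and commits_with_outside_deps lists the commits under that path that also touch files outside it, which is exactly the cross-tree change a subsystem-only backport would have to carry along. It assumes only that git is installed; against a real tree it is used as `count_commits /path/to/linux v3.18 v4.2 security/`. The demo repository it builds is constructed data with invented commit subjects and file names, not kernel history, so the numbers it prints say nothing about the real 3.18..4.2 range.

```shell
#!/bin/sh
# Added example for this thread, not code from any participant.
# Assumes only that git is installed. The demo repository built by
# make_demo_repo is constructed data (invented subjects and paths),
# not kernel history.
set -eu

# Number of non-merge commits in from..to that touch path (default: whole tree).
count_commits() {  # repo from to [path]
    repo=$1; from=$2; to=$3; path=${4:-.}
    git -C "$repo" rev-list --no-merges --count "$from..$to" -- "$path"
}

# One-line summary of each non-merge commit in from..to that touches path.
list_commits() {  # repo from to path
    repo=$1; from=$2; to=$3; path=$4
    git -C "$repo" log --no-merges --format='%h %s' "$from..$to" -- "$path"
}

# Commits in from..to that touch path AND at least one file outside it.
# Each one is a cross-tree dependency that a backport of the subsystem
# directory alone would silently miss.
commits_with_outside_deps() {  # repo from to path
    repo=$1; from=$2; to=$3; path=$4
    git -C "$repo" rev-list --no-merges "$from..$to" -- "$path" |
    while read -r c; do
        if git -C "$repo" diff-tree --no-commit-id --name-only -r "$c" |
           grep -qv "^$path"; then
            echo "$c"
        fi
    done
}

# --- constructed demo repository (invented history, for illustration) ----

demo_commit() {  # repo message file...
    repo=$1; msg=$2; shift 2
    for f in "$@"; do
        mkdir -p "$repo/$(dirname "$f")"
        echo "$msg" >> "$repo/$f"
    done
    git -C "$repo" add -A
    git -C "$repo" commit -q -m "$msg"
}

make_demo_repo() {  # dir
    repo=$1
    rm -rf "$repo"; mkdir -p "$repo"
    git -C "$repo" init -q
    export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.com
    export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.com
    demo_commit "$repo" "base tree" security/apparmor/lsm.c net/core/dev.c include/linux/lsm_hooks.h
    git -C "$repo" tag v3.18
    # Three invented commits after v3.18: one confined to security/, one that
    # touches security/ and a header outside it, one in net/ only.
    demo_commit "$repo" "apparmor: prep for stacking" security/apparmor/lsm.c
    demo_commit "$repo" "LSM: stacking infrastructure" security/security.c include/linux/lsm_hooks.h
    demo_commit "$repo" "net: fix malformed packet handling" net/core/dev.c
    git -C "$repo" tag v4.2
}

demo=$(mktemp -d)
make_demo_repo "$demo"
echo "all non-merge commits v3.18..v4.2: $(count_commits "$demo" v3.18 v4.2)"
echo "of which touching security/:       $(count_commits "$demo" v3.18 v4.2 security/)"
list_commits "$demo" v3.18 v4.2 security/
echo "security/ commits that also touch files outside security/:"
commits_with_outside_deps "$demo" v3.18 v4.2 security/
rm -rf "$demo"
```

On the constructed repository this reports 3 commits in the range, 2 of them under security/, and flags 1 of those 2 as also touching include/linux/lsm_hooks.h; the net/ fix never shows up in a security/-scoped count at all, which is the gap Valdis describes. Pointed at a real kernel checkout, the same functions give the per-directory counts Lev cites and the list of commits whose footprint leaves the subsystem.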


* Backporting stacked security patch
From: Greg KH @ 2018-10-31  6:50 UTC
  To: kernelnewbies

On Tue, Oct 30, 2018 at 09:19:08PM +0300, Lev Olshvang wrote:
> Hi Greg,
> 
> Thanks for a reply.
> 
> While the diff between the two kernels is indeed tremendous, the commits which were done in the security subsystem do not look too big.
> There are 7 commits, and 2 of them are about comments and one about file deletion.

Try them and see!  :)

> I see that in 4.1 Smack was changed (a couple of commits), about 12 commits in
> SELinux and Smack were changed in 4.0, and in 3.19 only IMA was changed.
> 
> So the job is to apply a very limited number of commits, and the commits of 4.1 or 4.0 are not important for me because I am interested only in AppArmor
> stacking.
> 
> Perhaps I am overlooking some basic issue?

Why are you "allowed" to change a core part of how the kernel works, but
not able to update to a newer kernel version?  What keeps people from
being even more worried about that?  The fact that a number does not
change?

Realize that what you are attempting to do is create a kernel that no
one else has ever tested or run before, so it is only up to you to get
everything correct.  And it is up to you to support that beast on your
own, good luck!  :)

greg k-h
