dapperlinux / dapper-secure-kernel-patchset

Dapper Secure Kernel Patchset is a forward port of the final public Grsecurity patchset
GNU General Public License v2.0

Whonix Collaboration #1

Open HulaHoop0 opened 4 years ago

HulaHoop0 commented 4 years ago

Hi Matthew, I am a WhonixOS dev. We are a privacy distro like Tails, based on Debian and Tor and leverage virtualization for isolation of malicious code that can bypass the anonymous proxy. We are currently working on creating a hardened distro for baremetal use called Kicksecure which Whonix privacy packages use as a base. One of our main efforts is to create a minimal secure kernel using the code from Anthraxx's hardened-kernel and ClipOS. Would you like to join efforts and collaborate on such an initiative?

PS. Your email listed on the Dapper Linux site is no longer active.

cc/ @adrelanos

Jheengut commented 4 years ago

The project has had no updates for two years. I do not think you will get any reply soon.

Nice job BTW,...

HulaHoop0 commented 4 years ago

Do you know how I can contact the author?

On 2/21/20 3:20 PM, Jheengut Pritvi wrote:

> The project has had no updates for two years. I do not think you will get any reply soon.
>
> Nice job BTW,...


matthewruffell commented 4 years ago

Hello!

Thanks for having a look around my project. Yes, I haven't been very active on Dapper Linux for a while, but after deciding not to sink any more time into maintaining dapper-secure-kernel-patchset-stable, I kind of don't really have a distro anymore, since I don't have an up-to-date hardened kernel.

I've been thinking about getting back into kernel security again, and I was contemplating looking into upstreaming PAX_USERCOPY or something like it. It's on my large todo list of side projects.

I was talking to Kees Cook at linux.conf.au last year, and I have changed my mind from working on forks / patchsets and I really think upstreaming things is the way to go. So, if I do get back into kernel security, I would probably do it with an upstream focus.

I'm also quite busy working on Ubuntu these days, so I probably can't help you guys out too much.

But saying that, have you reached out to the SubgraphOS developers? They are pretty cool. Last time I talked to David and Bruce they were working on this very cool thing called Subgraph Citadel, which is like a read only base image that you can git update. Sort of like Fedora Silverblue I suppose.

https://github.com/subgraph/citadel

https://github.com/subgraph/citadel-tools

Like me, they were also left high and dry after grsecurity patches dried up. Although they did not switch to my dapper-secure-kernel-patchset-stable after minipli stopped doing releases when Spectre and Meltdown turned the world upside down. Maybe they did not trust me, who knows?

As for some patches, there is a portable and ready to use version of PAX_RAP, a gcc plugin that implements forward and backward edge control flow integrity sitting in the VMware Photon repo:

https://github.com/vmware/photon/blob/master/SPECS/linux/0003-Added-rap_plugin.patch

They have some other stuff too, like PAX_RANDKSTACK:

https://github.com/vmware/photon/blob/master/SPECS/linux/0002-Added-PAX_RANDKSTACK.patch

All their stuff is worth checking out:

https://github.com/vmware/photon/tree/master/SPECS/linux

Funny you should mention ClipOS. I remember when it first came out, since they were using the grsecurity 4.9 patchset. They also had a bunch of cool patches, although most of them got archived when they dropped grsecurity from their primary repo. They also never switched to using my dapper-secure-kernel-patchset-stable either, although it's easy to see why, since it's difficult to trust some random developer with something as security critical as a kernel hardening patchset.

Anyway, I haven't read much of the things they carry in their repos these days. It's probably pretty good though.

Other things you can easily put into your kernel are the GRKERNSEC_CHROOT_* features. Those patches are self contained and can be easily extracted from a grsecurity patchset. They are low risk, stable, and provide good additional hardening of chroots, although I suppose no one trusts the security of chroots these days, and we all use namespaces instead.

Other than that, try and enable all the GCC plugins, and set lockdown to confidentiality and integrity mode.

I hope all this helps. If I do start upstreaming some patches, I can always drop some patchsets here for testing.

Sorry I can't really work on your Kicksecure distro, and I wish you all the best!

Matthew
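
The advice above to enable the GCC plugins and set lockdown can be checked against a built kernel. The script below is an added example, not code from this thread or from the Dapper project; the option lists are an assumption based on upstream Kconfig symbols from the 5.4 to 5.18 era, and it treats `confidentiality` as the target mode because that mode also applies the integrity restrictions.

```shell
#!/bin/sh
# Added example (not from the thread): audit a kernel .config and lockdown state.
# Symbol names are upstream Kconfig options from the 5.4-5.18 era; newer kernels
# rename some (e.g. RANDSTRUCT), so adjust the lists to your kernel version.
GCC_PLUGIN_OPTS="CONFIG_GCC_PLUGINS CONFIG_GCC_PLUGIN_LATENT_ENTROPY
CONFIG_GCC_PLUGIN_STRUCTLEAK_BYREF_ALL CONFIG_GCC_PLUGIN_RANDSTRUCT
CONFIG_GCC_PLUGIN_STACKLEAK"
LOCKDOWN_OPTS="CONFIG_SECURITY_LOCKDOWN_LSM CONFIG_SECURITY_LOCKDOWN_LSM_EARLY"

# missing_opts CONFIG_FILE OPT...: print every option that is not built in (=y).
missing_opts() {
    cfg=$1; shift
    for opt in "$@"; do
        grep -qx "${opt}=y" "$cfg" || printf '%s\n' "$opt"
    done
}

# lockdown_mode STATUS_FILE: print the active mode, i.e. the bracketed word in
# a line such as "none [integrity] confidentiality".
lockdown_mode() {
    sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$1"
}

# audit CONFIG_FILE STATUS_FILE: report findings; return 1 if anything is weak.
audit() {
    rc=0
    # Word splitting of the option lists is intended here.
    missing=$(missing_opts "$1" $GCC_PLUGIN_OPTS $LOCKDOWN_OPTS)
    if [ -n "$missing" ]; then
        printf 'not enabled: %s\n' $missing
        rc=1
    fi
    mode=$(lockdown_mode "$2")
    if [ "$mode" != "confidentiality" ]; then
        printf 'lockdown mode is "%s", expected "confidentiality"\n' "${mode:-unknown}"
        rc=1
    fi
    return $rc
}

# Run only when a config path is given, e.g.:
#   sh audit.sh /boot/config-$(uname -r) /sys/kernel/security/lockdown
if [ $# -ge 1 ]; then
    audit "$1" "${2:-/sys/kernel/security/lockdown}"
fi
```
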

Jheengut commented 4 years ago

Wow, Kudos to you Matthew.

I am better informed of the situation now. Thanks.

madaidan commented 4 years ago

> I've been thinking about getting back into kernel security again, and I was contemplating looking into upstreaming PAX_USERCOPY or something like it.

FYI this was already upstreamed by Kees Cook.

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1eccfa090eaea22558570054bbdc147817e1df5e

> But saying that, have you reached out to the SubgraphOS developers? They are pretty cool.

Subgraph devs hate anything non-grsec and would prefer to spread FUD about them.

https://twitter.com/bleidl/status/871527499984982016