# Why is hardened-sources still at 2.6.29?

## wilburpan

I've been working on converting my Gentoo-based home file server into a hardened box. The question that I have is that hardened-sources seems to be a main component of a hardened box. But hardened-sources is still at 2.6.29, while the kernel is up to 2.6.32, and according to the changelog, no updates have been done since late May 2009, which is 8 months ago.

At least some of the changes in the newer versions of the kernel between 2.6.29 and now are security fixes, so it seems to me that it kind of defeats the purpose of having a hardened-sources kernel if it won't include 8 months' worth of security updates from the main kernel tree.

Am I missing something?

----------

## mv

I was also wondering about this for months. Sure, there is some overlay with newer versions (and you can also patch grsecurity manually, as I suggested in some thread here a while ago), but why does this not happen in the gentoo tree? If it is because it is assumed to be potentially unstable: that's what testing keywords and masks are for, aren't they?

IMHO this shows the unhealthy tendency seen for several projects that the working versions are only available in an overlay while the normal gentoo user is left with rotten packages in the tree which are sometimes even known to be broken...

I understand the overlay policy for things which require managing/modifying a large number of ebuilds simultaneously (kde or perl are such examples) before they can finally go into the tree, but for things like hardened-sources, I do not see a reason why there should ever be a version in an overlay and not in the tree (at least masked with a corresponding comment if it is not checked yet for security issues).

*wilburpan wrote:*

> At least some of the changes in the newer versions of the kernel between 2.6.29 and now are security fixes

Can you name such an issue? (I.e. are you sure that it really involves 2.6.29 and not something introduced later? I also suspect such things but was so far too lazy to check.)

If you know some, I strongly suggest that you file a corresponding bug: IMHO it would be better to remove hardened-sources from the tree if it is effectively unmaintained than to let a user run into a version with known security issues.

----------

## wilburpan

Basically, you can scan the changelogs for examples, or look at www.linuxsecurity.com for items talking about updating kernel packages that fix security issues.  But here's a quick example that I found:

From ChangeLog-2.6.32:

```
commit 29e553631b2a0d4eebd23db630572e1027a9967a
Merge: ed9fd93 827d42c
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Mon Nov 30 16:47:16 2009 -0800

    Merge branch 'security' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-2.6

    * 'security' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-2.6:
      mac80211: fix spurious delBA handling
      mac80211: fix two remote exploits
```

----------

## cach0rr0

*wilburpan wrote:*

> At least some of the changes in the newer versions of the kernel between 2.6.29 and now are security fixes, so it seems to me that it kind of defeats the purpose of having a hardened-sources kernel if it won't include 8 months' worth of security updates from the main kernel tree.
>
> Am I missing something?

That assumes the hardened branch contains the same flaws found in mainline 2.6.29 or 2.6.30 and so forth even after applying the patches.

2.6.29-hardened is very, very stable, and as of yet there are no known vulnerabilities that I'm aware of.

Many of the vulnerabilities I assume you're referring to are ones that weren't introduced *until* 2.6.30, and do not affect 2.6.29 even without the hardened patches. There have been a number of vulns for >2.6.30 that did not affect 2.6.29. Of the ones that I'm aware of where mainline 2.6.29 is affected, hardened-sources is still not affected.

Go snag this, test your system out, and confirm:

http://www.grsecurity.net/~spender/enlightenment.tgz

You're probably speaking of the vulns demonstrated here: http://www.youtube.com/user/spendergrsec

To my knowledge none of these affect the current hardened-sources kernel (if the tests on spender's page are correct, my hardened-sources kernel is not vulnerable).

Now having said that, it looks as though there were a chunk of grsec patches published for 2.6.32, so at some point I would expect the hardened team to include and release an update accordingly, but for the time being I am not overly concerned.

It should be pointed out as well that you don't need to increment versions to patch a flaw; you can readily include a patch from, say, a .33 release even if you're on a .31 release (in some cases of course; I know this is done, don't know the mitigating factors, and put my trust in the kernel maintainers). I know zen, for example, might include the latest BTRFS patchsets even though they're only at 2.6.32-zen7 (last I checked).

ANYWAY... I'm not too worried, .29 is very stable, very secure, and I have no compelling reason to move to a later release even though I think we can expect one before too long.

----------

## mv

*cach0rr0 wrote:*

> Now having said that, it looks as though there were a chunk of grsec patches published for 2.6.32, so at some point I would expect the hardened team to include and release an update accordingly

Not only for 2.6.32: grsecurity development was continuously going on, and also the hardened-sources in the overlay were continuously upgraded. That's why I cannot understand why this does not happen in the Gentoo tree as it used to.

*Quote:*

> you don't need to increment versions to patch a flaw, as well you can readily include a patch from say, a .33 release, even if you're on a .31 release

IMHO a regular gentoo user should not have to worry about patching flaws himself. If this should be necessary, hardened-sources should better be removed from the gentoo tree altogether, or at least there should be a clear warning that one has to expect security issues with them as nobody will care about them. (But to avoid a misunderstanding: I am not saying that this is the case; I just did not follow all security issues and check whether they apply to 2.6.29; I am not involved in kernel development and do not want to be just to have a secure system...). However, 8 months without any known issues appears an unlikely long period to me.

*Quote:*

> I know zen, for example, might include the latest BTRFS patchsets even though they're only at 2.6.32-zen7 (last I checked)

But you are aware that zen-sources are maintained by a group of developers who spend a lot of time on it? This is for reasons like these: patches will only in rare cases apply without conflicts, and especially if you are interested in security (or also stability) it is not sufficient to resolve the conflicts; you really have to verify possible side effects. I would not do it without absolute need.

*Quote:*

> even though I think we can expect one before too long.

After 8 months of activity exclusively in the overlay (which IMHO could all have happened in the main tree by masking and giving the reasons for masking if there really were some), I would not expect that there are any intentions to change this.

----------

## cach0rr0

*mv wrote:*

> IMHO a regular gentoo user should not have to worry about patching flaws himself. If this should be necessary, hardened-sources should better be removed from the gentoo tree altogether, or at least there should be a clear warning that one has to expect security issues with them as nobody will care about them. (But to avoid a misunderstanding: I am not saying that this is the case; I just did not follow all security issues and check whether they apply to 2.6.29; I am not involved in kernel development and do not want to be just to have a secure system...). However, 8 months without any known issues appears an unlikely long period to me.

I'm not suggesting anyone patch the flaws themselves. When I say "you" I'm using the impersonal form, and in saying "you can" I am simply saying it is possible, not suggesting he/she go through the trouble of manually applying patches.

I'm not totally vigilant on keeping up to date with the latest vulns, but I like to think I'm reasonably informed - and I've not seen any issues that would affect the 2.6.29-hardened kernel. 

*Quote:*

> But you are aware that zen-sources are maintained by a group of developers who spend a lot of time on it? This is for reasons like these: patches will only in rare cases apply without conflicts, and especially if you are interested in security (or also stability) it is not sufficient to resolve the conflicts; you really have to verify possible side effects. I would not do it without absolute need.

Yes, I am aware. This is why I said that I'm not comfortable doing it myself, and that I'm putting my trust in the maintainers to do so for me (and the zen guys especially are pretty fucking amazing at looking out for us!).

*Quote:*

> After 8 months of activity exclusively in the overlay (which IMHO could all have happened in the main tree by masking and giving the reasons for masking if there really were some), I would not expect that there are any intentions to change this.

I would agree that maybe it should be moved to the main tree and masked. It is absolutely worth bringing up on perhaps bugzilla (or tacking on to one of the existing revbump bugs), but after my last submission was spit back in my face and reverted despite one dev signing off on it and multiple users agreeing, only to have the reversion pushed out immediately with no further discussion, I have a bitter taste in my mouth and am steering well clear... and well, here we are, I'm whining and throwing a tantrum still.

My main aim in the post is to reassure the OP that the current hardened-sources build, to my knowledge, is not affected by any of the nasty vulns that came out for mainline >=2.6.30. Only one that I saw would have affected .29, but even that only affected mainline, not hardened-sources patched.

----------

## meyerm

*mv wrote:*

> Not only for 2.6.32: grsecurity development was continuously going on, and also the hardened-sources in the overlay were continuously upgraded.

Just a little semi-on-topic hint: grsecurity agreed to maintain 2.6.32 longer than normal due to the common sense on using this kernel as a stable base for several years in enterprise distributions. Doesn't help much with your problem, but I thought it's interesting nonetheless!

----------

## wilburpan

*mv wrote:*

> After 8 months of activity exclusively in the overlay (which IMHO could all have happened in the main tree by masking and giving the reasons for masking if there really were some), I would not expect that there are any intentions to change this.

This may be the real underlying issue. I really don't mess around with overlays except on occasion when a new version of Gnome rolls out. If I see masked packages coming into the portage tree, that tells me that development and maintenance is still going on. If all that work is being done in an overlay, it becomes invisible to the average gentoo user.

I didn't even realize that there was a hardened overlay until this week. The overlay isn't mentioned in the hardened documentation at all. It seems to me that the overlay should at least be listed in the resources section of the hardened project webpage. Now, I know that I could add the hardened overlay to my system to keep up. But it sort of begs the question: why are there overlays AND masked packages?

----------

## zorry

The main problem for hardened is lack of time and manpower for now.

We are working to change that.

----------

