Discussion:
Backporting stacked security patch
Lev Olshvang
2018-10-30 11:43:12 UTC
Permalink
Hi All,

I week ago I asked the list about kernel 4.2 stacked security patch location , but
Greg strongly advised me against, without going into details.
I highly appreciate Greg advice, and I know he is a very busy person.
Unfortunately I do not have a choice to upgrade kernel, and I am asking again :
- what are major challenges of a such backport ?
Does kernel security changed so much between 3.18 and 4.2 ?

The link is https://kernelnewbies.org/Linux_4.2#Stacking_of_security_modules

Regards, Lev
Greg KH
2018-10-30 14:33:12 UTC
Permalink
Post by Lev Olshvang
Hi All,
I week ago I asked the list about kernel 4.2 stacked security patch location , but
Greg strongly advised me against, without going into details.
I highly appreciate Greg advice, and I know he is a very busy person.
- what are major challenges of a such backport ?
Does kernel security changed so much between 3.18 and 4.2 ?
$ git log --no-merges v3.18..v4.2 | grep "^commit " | wc -l
48573

That's over 48 thousand changes between those kernels. That's a
non-trivial thing to review and backport only parts of it.

And if you were to backport only parts of it, then you would be dealing
with a kernel that only you can support, not the company/vendor that is
forcing you to stick with 3.18. Why not ask them to do this work for
you as they are the ones you are paying for this type of work already?

Also, why 3.18? That's a very old and obsolete kernel already, never
use that for any new type of device, you are guaranteed to have problems
with it as I'll probably stop doing security updates for it any week
now...

good luck!

greg k-h
Lev Olshvang
2018-10-30 18:19:08 UTC
Permalink
Hi Greg,

Thanks for a reply.

While diff between two kernels is indeed tremendous, the commits which were done in security subsystem do not look too bid,.
There are 7 commits, and 2 of them is about comments and one about file deletion.

I see that in 4.1 Smack was changed (couple of commits) and about 12 commits in
SeLinux and Smack that we were changed in 4.0, and in 3.19 only IMA was changed.

So the job is to apply very limited number of commits, and commits of 4.1 or 4.0 are not important for me because I am interested only in Apparmor
stacking

Perhaps I am overlooking some basic issue ?


As I stated, I have no option to come to customer and ask to upgrade his kernel, but I will try to put his attention to mentioned by you cease of security updates.

Best Regards
Lev
 Hi All,
 I week ago I asked the list about kernel 4.2 stacked security patch location , but
 Greg strongly advised me against, without going into details.
 I highly appreciate Greg advice, and I know he is a very busy person.
 - what are major challenges of a such backport ?
 Does kernel security changed so much between 3.18 and 4.2 ?
$ git log --no-merges v3.18..v4.2 | grep "^commit " | wc -l
48573
That's over 48 thousand changes between those kernels. That's a
non-trivial thing to review and backport only parts of it.
And if you were to backport only parts of it, then you would be dealing
with a kernel that only you can support, not the company/vendor that is
forcing you to stick with 3.18. Why not ask them to do this work for
you as they are the ones you are paying for this type of work already?
Also, why 3.18? That's a very old and obsolete kernel already, never
use that for any new type of device, you are guaranteed to have problems
with it as I'll probably stop doing security updates for it any week
now...
good luck!
greg k-h
v***@vt.edu
2018-10-30 21:17:45 UTC
Permalink
Post by Lev Olshvang
As I stated, I have no option to come to customer and ask to upgrade his
kernel, but I will try to put his attention to mentioned by you cease of
security updates.
If you can't get him to upgrade the installed kernel, it's not worth your effort
to backport patches. And just updating the patches to the 4.2 level doesn't
do your customer any favors, as there's been a lot of security patches
between 4.2 and 4.19.

And many of the important ones do *NOT* apply to the security/ branch of
the tree - it's stuff like the Spectre fixes that show up elsewhere in the tree,
networking fixes that resolve "packet of death" issues, and so on.
Greg KH
2018-10-31 06:50:39 UTC
Permalink
Post by Lev Olshvang
Hi Greg,
Thanks for a reply.
While diff between two kernels is indeed tremendous, the commits which were done in security subsystem do not look too bid,.
There are 7 commits, and 2 of them is about comments and one about file deletion.
Try them and see! :)
Post by Lev Olshvang
I see that in 4.1 Smack was changed (couple of commits) and about 12 commits in
SeLinux and Smack that we were changed in 4.0, and in 3.19 only IMA was changed.
So the job is to apply very limited number of commits, and commits of 4.1 or 4.0 are not important for me because I am interested only in Apparmor
stacking
Perhaps I am overlooking some basic issue ?
Why are you "allowed" to change a core part of how the kernel works, but
not able to update to a newer kernel version? What keeps people from
being even more worried about that? The fact that a number does not
change?

Realize that what you are attempting to do is create a kernel that no
one else has ever tested or run before, so it is only up to you to get
everything correct. And it is up to you to support that beast on your
own, good luck! :)

greg k-h

Continue reading on narkive:
Loading...