Future of GRSecurity in Alpine?

3 posts / 0 new
Last post
#1 Thu, 2017-05-18 06:46
  • dnx's picture
  • Offline
  • Last seen: 9 months 1 week ago
  • Joined: 2017-05-18

With the end of public grsecurity patches (https://grsecurity.net/passing_the_baton_faq.php) what is the future looking like for grsec/pax in Alpine? I had a search but couldn't find anything definite - some mention of a fork maybe? Is Alpine's grsec implementation already a fork?

I'd love to know more about this, any helpful link or info greatly appreciated.


Tue, 2017-10-03 16:37
  • ReproducibleBuildsAreAGoodStandard's picture
  • Offline
  • Last seen: 2 weeks 3 days ago
  • Joined: 2017-05-05

An unofficial grsecurity fork is being used, and the kernel has a label called 'hardened' instead of 'grsecurity'.

See the 'Secure' paragraph in Alpine's about page or this video passage.

Tue, 2018-01-16 02:43
  • templar's picture
  • Offline
  • Last seen: 1 month 1 week ago
  • Joined: 2018-01-13

This was on the mailing list Wed, 10 Jan 2018:

"We are still working out the specifics of how to handle
linux-hardened, but current research indicates that changes to PaX
will be required to do the same style of mitigation. As we are
incapable of doing these changes ourselves at this time, we are
planning to migrate linux-hardened users to linux-vanilla in a future
update. We are presently working out the exact plans to do this, as
well as to introduce missing modules and kernel variants (-virt kernel
profile) that are missing in linux-vanilla.

Once linux-vanilla is at feature parity (in terms of modules and
kernel variants offered) we will do this transition in edge. After
the transition plan is proven stable in edge, we will push it to the
supported releases.

A common question is whether or not we will be keeping the
linux-hardened and linux-grsec packages themselves around in the
release branches. At present we have not made this conclusion. The
reality, however, is that backporting security fixes to the hardened
kernel is now a lot more difficult due to the introduction of KAISER
as a mitigation in the LTS branches, so most likely we will drop it
since we feel it would be irresponsible to carry a package that has
known vulnerabilities while also claiming it has enhanced security


Log in or register to post comments