How to panic a current grsecurity kernel as any user

Muh security
Muh hardened

archive.is/slO76
archive.is/HkuTd

grsecurity also closed his twitter, not before blocking every single person who favorited or RT'd the exploit. What do you think Holla Forums?


These people are worse than audiophile retards because they go out and cause actual damage.

Was filed as a bug and fixed properly by someone else.

But yes, grsecurity guys are autistic fucks. I still use and like their patchset though.

spender is an autistic chucklefuck, news at 11

This is why we can't have nice things

new blog post yesterday if you missed it
forums.grsecurity.net/viewtopic.php?f=7&t=4463

is this autism enough to stop you using grsec?

you can tell they're professional security hackers because they're so insecure

What lolcows

Also, didn't they cause some weird-ass drama over the GPL or some shit like last year as well?

grsec is a mess and causes more problems than it prevents. But it's like anti-virus and people will defend it forever out of fear.

You retarded?

Yeah, companies were applying their patchset to old kernels without paying a protection racket fee (oh the horror!) so their response was to... shut down the paid option entirely.


>obviously not the colossal embarrassment everyone is actually talking about today and they're damage-controlling harder than north korea
Please tell me you're not that gullible and you're just pretending to be a moron by defending these fucking losers. Would you run kernel code written by someone more autistic than STI?

They were using their trademark without paying them, that was the issue.

Hey it's the guy who made homebrew on the latest 3DS possible, kek he liked a tweet and Grsecurity blocked him with like 50 other people, this is really sad levels of damage control, what goes around comes around you fucking trademark whores

he was rude to someone who pointed out a bug.

that doesn't reflect well at all. you should thank him.

Beyond rude, they had a fucking meltdown
That's not a good sign when it's supposed to be a security group

Who can handle shitstorm on twitter from legions of SJWs?


That was probably Intel. Then they made the stable kernel only available for their sponsors.

No they shit themselves over companies using "grsec approved" style language. Literally profiting off their work/reputation. I can see why they got pissed even if they handled it badly. It's gpl though so fuck em.

The twitter thing was proper aspie rage at public embarrassment. He blocked people just for acknowledging the tweet and IP banned a security researcher. That's crazy behaviour.

Grsec is definitely imperfect (have had issues myself) and those guys are uber sensitive and it is tangibly worrying.

If it were any other context I would readily ditch software or a community over behavior like this from its leaders, for an alternative.

The problem is there is no alternative in linux. And vanilla linux is in fact insecure by design. There's no question of that. Forget selinux.

I will say however that killing the public stable branch was a heavy loss, as the testing branch sucks on account of the latest linux kernel constantly sucking, and I switched one system to OpenBSD as a compromise.

It's not really a group
It's just one autistic faggot

What's wrong with selinux? All the major players like Android and Fedora use it

SELinux is a MAC and not designed to provide kernel security (even if one or two features claim to do so).

It is overly convoluted with a flawed reference policy and is literally the least suited MAC for 95% of systems, or anything that isn't a top-secret formal environment, where SELinux should be used simply because there is no real linux alternative that meets those requirements.

The only major linux distro to promote it is red hat/centos/fedora because red hat gets paid the big $$$ through support contracts for overcomplicated software which red hat gets the remainder of their $$ to provide training for.

Label-based MACs are generally not a bad idea at all, but SELinux is an ad-hoc convoluted trainwreck that looks like a C programmer shit out during yearly acid trips.

Red hat should be shunned from the community for imposing it on a desktop system (fedora). The only saving grace is that unlike systemd (which I don't really care that much about) or GNOME 3 (which I hate but there are always ways around), generally Linux hasn't taken seriously to selinux. Gentoo has an official profile for it, but it's entirely optional and Grsec comes first.

Is PaX a fair alternative?

Pax is a subset of Grsec.

Thanks for the info. Some suggestions in pic from a Linux.org thread.

Try Qubes.

There's "defense in depth" and then there's "let's run 25 copies of Fedora and hope Xen is perfectly secure"

guest VM can be anything
You really think anyone's burning a Xen 0day on you?
Have you tried it? It's surprisingly usable.

And there's no OpenGL muh gzdoom. Lacks documentation too (especially about different guests).

That's like saying: "Do you really think anyone cares what you do on your computer?" May as well just use Windows 10 right? Since my life isn't THAT interesting?

More like a copy of Fedora for networking purposes, then Debian for all the applications you're used to. It's very nice if you want a secure environment and decent UI/UX.

I moved to Qubes from Debian and honestly it's the exact same experience. Nice to have two separate templates, one to shit up with whatever installs I want and one to keep pure vanilla for sensitive work.

That would be nice, no matter what I do I end up with cruft from previous packages accumulating.

yup, and since all that junk is installed into a single environment the likelihood of being compromised is accelerated.

i don't have to care if my slutty debian install gets fucked up because i log into my bank account from within an entirely different sandbox.

such is the magic of hypervisors. it really is a better system.

With that attitude how do you run anything other than mathematically secure research builds?
Do you not understand threat modelling?

That's not my argument at all. I didn't say no one cares, I said that economically you're not worth the cost. The cost of spying on you with Windows 10 is basically nil because telemetry. The cost of spying on you with regular Linux is the cost of the single exploit (in one of the many different things you probably have installed). The cost of spying on you with Qubes is exploit + Xen escape. If someone has a Xen escape why would they use it on you.

This is a valid complaint. Graphics card bugs are quite commonly used to escape virtualisation. You can always play dwarf fortress. See the ASCII punk thread for some other games you can play.

yea he's pretty cool. he helped me out a few times on #3dsdev

SELinux and Grsec have different, but complementary scopes. you should be running both.


That's false. SELinux can suit a plethora of security configurations. It is highly flexible and powerful using its policy system, of course having flexibility and power will lead to complexity though.

Is it for most people? No. Should people who care about security and have the skill to implement policies use it? Absolutely.

With SELinux you can isolate programs security contexts and mitigate potential exploits. For example if your firewall daemon gets compromised via an unknown exploit, it won't have the permissions necessary to pivot to higher levels of privilege or compromise other parts of the system.

Could you provide an example of how that is the case? I've always thought that MACs are just for restricting file access and any capabilities that are related to file access (i.e. the ability to run arbitrary programs). At least, that's what I've been using App Armor to do.

What can SELinux do to prevent process exploitation, and what can it do that App Armor can't?

Weren't there like a dozen Xen 0days last year? Not saying they're ridiculously common, or as common as Linux kernel vulnerabilities, but it seems to me that an adversary with the capabilities to think about kernel exploitation and developing spyware shouldn't find it that difficult to find a Xen 0day.

[Citation Needed]


Grsecurity/PaX is the exact opposite of antivirus. And given that it successfully prevents the exploitation of entire classes of exploits and an entire method of code execution, as well as makes other kinds of exploits much more difficult, I'd say it's a hell of a lot more effective than antivirus.

You are correct, but on unix based systems most things are a file. So you can restrict access to all devices (which are files) that you don't need, and all configuration files that you don't need for the specific security context of each process.

For example you can whitelist ioctls, since they require file descriptors:
>selinuxproject.org/page/XpermRules#ioctl_Operation_Rules

And obviously SELinux protects against ptrace and process_vm_writev as well as /proc which means accessing other processes is going to be either impossible or very very difficult to exploit.

There are some things it can't protect against, like keylogging on X since if you have access to the X server then you always can read which keys have been pressed. But, that's a good reason to switch to wayland since it doesn't have that issue.
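The ioctl allowlisting mentioned in the post above, as an added example that is not part of the original thread: a small SELinux policy module using the extended permission (xperm) rules from the linked page. The domain name `example_fwd_t` and the module name are hypothetical; the ioctl numbers are the standard Linux `SIOCGIFFLAGS` and `SIOCGIFHWADDR` values.

```selinux
# example_fwd_ioctl.te -- added example, not from the thread.
# Assumption: a firewall daemon already runs in the (hypothetical)
# domain example_fwd_t defined elsewhere in the loaded policy.
module example_fwd_ioctl 1.0;

require {
    type example_fwd_t;
    class udp_socket { ioctl };
}

# Step 1: the ordinary allow rule. On its own it permits EVERY ioctl
# command on the daemon's own UDP sockets; without it none are allowed.
allow example_fwd_t self:udp_socket ioctl;

# Step 2: the extended-permission rule. As soon as one allowxperm rule
# exists for this (source, target, class) triple, only the listed
# command numbers pass; every other ioctl is denied and audited.
#   0x8913 = SIOCGIFFLAGS   (read interface flags)
#   0x8927 = SIOCGIFHWADDR  (read interface hardware address)
# The "set" counterparts (e.g. 0x8914 SIOCSIFFLAGS) are deliberately
# absent, so a compromised daemon cannot reconfigure interfaces
# through this socket class.
allowxperm example_fwd_t self:udp_socket ioctl { 0x8913 0x8927 };

# Build and load with the standard tools:
#   checkmodule -M -m -o example_fwd_ioctl.mod example_fwd_ioctl.te
#   semodule_package -o example_fwd_ioctl.pp -m example_fwd_ioctl.mod
#   semodule -i example_fwd_ioctl.pp
```

Blocked commands show up as AVC denials carrying an `ioctlcmd=` field, which is the value to review before widening the allowlist.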

That's literally the worst startup advice you can give anyone. Grsec with RBAC will take care of practically all configurations on all common servers while SELinux takes 3x the effort for 3x less the coverage. SELinux is the biggest waste of security effort in the linux world. Complete nonsense.

Just to let you know, you didn't make an argument

It's just ONE guy behind grsecurity?