Grsecurity

Has anybody forked this yet? If not, what is the next best RBAC?

bump

I think we're all fucked regarding this. I haven't checked since, but the consensus within the Arch/Gentoo maintainer circles was dropping support for Grsec. Though I think PaX will still have support.

The Kernel Self Protection project has already taken the torch and they are serious about it. Meanwhile in Arch Linux, the developers are talking about applying some patches separately, covering at least part of grsecurity.

It's not a grim future, it's just a grim present.

Why would you need to fork it?
It's GPL, just grab the code from a subscriber.

For every patch you grab from a subscriber, that same subscriber loses subscription.

The better option is to fork.

Remind me what makes RBAC so much better than MAC? Why isn't AppArmor a replacement for this?

On one hand you give permissions based on specific roles, that would be RBAC; on the other you have filesystem access through lists, which is AppArmor. They pretty much complement each other afaik.

>Kernel Self Protection

They're a joke

Why don't you give a hand and change that user?

They've actually tweeted about this policy, so it isn't theoretical; there's now plenty of documented court-admissible evidence that they wish to, via estoppel, in effect sublicense their derivative work with an NDA such that anyone who redistributes it will be cut off from any future updates.

Considering patches are in copyright a derivative work of what they patch, PaX Team's policy of doing this is, of course, an egregious violation of GPLv2 §2(b), §4 and §6 and any of the Linux kernel copyright holders could sue them for statutory damages multiplied by the number of distributions. The GPL even explicitly says:
>You may not impose any further restrictions on the recipients' exercise of the rights granted herein.

It's hard to misunderstand that, but apparently when you type in lower case and are an enormous asshole, effectively refusing for many years to work with the upstream kernel community and break their fucking monster patch down into parts like a sane person would, you lose the ability to take effective legal advice.

Friendly reminder: Oracle are a Linux kernel copyright holder. So are IBM, and Google.

Grsecurity as it stands probably won't last through 2017. Either it'll be sued into non-existence or the devs will quit. It's the Linux kernel, not a fucking Minecraft mod.

>implying that retard can do anything but repeat "expert opinions" he read on reddit

I am just waiting for the hammer to fall over these guys' heads. Makes me wonder if the compatibility issue isn't intentional; reading the article where Linus talks about grsecurity, one might think these guys made bad business practices.

In the meantime, is the alternative RSBAC + PaX + AppArmor?

The guys at RSBAC maintain an updated PaX version for latest long term kernel. Not everything is lost.

Has Stallman released a statement on this yet?

Oracle and Google are currently consulting with legal advice about it; Google because they're plain ol' pissed off, and Oracle because they're concerned about their own redistribution rights with Unbreakable Linux. I think it's only been so long until now because

I'm not sure what I think about a world where Oracle and Google might actually be on the *same* side of a copyright battle - but I don't think it's going to be a very long one, because what the PaX team are trying to pull - something along the lines of "we're not restricting you from redistributing it, BUT if you do we're never giving you another version again" - doesn't even pass the laugh test.

That they've been stupid enough to put their policy into an actual documented court-admissible fucking tweet you could blow up and use as a cover sheet for your brief only means you should get popcorn.

Has everyone forgotten one of the few good things the NSA has ever done (admittedly, for themselves) - selinux?

>SELinux
>Good
It's a systemd-tier clusterfuck.

Isn't SELinux covered in many ways, and better, by tools like RSBAC and AppArmor? It's pretty difficult to set the rules, and if RSBAC is more extended this defeats its purpose.

>Oracle and Google might actually be on the *same* side of a copyright battle
has science gone too far

I don't know, but I wasn't under the impression RMS was one of the copyright holders of the Linux kernel?

GPLv2 doesn't really need any further clarification of intent here. To reproduce §6:
>6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License.

Breaking that down:
>PaX Team's patch is based on the Linux kernel.
>The people they send it to, the subscribers, their recipients, automatically receive licences from the Linux kernel developers to redistribute according to the GPL.
>PaX team may not fuck with that right.

Let's be clear here: what PaX team are trying to do is not some weird legal trick. It's Cousin Vinny going "We're not saying you can't step over this line, we're just saying we'll break your kneecaps if you do". That's the same fucking thing and I honestly can't imagine any judge entertaining it for even a moment, except to let them talk if for some reason the judge is new enough to the job to still find idiocy entertaining. They have, in fact, said in writing that subscribers will have their subscription terminated for redistribution, which is a restriction of their exercise of the rights granted to them under the GPL.

It's not their fucking software. It's Linux. It's quite a lot of people's work they're disrespecting by pulling this shit, and it doesn't have to be IBM suing them to point that out - it could be literally any one of the developers.

By the way, you shouldn't take legal advice from Sup Forums, duh, if you're thinking of doing anything but eating popcorn and watching (which you almost certainly aren't), you should see a lawyer qualified and licenced in your jurisdiction.

>I wasn't under the impression RMS was one of the copyright holders of the Linux kernel?
He's not, but the GNU GPL is a big deal for him and vice versa.

Ah, see, I haven't tried to actually use it at all ever. The complexity of it scared me off. Me and almost everyone else, and I've configured sendmail and ircii and somehow survived (thanks to the bat book and sheer bloody-minded persistence).

That makes sense considering it's from NSA Information Assurance (i.e. the department that are the defenders of classified US Government systems, rather than the signals intelligence agency, which I really think should be split into a separate agency given the irreconcilable conflict of interest with the SIGINT mission of the other side) and is the Enterprise-Tier™ shit they wanted for information compartmentation (that didn't help them at all when Snowden raided their Sharepoint because that shit is on Windows).

I don't think it's fair to compare that to systemd, which is actually pretty easy to configure, has some real benefits, and whose only real big problem is Lennart Poettering... well, being Lennart Poettering.

Not tried RSBAC either, but have tried AppArmor. I used to use PaX back when Gentoo had a stage1, when -fstack-protector was a compiler patch, and the original GCC still existed rather than EGCS which supplanted it. Some of that stuff could have been upstreamed, but PaX team have always, always been enormous dicks.

Yes, but let's keep going and see what happens anyway.

Well, yes, but I'm not sure whether any comment from him would be useful - I expect he might just use it as another platform to raise the issue of Linux still being stuck on GPLv2 and not wanting GPLv3. I never saw him say much about Busybox. It's not his project and it's an open-and-shut violation of the licence.

>didn't help them at all when Snowden raided their Sharepoint because that shit is on Windows

Maybe KSPP will make it possible to upstream PaX features; it's about time.

OpenBSD.