Date: Tue, 31 Mar 2020 12:30:06 +0200
From: Natanael Copa
To: Marco Sulla
Subject: Re: How does Alpine Linux harden its kernel?
Message-ID: <20200331123006.18d9621d@ncopa-desktop.copa.dup.pw>
References: <20200331120229.514f90b3@ncopa-desktop.copa.dup.pw>

On Tue, 31 Mar 2020 12:10:47 +0200
Marco Sulla wrote:

> But did you not apply custom patches made by yourselves? I see in
> the source code that pax utilities are used. And it seems Alpine uses
> linux-hardened.

We used the testing patches from grsecurity and maintained our own fork
of it for a while. But it was not possible to continue at some point
(which was expected).

Now we have dropped the linux-hardened kernel in favor of the vanilla
linux-lts.

I recommend that you ask (and pay for) grsecurity for a proper hardened
kernel.

-nc

>
> On Tue, 31 Mar 2020 at 12:02, Natanael Copa wrote:
> >
> > On Tue, 31 Mar 2020 11:43:01 +0200
> > Marco Sulla wrote:
> >
> > > Hello all. I discovered Alpine Linux, and it seems the unique active
> > > Linux distro that applies hardening patches to the Linux kernel.
> > >
> > > The problem is I do not understand where Alpine applies its patches to
> > > the kernel. Where is the code?
> > >
> > > PS: I know that Alpine Linux does not use grsecurity anymore. Does it
> > > continue to apply PaX patches?
> >
> > Hi!
> >
> > We no longer harden the kernel, due to neither grsecurity nor pax being
> > available to the public.
> >
> > It sounds like we need to update the documentation somewhere.
> >
> > -nc