From: Marco Sulla
Date: Tue, 31 Mar 2020 15:47:01 +0200
Subject: Re: How does Alpine Linux harden its kernel?
To: Natanael Copa

Thank you for the information.
I have no intention to apply a patch to the Linux kernel whose code is not publicly available.

On Tue, 31 Mar 2020 at 12:30, Natanael Copa wrote:
>
> On Tue, 31 Mar 2020 12:10:47 +0200
> Marco Sulla wrote:
>
> > But did you not apply custom patches made by yourselves? I see in
> > the source code that pax utilities are used. And it seems Alpine uses
> > linux-hardened.
>
> We used the testing patches from grsecurity and maintained our own fork
> of it for a while. But it was not possible to continue at some point
> (which was expected). Now we have dropped the linux-hardened kernel in
> favor of the vanilla linux-lts.
>
> I recommend that you ask (and pay for) grsecurity for a proper hardened
> kernel.
>
> -nc
>
> >
> > On Tue, 31 Mar 2020 at 12:02, Natanael Copa wrote:
> > >
> > > On Tue, 31 Mar 2020 11:43:01 +0200
> > > Marco Sulla wrote:
> > >
> > > > Hello all. I discovered Alpine Linux, and it seems the unique active
> > > > Linux distro that applies hardening patches to the Linux kernel.
> > > >
> > > > The problem is I do not understand where Alpine applies its patches to
> > > > the kernel. Where is the code?
> > > >
> > > > PS: I know that Alpine Linux does not use grsecurity anymore. Does it
> > > > continue to apply PaX patches?
> > >
> > > Hi!
> > >
> > > We no longer harden the kernel, due to neither grsecurity nor pax being
> > > available to the public.
> > >
> > > It sounds like we need to update the documentation somewhere.
> > >
> > > -nc