Backporting stacked security patch
Lev Olshvang
levonshe at yandex.com
Tue Oct 30 14:19:08 EDT 2018
Hi Greg,
Thanks for a reply.
While diff between two kernels is indeed tremendous, the commits which were done in security subsystem do not look too bid,.
There are 7 commits, and 2 of them is about comments and one about file deletion.
I see that in 4.1 Smack was changed (couple of commits) and about 12 commits in
SeLinux and Smack that we were changed in 4.0, and in 3.19 only IMA was changed.
So the job is to apply very limited number of commits, and commits of 4.1 or 4.0 are not important for me because I am interested only in Apparmor
stacking
Perhaps I am overlooking some basic issue ?
As I stated, I have no option to come to customer and ask to upgrade his kernel, but I will try to put his attention to mentioned by you cease of security updates.
Best Regards
Lev
30.10.2018, 17:32, "Greg KH" <greg at kroah.com>:
> On Tue, Oct 30, 2018 at 02:43:12PM +0300, Lev Olshvang wrote:
>> Hi All,
>>
>> I week ago I asked the list about kernel 4.2 stacked security patch location , but
>> Greg strongly advised me against, without going into details.
>> I highly appreciate Greg advice, and I know he is a very busy person.
>> Unfortunately I do not have a choice to upgrade kernel, and I am asking again :
>> - what are major challenges of a such backport ?
>> Does kernel security changed so much between 3.18 and 4.2 ?
>
> $ git log --no-merges v3.18..v4.2 | grep "^commit " | wc -l
> 48573
>
> That's over 48 thousand changes between those kernels. That's a
> non-trivial thing to review and backport only parts of it.
>
> And if you were to backport only parts of it, then you would be dealing
> with a kernel that only you can support, not the company/vendor that is
> forcing you to stick with 3.18. Why not ask them to do this work for
> you as they are the ones you are paying for this type of work already?
>
> Also, why 3.18? That's a very old and obsolete kernel already, never
> use that for any new type of device, you are guaranteed to have problems
> with it as I'll probably stop doing security updates for it any week
> now...
>
> good luck!
>
> greg k-h
More information about the Kernelnewbies
mailing list