I ran grsec on servers extensively for several years. This was several years ago so this information may be dated.
It's not fair to discuss grsec as a whole, when asking "why hasn't it been merged?". The /tmp symlink protection was a personal pet peeve of mine for many years. As implemented by grsec, it completely eliminated an entire class of vulnerabilities. It also had zero overhead and was a very small patch. It frustrated me to no end that it took years to land in mainline. When it finally did, nothing broke (afaik). I can't understand at all the years of resistance.
However, large parts of grsec were basically a competitor to SELinux. If you disagree with the assertion that selinux is fundamentally broken, then you have parts of grsec that don't belong in mainline.
The chroot restrictions broke BIND on my installations, which happens to be one of the most common chroot() users in standard deployments.
grsec has some great memory protection capabilities. There should at least be a conversation about some of this going mainline.
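The /tmp symlink protection mentioned above reached mainline as the fs.protected_symlinks sysctl (Linux 3.6). The following is an added example, not code from the thread or from grsecurity: it models that decision rule in Python over constructed inode records, so the classic "privileged daemon follows an attacker-planted link in /tmp" case can be seen being refused while ordinary symlink use is unaffected. The Inode type, the uids and the scenarios are all constructed for illustration.

```python
from dataclasses import dataclass

S_ISVTX = 0o1000  # sticky bit
S_IWOTH = 0o002   # world-writable bit


@dataclass(frozen=True)
class Inode:
    """Constructed stand-in for the stat() fields the policy consults."""
    uid: int
    mode: int  # permission bits incl. sticky bit, i.e. st_mode & 0o7777


def may_follow_link(dir_inode: Inode, link_inode: Inode, follower_uid: int) -> bool:
    """Decision rule of fs.protected_symlinks=1, as documented in
    Documentation/admin-guide/sysctl/fs.rst (a model, not the kernel's code).

    A symlink is followed unless the parent directory is sticky and
    world-writable AND the follower's uid differs from the link owner's
    AND the directory owner is not the link owner.
    """
    sticky_world_writable = bool(dir_inode.mode & S_ISVTX) and bool(dir_inode.mode & S_IWOTH)
    if not sticky_world_writable:
        return True  # protection only applies to /tmp-like directories
    if follower_uid == link_inode.uid:
        return True  # following your own link is always fine
    if dir_inode.uid == link_inode.uid:
        return True  # the directory owner's links are trusted
    return False


def evaluate_scenarios() -> dict:
    """Constructed cases: root-owned /tmp (mode 1777), attacker uid 1001,
    root daemon uid 0, ordinary user uid 1000, a non-sticky home directory."""
    tmp = Inode(uid=0, mode=0o1777)
    home = Inode(uid=1000, mode=0o755)
    attacker_link = Inode(uid=1001, mode=0o777)   # e.g. /tmp/app.lock planted by uid 1001
    user_link = Inode(uid=1000, mode=0o777)       # a user's own symlink in /tmp
    root_link = Inode(uid=0, mode=0o777)          # link created by root (also /tmp's owner)
    return {
        # the race-condition class the patch eliminates: daemon as root follows a foreign link
        "root_follows_attacker_link_in_tmp": may_follow_link(tmp, attacker_link, 0),
        # other users are protected from each other the same way
        "user_follows_attacker_link_in_tmp": may_follow_link(tmp, attacker_link, 1000),
        # legitimate uses keep working
        "user_follows_own_link_in_tmp": may_follow_link(tmp, user_link, 1000),
        "user_follows_root_link_in_tmp": may_follow_link(tmp, root_link, 1000),
        "anyone_follows_link_in_non_sticky_dir": may_follow_link(home, attacker_link, 0),
    }
```

Only the two cross-user cases inside the sticky, world-writable directory are refused (the kernel reports EACCES there), which is why enabling the sysctl broke nothing in practice.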
> large parts of grsec were basically a competitor to SELinux.
Why do you think so? RBAC is an optional part that requires extra configuration to even activate. There's a lot of benefit in running a grsec kernel with SELinux as MAC. These features neither depend on RBAC nor even use it.
It's kind of like smack, selinux, apparmor, yama, etc. You can think some of them are broken/worse than others. You're not forced to use them.
I didn't suggest you were forced to use any feature. I just suggested that "this needs to be merged mainline" becomes cloudier for a certain feature that already has a similar implementation in mainline.
I don't think anyone is realistically talking about merging the whole of grsec as it exists today. All the efforts and requests always depended on splitting grsec into separate features that can be merged independently. The RBAC feature could realistically be denied in favour of existing LSMs, while other features without an equivalent solution could be included.