From: Greg KH <gregkh@linuxfoundation.org>
To: Alexander Grund <theflamefire89@gmail.com>
Cc: stable@vger.kernel.org
Subject: Re: [GIT 4.9] LSM,security,selinux,smack: Backport of LSM changes
Date: Sun, 10 Jul 2022 15:23:17 +0200
Message-ID: <YsrSxQQB82eDdn0+@kroah.com>
In-Reply-To: <077a6d7d-e0a0-fab1-12df-871baa9be765@gmail.com>
On Sun, Jul 10, 2022 at 03:02:52PM +0200, Alexander Grund wrote:
> On 10.07.22 14:48, Greg KH wrote:
> >>> What 4.4.y Android devices are still supported by their vendors? And
> >>> are they still getting kernel updates?
> >>
> >> Actually the issue is that those devices are not supported by their vendors anymore, so they may only get updates through LineageOS.
> >> That is a third-party Android build where maintainers rely on proprietary binaries from the original phone which are tied to a specific kernel.
> >> Hence when the device falls out of support having a 4.4 kernel in the last release there is no way for those maintainers to switch to a newer kernel.
> >> That's the situation e.g. I am in right now: Providing (mostly) security updates for a good phone that fell out of vendor support
> >> by using LineageOS for an updated Android system and e.g. the CIP maintained SLTS 4.4 kernel.
> >> And I know of at least 2 other devices using the same kernel as they share the platform.
> >
> > All of those devices that wish to keep working should just forward port
> > their tree to newer kernel versions so that they can stay secure and
> > working properly. It is far easier to do that than to attempt to keep
> > older kernel trees alive over time. I've done both in the past and it's
> > always simpler to move forward.
> >
> > So why not just do that instead of attempting to keep these old kernels
> > alive? Do the effort once and then you can rely on the community's
> > help. Otherwise you are stuck on your own for forever.
>
> Because forward porting is not possible.
> As mentioned, the original device vendor no longer supports those devices
> so what the community has is a blob of binaries compiled against a specific
> kernel version with no access to their sources.
That's a lovely GPL violation that I am sure those vendors would be glad
to fix up and provide the source for. Especially if those vendors are
wanting to use newer kernel versions in newer devices :)
> As those binaries (mostly hardware "drivers") are required to use the device,
> recompilation isn't possible and they are likely coupled to the kernel version
> specific API/ABI; "we" (me and maintainers of similar devices) have to stick to that kernel.
If you do not know what sources those blobs are built from, then trying
to keep a stable abi is very very difficult, as I know from experience.
Good luck!
greg k-h
Thread overview: 8+ messages
2022-07-09 12:07 [GIT 4.9] LSM,security,selinux,smack: Backport of LSM changes Alexander Grund
2022-07-09 12:16 ` Greg KH
2022-07-10 10:44 ` Alexander Grund
2022-07-10 11:06 ` Greg KH
2022-07-10 12:38 ` Alexander Grund
2022-07-10 12:48 ` Greg KH
2022-07-10 13:02 ` Alexander Grund
2022-07-10 13:23 ` Greg KH [this message]