Gentoo Archives: gentoo-dev

From: "Anthony G. Basile" <blueness@g.o>
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] Regarding the State of PaX in the tree
Date: Mon, 16 Apr 2018 12:32:11
In Reply to: Re: [gentoo-dev] Regarding the State of PaX in the tree by "Hanno Böck"
On 4/16/18 5:14 AM, Hanno Böck wrote:
> Hi, > > I honestly don't see how it would be feasible to maintain a feature > that the developers maintaining it have access to.
I think you're missing a negation in there. Point well taken though.
> > I get that this whole pax-thing embodies a huge part of Gentoo history > and it may feel hard for some to let it go. But things are how they are.
I agree, and we'll have it in our history if hardened-sources ever comes back. The only machinery we should keep is install-xattrs which grew out of the integration of xattr PaX markings but is useful beyond just PaX.
> > Regarding the fork states: I followed up on minipli's fork, which > tried to maintain newer patches of grsec for LTS kernels, but that > essentially stopped after KPTI/meltdown/retpoline. From what I know > there's no public grsec patch with kpti or any spectre fixes, thus I > would very much say you're safer these days with an upstream kernel. >
Correct. I would not use the old hardened-sources or minipli's fork on any production server.
> I think the only realistic way this support can be upheld would be if > some people who have access to the grsec sources commit to making sure > that it is maintained.
Upstream has never responded to any email I sent them. I had a brief discussion with spender when the decision came down, and he gave me what I interpreted as an "I'm sorry this is going to adversely affect you but it has to be this way."
> > > There's also another question related to this: What's the future for > Gentoo hardened? > From what I can tell hardened consists of: > * the things that try to make it compatible with grsec/pax > (more or less obsolete). > * things that are now in default profiles anyway (aslr, stack > protector). > * things that probably should be in default profiles (relro, now linker > flags) > * -fstack-check, which should eventually be replaced with > -fstack-clash-protection (only available in future gcc's) and that > should probably also go into default profiles. > * Furthermore hardened disables some useful features due to their > incompatibility with pax (e.g. sanitizers). > > So it's stuff that either is obsolete or probably should be a candidate > for main profiles. Maybe we should strive for "hardened-by-default". >
You're forgetting selinux. Most of Zorry's work has made it into gcc and is now being enabled by our default toolchain. Some kernel features have also been improved upstream. With upstream carrying a lot of the work we did, I think 'hardened-by-default' minus selinux should be the goal of Gentoo. -- Anthony G. Basile, Ph.D. Gentoo Linux Developer [Hardened] E-Mail : blueness@g.o GnuPG FP : 1FED FAD9 D82C 52A5 3BAB DC79 9384 FA6E F52D 4BBA GnuPG ID : F52D4BBA


Subject Author
Re: [gentoo-dev] Regarding the State of PaX in the tree Francesco Riosa <vivo75@×××××.com>