| 1 |
On 4/16/18 5:14 AM, Hanno Böck wrote: |
| 2 |
> Hi, |
| 3 |
> |
| 4 |
> I honestly don't see how it would be feasible to maintain a feature |
| 5 |
> that the developers maintaining it have access to. |
| 6 |
|
| 7 |
I think you're missing a negation in there. Point well taken though. |
| 8 |
|
| 9 |
|
| 10 |
> |
| 11 |
> I get that this whole pax-thing embodies a huge part of Gentoo history |
| 12 |
> and it may feel hard for some to let it go. But things are how they are. |
| 13 |
|
| 14 |
I agree, and we'll have it in our history if hardened-sources ever comes |
| 15 |
back. The only machinery we should keep is install-xattrs which grew |
| 16 |
out of the integration of xattr PaX markings but is useful beyond just PaX. |
| 17 |
|
| 18 |
> |
| 19 |
> Regarding the fork states: I followed up on minipli's fork, which |
| 20 |
> tried to maintain newer patches of grsec for LTS kernels, but that |
| 21 |
> essentially stopped after KPTI/meltdown/retpoline. From what I know |
| 22 |
> there's no public grsec patch with kpti or any spectre fixes, thus I |
| 23 |
> would very much say you're safer these days with an upstream kernel. |
| 24 |
> |
| 25 |
|
| 26 |
Correct. I would not use the old hardened-sources or minipli's fork on |
| 27 |
any production server. |
| 28 |
|
| 29 |
> I think the only realistic way this support can be upheld would be if |
| 30 |
> some people who have access to the grsec sources commit to making sure |
| 31 |
> that it is maintained. |
| 32 |
|
| 33 |
Upstream has never responded to any email I sent them. I had a brief |
| 34 |
discussion with spender when the decision came down, and he gave me what |
| 35 |
I interpreted as an "I'm sorry this is going to adversely affect you but |
| 36 |
it has to be this way." |
| 37 |
|
| 38 |
> |
| 39 |
> |
| 40 |
> There's also another question related to this: What's the future for |
| 41 |
> Gentoo hardened? |
| 42 |
> From what I can tell hardened consists of: |
| 43 |
> * the things that try to make it compatible with grsec/pax |
| 44 |
> (more or less obsolete). |
| 45 |
> * things that are now in default profiles anyway (aslr, stack |
| 46 |
> protector). |
| 47 |
> * things that probably should be in default profiles (relro, now linker |
| 48 |
> flags) |
| 49 |
> * -fstack-check, which should eventually be replaced with |
| 50 |
> -fstack-clash-protection (only available in future gcc's) and that |
| 51 |
> should probably also go into default profiles. |
| 52 |
> * Furthermore hardened disables some useful features due to their |
| 53 |
> incompatibility with pax (e.g. sanitizers). |
| 54 |
> |
| 55 |
> So it's stuff that either is obsolete or probably should be a candidate |
| 56 |
> for main profiles. Maybe we should strive for "hardened-by-default". |
| 57 |
> |
| 58 |
|
| 59 |
You're forgetting selinux. Most of Zorry's work has made it into gcc |
| 60 |
and is now being enabled by our default toolchain. Some kernel features |
| 61 |
have also been improved upstream. With upstream carrying a lot of the |
| 62 |
work we did, I think 'hardened-by-default' minus selinux should be the |
| 63 |
goal of Gentoo. |
| 64 |
|
| 65 |
-- |
| 66 |
Anthony G. Basile, Ph.D. |
| 67 |
Gentoo Linux Developer [Hardened] |
| 68 |
E-Mail : blueness@g.o |
| 69 |
GnuPG FP : 1FED FAD9 D82C 52A5 3BAB DC79 9384 FA6E F52D 4BBA |
| 70 |
GnuPG ID : F52D4BBA |
Archives