Gentoo Archives: gentoo-dev

From: "Anthony G. Basile" <blueness@g.o>
To: Gentoo Development <gentoo-dev@l.g.o>
Subject: [gentoo-dev] Regarding the State of PaX in the tree
Date: Mon, 16 Apr 2018 00:07:00
1 Hi everyone,
3 Magnus (aka Zorry) and I have been talking about what to do with PaX in
4 the Gentoo tree. A year ago, upstream stopped providing
5 open versions of their patches to the community and this basically
6 brought an end to sys-kernel/hardened-sources. I waited a while before
7 masking the package in the hope that upstream might reconsider. There
8 were also some forks but I didn't have much confidence in them. I'm not
9 sure that any of these forks have been able to keep up past
10 meltdown/specter.
12 It may be time to remove sys-kernel/hardened-sources completely from the
13 tree. Removing the package is easy, but the issue is there is a lot of
14 machinery in the tree that revolves around supporting a PaX kernel.
15 This involves things like setting PaX flags on some executables either
16 by touching the ELF program headers or the file's extended attributes,
17 or applying custom patches.
19 The question then is, do we remove all this code? As thing stands, its
20 just lint that serves no current purpose, so removing it would clean
21 things up. The disadvantage is it would be a pita to ever restore it if
22 we ever wanted it back. While upstream doesn't provide their patch for
23 free, some users/companies can purchase the grsecurity patches and still
24 use a custom hardened-sources kernel with Gentoo. But since we haven't
25 been able to test the pax markings/custom patches in about a year, its
26 hard to say how useful that code might still be.
28 I'm just emailing everyone to get advice.
31 --
32 Anthony G. Basile, Ph.D.
33 Gentoo Linux Developer [Hardened]
34 E-Mail : blueness@g.o
35 GnuPG FP : 1FED FAD9 D82C 52A5 3BAB DC79 9384 FA6E F52D 4BBA
36 GnuPG ID : F52D4BBA