Hi everyone,

Magnus (aka Zorry) and I have been talking about what to do with PaX in
the Gentoo tree. A year ago, grsecurity.net upstream stopped providing
open versions of their patches to the community and this basically
brought an end to sys-kernel/hardened-sources. I waited a while before
masking the package in the hope that upstream might reconsider. There
were also some forks but I didn't have much confidence in them. I'm not
sure that any of these forks have been able to keep up past
Meltdown/Spectre.

It may be time to remove sys-kernel/hardened-sources completely from the
tree. Removing the package is easy, but the issue is there is a lot of
machinery in the tree that revolves around supporting a PaX kernel.
This involves things like setting PaX flags on some executables either
by touching the ELF program headers or the file's extended attributes,
or applying custom patches.

The question then is, do we remove all this code? As things stand, it's
just lint that serves no current purpose, so removing it would clean
things up. The disadvantage is it would be a pita to ever restore it if
we ever wanted it back. While upstream doesn't provide their patch for
free, some users/companies can purchase the grsecurity patches and still
use a custom hardened-sources kernel with Gentoo. But since we haven't
been able to test the pax markings/custom patches in about a year, it's
hard to say how useful that code might still be.

I'm just emailing everyone to get advice.


-- 
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : blueness@g.o
GnuPG FP : 1FED FAD9 D82C 52A5 3BAB DC79 9384 FA6E F52D 4BBA
GnuPG ID : F52D4BBA
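The mail mentions the two places Gentoo's PaX machinery records per-executable markings: a PT_PAX_FLAGS program header inside the ELF file and the file's extended attributes. Before ripping that machinery out, a maintainer would want to inventory which installed binaries still carry markings. The following audit script is an added example written for this thread; it is not part of the email, of Gentoo's pax-utils, or of paxctl. It constructs a minimal ELF64 image in memory (constructed test input, not a real binary) so it runs offline, and it decodes both a PT_PAX_FLAGS header and a `user.pax.flags` xattr string. The header type value and the flag bits are the ones from the PaX patch's `elf.h`; the xattr name and the letter convention (uppercase enables a feature, lowercase disables it, as in paxctl) are assumed from the paxctl-ng tooling and should be checked against the version you ship.

```python
import os
import struct

# PT_LOOS + 0x5041580: the PaX-specific program header type from the PaX elf.h
PT_PAX_FLAGS = 0x65041580

# Each PaX feature has an explicit "enable" bit and an explicit "disable" bit in p_flags.
PAX_FLAG_BITS = {
    "PAGEEXEC": (1 << 4, 1 << 5),
    "SEGMEXEC": (1 << 6, 1 << 7),
    "MPROTECT": (1 << 8, 1 << 9),
    "RANDEXEC": (1 << 10, 1 << 11),
    "EMUTRAMP": (1 << 12, 1 << 13),
    "RANDMMAP": (1 << 14, 1 << 15),
}

# Letter code used in the user.pax.flags xattr (paxctl convention, assumed here):
# uppercase letter = feature enabled, lowercase letter = feature disabled.
XATTR_NAME = "user.pax.flags"
XATTR_LETTERS = {"P": "PAGEEXEC", "S": "SEGMEXEC", "M": "MPROTECT",
                 "X": "RANDEXEC", "E": "EMUTRAMP", "R": "RANDMMAP"}


def decode_pax_bits(p_flags):
    """Map a PT_PAX_FLAGS p_flags word to {feature: on|off|default|conflict}."""
    state = {}
    for name, (on_bit, off_bit) in PAX_FLAG_BITS.items():
        on, off = bool(p_flags & on_bit), bool(p_flags & off_bit)
        state[name] = "conflict" if (on and off) else "on" if on else "off" if off else "default"
    return state


def decode_pax_xattr(value):
    """Map a user.pax.flags string such as 'em' to the same {feature: state} form."""
    state = {name: "default" for name in PAX_FLAG_BITS}
    for ch in value:
        name = XATTR_LETTERS.get(ch.upper())
        if name is None:
            raise ValueError("unknown PaX flag letter %r" % ch)
        state[name] = "on" if ch.isupper() else "off"
    return state


def parse_pax_flags_from_elf(data):
    """Walk the program headers of an ELF32/ELF64 image; return the decoded
    PT_PAX_FLAGS state, or None when the binary carries no such header."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    endian = "<" if ei_data == 1 else ">"
    if ei_class == 2:  # ELF64: e_phoff at 32, e_phentsize/e_phnum at 54
        (e_phoff,) = struct.unpack_from(endian + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 54)
        ph_fmt, flags_index = endian + "IIQQQQQQ", 1
    elif ei_class == 1:  # ELF32: e_phoff at 28, e_phentsize/e_phnum at 42; p_flags is field 6
        (e_phoff,) = struct.unpack_from(endian + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 42)
        ph_fmt, flags_index = endian + "IIIIIIII", 6
    else:
        raise ValueError("unknown ELF class %d" % ei_class)
    for i in range(e_phnum):
        fields = struct.unpack_from(ph_fmt, data, e_phoff + i * e_phentsize)
        if fields[0] == PT_PAX_FLAGS:
            return decode_pax_bits(fields[flags_index])
    return None


def audit_path(path):
    """Report both marking sources for one installed file (Linux only for the xattr part)."""
    with open(path, "rb") as fh:
        header_state = parse_pax_flags_from_elf(fh.read())
    try:
        xattr_state = decode_pax_xattr(os.getxattr(path, XATTR_NAME).decode())
    except (OSError, AttributeError):  # no xattr set, or platform without getxattr
        xattr_state = None
    return {"elf_header": header_state, "xattr": xattr_state}


def build_sample_elf64(pax_flags):
    """Constructed little-endian ELF64 image whose single program header is PT_PAX_FLAGS."""
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr = e_ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_PAX_FLAGS, pax_flags, 0, 0, 0, 0, 0, 0)
    return ehdr + phdr


if __name__ == "__main__":
    # A binary marked "disable MPROTECT and EMUTRAMP" in the header, and the same marking as xattr text.
    sample = build_sample_elf64((1 << 9) | (1 << 13))
    print(parse_pax_flags_from_elf(sample))
    print(decode_pax_xattr("em"))
```

The two decoders return the same dictionary shape so that an inventory run over `/usr/bin` can diff header markings against xattr markings and flag files where the two disagree, which is exactly the state the mail says has gone untested for a year.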