Gentoo Archives: gentoo-dev

From: "Hanno Böck" <hanno@g.o>
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] Regarding the State of PaX in the tree
Date: Mon, 16 Apr 2018 09:14:50
Message-Id: 20180416111433.7ea80289@pc1
In Reply to: [gentoo-dev] Regarding the State of PaX in the tree by "Anthony G. Basile"
Hi,

I honestly don't see how it would be feasible to maintain a feature
that the developers maintaining it have access to.

I get that this whole pax-thing embodies a huge part of Gentoo history
and it may feel hard for some to let it go. But things are how they are.

Regarding the fork states: I followed up on minipli's fork, which
tried to maintain newer patches of grsec for LTS kernels, but that
essentially stopped after KPTI/meltdown/retpoline. From what I know
there's no public grsec patch with kpti or any spectre fixes, thus I
would very much say you're safer these days with an upstream kernel.

I think the only realistic way this support can be upheld would be if
some people who have access to the grsec sources commit to making sure
that it is maintained.


There's also another question related to this: What's the future for
Gentoo hardened?
From what I can tell hardened consists of:
* the things that try to make it compatible with grsec/pax
  (more or less obsolete).
* things that are now in default profiles anyway (aslr, stack
  protector).
* things that probably should be in default profiles (relro, now linker
  flags)
* -fstack-check, which should eventually be replaced with
  -fstack-clash-protection (only available in future gcc's) and that
  should probably also go into default profiles.
* Furthermore hardened disables some useful features due to their
  incompatibility with pax (e.g. sanitizers).

So it's stuff that either is obsolete or probably should be a candidate
for main profiles. Maybe we should strive for "hardened-by-default".

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno@××××××.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

Replies

Subject Author
Re: [gentoo-dev] Regarding the State of PaX in the tree "Anthony G. Basile" <blueness@g.o>
Re: [gentoo-dev] Regarding the State of PaX in the tree "Toralf Förster" <toralf@g.o>