Gentoo Archives: gentoo-dev

From: Joshua Kinard <kumba@g.o>
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] The status of grsecurity upstream and hardened-sources downstream
Date: Mon, 26 Jun 2017 14:28:26
Message-Id: b752ab8b-0d7b-c38c-eb40-be2e12bf1ba2@gentoo.org
In Reply to: Re: [gentoo-dev] The status of grsecurity upstream and hardened-sources downstream by Luis Ressel
On 06/26/2017 09:15, Luis Ressel wrote:
> On Sun, 25 Jun 2017 23:47:48 -0400
> Joshua Kinard <kumba@g.o> wrote:
>
>> Safe for now to just switch to gentoo-sources while retaining hardened
>> toolchain? Or would there be a few additional steps needed? I only
>> use PaX for mprotect() and the ASLR capabilities, though I suspect
>> those might be in the standard sauce by now. As such, I haven't had
>> to deal with userland issues and PaX too much over the years.
>
> A full rebuild shouldn't be necessary after a switch to gentoo-sources
> or vanilla-sources. At least, I can't think of any reason why it would,
> and I haven't encountered any problems after switching on my own hosts.
>
> Just keep in mind that vanilla-sources doesn't support the PaX xattrs
> properly (AFAIR), so if you ever want to switch *back* from vanilla to
> hardened, some pax markings will be missing. This shouldn't be an issue
> for gentoo-sources, though.
>
> Cheers,
> Luis Ressel
>

The machine needs a full rebuild just to "freshen" it up. Current install is
going on 6-7+ years, at least three different motherboard/CPU cycles, and the
SATA drives are pushing 8+ years old at this point in that machine. The same
drives were previously in my desktop machine between ~2006-2008, so they've had
a *great* run for spinning rust. I've got new'ish replacement drives and a new
drive bay recently arrived, so the grsecurity mess was the straw that broke the
proverbial camel's back.

Just a matter of getting the needed downtime to move data off,
rebuild/reinstall everything, move stuff back, and check for broken bits.
Until then, I wasn't sure if switching to gentoo-sources would have any
side-effects with the hardened userland to get to a newer kernel.

--
Joshua Kinard
Gentoo/MIPS
kumba@g.o
6144R/F5C6C943 2015-04-27
177C 1972 1FB8 F254 BAD0 3E72 5C63 F4E3 F5C6 C943

"The past tempts us, the present confuses us, the future frightens us. And our
lives slip away, moment by moment, lost in that vast, terrible in-between."

--Emperor Turhan, Centauri Republic