| 1 |
Am 24.07.2017 18:46, schrieb Cor Legemaat: |
| 2 |
> On Fri, 2017-06-23 at 19:09 +0200, Javier Juan Martinez Cabezon wrote: |
| 3 |
>> Have you thought in use other alternative apart grsec as kernel side |
| 4 |
>> solution?, PaX is PaX, its a great loss, but rsbac and selinux has |
| 5 |
>> their |
| 6 |
>> w or x, almost all cpu today has NX bit and reduce the needings of |
| 7 |
>> PageExec/SegmExec, and I think that exists some gcc plugins with PaX |
| 8 |
>> alike functions. |
| 9 |
>> |
| 10 |
>> rsbac has their git public and selinux is in vanilla. Maybe you could |
| 11 |
>> consider to use rsbac git kernel as hardened-sources new kerneland |
| 12 |
>> solution but I have not tested selinux under this kernel |
| 13 |
>> |
| 14 |
>> Under rsbac pax userland is not needed, MPROTECT controls it and can |
| 15 |
>> be |
| 16 |
>> switched individually in kernel land because it is something like a |
| 17 |
>> request under rsbac. Not all functions of PaX, but good enough in my |
| 18 |
>> opinion |
| 19 |
>> |
| 20 |
>> On 23/06/17 18:28, Anthony G. Basile wrote: |
| 21 |
>> > |
| 22 |
>> > Hi everyone, |
| 23 |
>> > |
| 24 |
>> > Since late April, grsecurity upstream has stop making their patches |
| 25 |
>> > available publicly. Without going into details, the reason for |
| 26 |
>> > their |
| 27 |
>> > decision revolves around disputes about how their patches were |
| 28 |
>> > being |
| 29 |
>> > (ab)used. |
| 30 |
>> > |
| 31 |
>> > Since the grsecurity patch formed the main core of our hardened- |
| 32 |
>> > sources |
| 33 |
>> > kernel, their decision has serious repercussions for the Hardened |
| 34 |
>> > Gentoo |
| 35 |
>> > project. I will no longer be able to support hardened-sources and |
| 36 |
>> > will |
| 37 |
>> > have to eventually mask and remove it from the tree. |
| 38 |
>> > |
| 39 |
>> > Hardened Gentoo has two sides to it, kernel hardening (done via |
| 40 |
>> > hardened-sources) and toolchain/executable hardening. The two are |
| 41 |
>> > interrelated but independent enough that toolchain hardening can |
| 42 |
>> > continue on its own. The hardened kernel, however, provided PaX |
| 43 |
>> > protection for executables and this will be lost. We did a lot of |
| 44 |
>> > work |
| 45 |
>> > to properly maintain PaX markings in our package management system |
| 46 |
>> > and |
| 47 |
>> > there was no part of Gentoo that wasn't touched by issues stemming |
| 48 |
>> > from |
| 49 |
>> > PaX support. |
| 50 |
>> > |
| 51 |
>> > I waited two months before saying anything because the reasons were |
| 52 |
>> > more |
| 53 |
>> > of a political nature than some technical issue. At this point, I |
| 54 |
>> > think |
| 55 |
>> > its time to let the community know about the state of affairs with |
| 56 |
>> > hardened-sources. |
| 57 |
>> > |
| 58 |
>> > I can no longer get into the #grsecurity/OFTC channel (nothing |
| 59 |
>> > personal, |
| 60 |
>> > they kicked everyone), and so I have not spoken to spengler or |
| 61 |
>> > pipacs. |
| 62 |
>> > I don't know if they will ever release grsecurity patches again. |
| 63 |
>> > |
| 64 |
>> > My plan then is as follows. I'll wait one more month and then send |
| 65 |
>> > out |
| 66 |
>> > a news item and later mask hardened-sources for removal. I don't |
| 67 |
>> > recommend we remove any of the machinery from Gentoo that deals |
| 68 |
>> > with PaX |
| 69 |
>> > markings. |
| 70 |
>> > |
| 71 |
>> > I welcome feedback. |
| 72 |
>> > |
| 73 |
>> |
| 74 |
>> |
| 75 |
> |
| 76 |
> How do I play with RSBAC, there is nice wiki pages etc but al the |
| 77 |
> ebuilds are removed from portage? |
| 78 |
> |
| 79 |
> Regards: |
| 80 |
> Cor |
| 81 |
|
| 82 |
Hi, |
| 83 |
|
| 84 |
https://bitbucket.org/igraltist/kiste |
| 85 |
|
| 86 |
this is my private overlay but there is a rsbac-admin ebuild |
| 87 |
|
| 88 |
Jens |
Archives