On 24.07.2017 18:46, Cor Legemaat wrote:
> On Fri, 2017-06-23 at 19:09 +0200, Javier Juan Martinez Cabezon wrote:
>> Have you thought of using another alternative apart from grsec as the
>> kernel-side solution? PaX is PaX, it's a great loss, but rsbac and
>> selinux have their w or x, almost all CPUs today have the NX bit, which
>> reduces the need for PageExec/SegmExec, and I think there are some gcc
>> plugins with PaX-like functions.
>>
>> rsbac has their git public and selinux is in vanilla. Maybe you could
>> consider using the rsbac git kernel as the new hardened-sources kernel
>> land solution, but I have not tested selinux under this kernel.
>>
>> Under rsbac the PaX userland is not needed; MPROTECT controls it and can
>> be switched individually in kernel land because it is something like a
>> request under rsbac. Not all functions of PaX, but good enough in my
>> opinion.
>>
>> On 23/06/17 18:28, Anthony G. Basile wrote:
>> >
>> > Hi everyone,
>> >
>> > Since late April, grsecurity upstream has stopped making their patches
>> > available publicly. Without going into details, the reason for their
>> > decision revolves around disputes about how their patches were being
>> > (ab)used.
>> >
>> > Since the grsecurity patch formed the main core of our hardened-sources
>> > kernel, their decision has serious repercussions for the Hardened Gentoo
>> > project. I will no longer be able to support hardened-sources and will
>> > have to eventually mask and remove it from the tree.
>> >
>> > Hardened Gentoo has two sides to it, kernel hardening (done via
>> > hardened-sources) and toolchain/executable hardening. The two are
>> > interrelated but independent enough that toolchain hardening can
>> > continue on its own. The hardened kernel, however, provided PaX
>> > protection for executables and this will be lost. We did a lot of work
>> > to properly maintain PaX markings in our package management system and
>> > there was no part of Gentoo that wasn't touched by issues stemming from
>> > PaX support.
>> >
>> > I waited two months before saying anything because the reasons were
>> > more of a political nature than some technical issue. At this point, I
>> > think it's time to let the community know about the state of affairs
>> > with hardened-sources.
>> >
>> > I can no longer get into the #grsecurity/OFTC channel (nothing personal,
>> > they kicked everyone), and so I have not spoken to spengler or pipacs.
>> > I don't know if they will ever release grsecurity patches again.
>> >
>> > My plan then is as follows. I'll wait one more month and then send out
>> > a news item and later mask hardened-sources for removal. I don't
>> > recommend we remove any of the machinery from Gentoo that deals with
>> > PaX markings.
>> >
>> > I welcome feedback.
>> >
>>
>>
>
> How do I play with RSBAC? There are nice wiki pages etc., but all the
> ebuilds are removed from portage?
>
> Regards:
> Cor

Hi,

https://bitbucket.org/igraltist/kiste

This is my private overlay, but there is an rsbac-admin ebuild in it.

Jens