On Fri, 2017-06-23 at 19:09 +0200, Javier Juan Martinez Cabezon wrote:
> Have you thought about using another alternative apart from grsec as the
> kernel-side solution? PaX is PaX, it's a great loss, but rsbac and selinux
> have their w or x, almost all CPUs today have the NX bit and reduce the
> need for PageExec/SegmExec, and I think that there exist some gcc plugins
> with PaX-alike functions.
>
> rsbac has their git public and selinux is in vanilla. Maybe you could
> consider using the rsbac git kernel as the hardened-sources new kernel-land
> solution, but I have not tested selinux under this kernel.
>
> Under rsbac, PaX userland is not needed; MPROTECT controls it and can be
> switched individually in kernel land because it is something like a
> request under rsbac. Not all functions of PaX, but good enough in my
> opinion.
>
> On 23/06/17 18:28, Anthony G. Basile wrote:
> >
> > Hi everyone,
> >
> > Since late April, grsecurity upstream has stopped making their patches
> > available publicly. Without going into details, the reason for their
> > decision revolves around disputes about how their patches were being
> > (ab)used.
> >
> > Since the grsecurity patch formed the main core of our hardened-sources
> > kernel, their decision has serious repercussions for the Hardened Gentoo
> > project. I will no longer be able to support hardened-sources and will
> > have to eventually mask and remove it from the tree.
> >
> > Hardened Gentoo has two sides to it, kernel hardening (done via
> > hardened-sources) and toolchain/executable hardening. The two are
> > interrelated but independent enough that toolchain hardening can
> > continue on its own. The hardened kernel, however, provided PaX
> > protection for executables and this will be lost. We did a lot of work
> > to properly maintain PaX markings in our package management system and
> > there was no part of Gentoo that wasn't touched by issues stemming from
> > PaX support.
> >
> > I waited two months before saying anything because the reasons were more
> > of a political nature than some technical issue. At this point, I think
> > it's time to let the community know about the state of affairs with
> > hardened-sources.
> >
> > I can no longer get into the #grsecurity/OFTC channel (nothing personal,
> > they kicked everyone), and so I have not spoken to spengler or pipacs.
> > I don't know if they will ever release grsecurity patches again.
> >
> > My plan then is as follows. I'll wait one more month and then send out
> > a news item and later mask hardened-sources for removal. I don't
> > recommend we remove any of the machinery from Gentoo that deals with PaX
> > markings.
> >
> > I welcome feedback.
> >
>
>

How do I play with RSBAC? There are nice wiki pages etc., but all the
ebuilds are removed from portage?

Regards:
Cor