Gentoo Archives: gentoo-hardened

From: Cor Legemaat <cor@××××××.net>
To: gentoo-hardened@l.g.o
Subject: Re: [gentoo-hardened] The status of grsecurity upstream and hardened-sources downstream
Date: Mon, 24 Jul 2017 16:47:05
Message-Id: 1500914802.4868.17.camel@cor.za.net
In Reply to: Re: [gentoo-hardened] The status of grsecurity upstream and hardened-sources downstream by Javier Juan Martinez Cabezon
On Fri, 2017-06-23 at 19:09 +0200, Javier Juan Martinez Cabezon wrote:
> Have you thought of using another alternative apart from grsec as the
> kernel-side solution? PaX is PaX, it's a great loss, but rsbac and selinux
> have their w or x, almost all CPUs today have an NX bit, which reduces the
> need for PageExec/SegmExec, and I think that there exist some gcc plugins
> with PaX-like functions.
>
> rsbac has their git public and selinux is in vanilla. Maybe you could
> consider using the rsbac git kernel as the hardened-sources new kernel-land
> solution, but I have not tested selinux under this kernel.
>
> Under rsbac the PaX userland is not needed; MPROTECT controls it and can be
> switched individually in kernel land because it is something like a
> request under rsbac. Not all functions of PaX, but good enough in my
> opinion.
>
> On 23/06/17 18:28, Anthony G. Basile wrote:
> >
> > Hi everyone,
> >
> > Since late April, grsecurity upstream has stopped making their patches
> > available publicly.  Without going into details, the reason for their
> > decision revolves around disputes about how their patches were being
> > (ab)used.
> >
> > Since the grsecurity patch formed the main core of our hardened-sources
> > kernel, their decision has serious repercussions for the Hardened Gentoo
> > project.  I will no longer be able to support hardened-sources and will
> > have to eventually mask and remove it from the tree.
> >
> > Hardened Gentoo has two sides to it, kernel hardening (done via
> > hardened-sources) and toolchain/executable hardening.  The two are
> > interrelated but independent enough that toolchain hardening can
> > continue on its own.  The hardened kernel, however, provided PaX
> > protection for executables and this will be lost.  We did a lot of work
> > to properly maintain PaX markings in our package management system and
> > there was no part of Gentoo that wasn't touched by issues stemming from
> > PaX support.
> >
> > I waited two months before saying anything because the reasons were more
> > of a political nature than some technical issue.  At this point, I think
> > it's time to let the community know about the state of affairs with
> > hardened-sources.
> >
> > I can no longer get into the #grsecurity/OFTC channel (nothing personal,
> > they kicked everyone), and so I have not spoken to spengler or pipacs.
> > I don't know if they will ever release grsecurity patches again.
> >
> > My plan then is as follows.  I'll wait one more month and then send out
> > a news item and later mask hardened-sources for removal.  I don't
> > recommend we remove any of the machinery from Gentoo that deals with PaX
> > markings.
> >
> > I welcome feedback.
> >
>
>

How do I play with RSBAC? There are nice wiki pages etc., but all the
ebuilds are removed from portage.

Regards:
Cor
