Have you thought of using another alternative to grsec as the kernel-side
solution? PaX is PaX, and it's a great loss, but RSBAC and SELinux have their
W^X, almost all CPUs today have the NX bit, which reduces the need for
PageExec/SegmExec, and I think there are some gcc plugins with PaX-like
functions.

RSBAC has its git public and SELinux is in vanilla. Maybe you could
consider using the RSBAC git kernel as the new hardened-sources kernel-land
solution, but I have not tested SELinux under this kernel.

Under RSBAC the PaX userland is not needed; MPROTECT controls it and can be
switched individually in kernel land because it is something like a
request under RSBAC. Not all functions of PaX, but good enough in my opinion.

On 23/06/17 18:28, Anthony G. Basile wrote:
> Hi everyone,
>
> Since late April, grsecurity upstream has stopped making their patches
> available publicly. Without going into details, the reason for their
> decision revolves around disputes about how their patches were being
> (ab)used.
>
> Since the grsecurity patch formed the main core of our hardened-sources
> kernel, their decision has serious repercussions for the Hardened Gentoo
> project. I will no longer be able to support hardened-sources and will
> have to eventually mask and remove it from the tree.
>
> Hardened Gentoo has two sides to it, kernel hardening (done via
> hardened-sources) and toolchain/executable hardening. The two are
> interrelated but independent enough that toolchain hardening can
> continue on its own. The hardened kernel, however, provided PaX
> protection for executables and this will be lost. We did a lot of work
> to properly maintain PaX markings in our package management system and
> there was no part of Gentoo that wasn't touched by issues stemming from
> PaX support.
>
> I waited two months before saying anything because the reasons were more
> of a political nature than some technical issue. At this point, I think
> it's time to let the community know about the state of affairs with
> hardened-sources.
>
> I can no longer get into the #grsecurity/OFTC channel (nothing personal,
> they kicked everyone), and so I have not spoken to spengler or pipacs.
> I don't know if they will ever release grsecurity patches again.
>
> My plan then is as follows. I'll wait one more month and then send out
> a news item and later mask hardened-sources for removal. I don't
> recommend we remove any of the machinery from Gentoo that deals with PaX
> markings.
>
> I welcome feedback.
>