From: Miroslav Rovis <miro.rovis@croatiafidelis.hr>
To: Mathias Krause <minipli@googlemail.com>
Cc: gentoo-hardened@lists.gentoo.org, Luis Ressel <aranea@aixah.de>
Subject: Re: [gentoo-hardened] Technical repercussions of grsecurity removal
Date: Mon, 8 May 2017 22:49:12 +0200
Message-ID: <20170508204912.GA15294@g0n.xdwgrp>
In-Reply-To: <CA+rthh99+ixNwpTWjMCc3ksSGzP-=CzaJj7fS1HF7UKWmV5ZKw@mail.gmail.com>
(thanks also to Luis Ressel for clarifications in the other email)

(I'm only top posting because this reply of mine has no particularities
to place it btwn any lines further below. Otherwise, I don't top post.)

Mathias, I only wish to thank you for the quick reply and the tips
below. And all my hopes are in you and your team/your contributors
(I'm sure there will be great libre people congregating on
linux-unofficial_grsec these days and weeks ahead, and longer). Make it
as libre as possible! Keep fixing the kernel that Mr Linux wouldn't make
secure... Yes, he and his comrades from big business caused this rift.
I don't blame spender and PaX Team either....

And about ebuild making, I'll try my best and if I don't break apart in
unsuccessful trying, I'll be back with an ebuild to discuss. Or if
anybody from Gentoo hardened cares, they can teach us how to do the
Gentoo details.

(no more new text, only my signature in bottom)

On 170508-22:07+0200, Mathias Krause wrote:
> On 8 May 2017 at 20:08, Miroslav Rovis <miro.rovis@croatiafidelis.hr> wrote:
> > [...]
> > But I saw the other link that gives me some hope:
> >
> > Unofficial forward ports of the last publicly available grsecurity patch
> > https://github.com/minipli/linux-unofficial_grsec/tree/linux-4.9.x-unofficial_grsec
> >
> > which I cloned into my machine. (And I have just spent hours trying to
> > fix an ebuild in my custom overlay and install it in my machine, to no
> > avail so far, and I'm at the end of my forbearance... A little more below.)
> >
> > And I wonder:
> >
> > 1) Are there any guides for non-programmers how to install the:
> >
> > Merge tag 'v4.9.26' into linux-4.9.x-unofficial_grsec
> > https://github.com/minipli/linux-unofficial_grsec/commit/bb9fb983874810ca4167430508e06975af700824?diff=unified
>
> See below.
>
> > [...]
> >
> > 2) How can I check the integrity? I can:
>
> You figured that one already ;)
>
> > [...]
> > The README.md is plain readme from the kernel, no mention of grsec at
> > all...
>
> ...as it used to be the case for the official grsec patch. So nothing
> has changed here. ;) But I can understand your concerns. If you're
> used to getting a patch and have to use a git repo now, it's not
> intuitive on *how* to make use of it. But, again, see below...
>
> >
> > Where do I get some tips how to install? I do have the git sources, they
> > verify fine... I will, hopefully, keep strong and keep trying, but I'm
> > not so very sure I am able to craft an ebuild that would work and that
> > would install with the local git linux-unofficial_grsec repo...
>
> I'm not familiar with the gentoo ebuild based package system but I
> guess patches integrate more smoothly than git repositories do. So
> here's how you generate a patch for the unofficial port for v4.9.27
> (just pushed ;):
>
> $ git remote update
> [update log foo]
> $ git diff v4.9.27..v4.9.27-unofficial_grsec > ~/unofficial_grsec-v4.9.27.diff
>
> If you don't want to clone the git repo you can fetch the patch
> directly via the github web interface:
>
> $ curl https://github.com/minipli/linux-unofficial_grsec/compare/v4.9.27...v4.9.27-unofficial_grsec.diff \
>     > ~/unofficial_grsec-v4.9.27.diff
>
> The pattern should be intuitive: just change "v4.9.27" for the kernel
> version you want to get a patch for (v4.9.25 to v4.9.27 so far).
>
> The generated patch can be applied on a vanilla Linux v4.9.27 as usual
> to generate the unofficial grsec kernel.
>
> I hope this helps!
>
> Cheers,
> Mathias
Regards!
--
Miroslav Rovis
Zagreb, Croatia
https://www.CroatiaFidelis.hr
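
The patch workflow from the quoted reply, as an added example that is not part of the original thread or of the linux-unofficial_grsec project: it generates the diff between the two tags and then confirms that a given patch file (locally generated or downloaded) reproduces exactly the tree of the `-unofficial_grsec` tag when applied to the vanilla tag. The function names are hypothetical and the two-commit repository is a constructed stand-in for a real clone; only the tag naming pattern comes from the thread.

```shell
#!/bin/sh
# Constructed stand-in repo with the two tags the thread's pattern expects.
make_demo_repo() {
    r=$1
    id="-c user.name=demo -c user.email=demo@example.invalid"
    git init -q "$r"
    printf 'int x;\n' > "$r/a.c"
    git -C "$r" add -A && git -C "$r" $id commit -q -m vanilla
    git -C "$r" tag v4.9.27
    printf 'int x;\nint hardened;\n' > "$r/a.c"
    printf 'new file\n' > "$r/b.c"
    git -C "$r" add -A && git -C "$r" $id commit -q -m port
    git -C "$r" tag v4.9.27-unofficial_grsec
}

# make_patch REPO VERSION OUT: same git diff as in the thread, for any version.
make_patch() {
    git -C "$1" diff "v$2..v$2-unofficial_grsec" > "$3"
}

# verify_patch REPO VERSION PATCH (absolute path): apply PATCH to a scratch
# checkout of the vanilla tag and compare the resulting tree hash with the
# tree of the port tag. Returns 0 only on an exact match.
verify_patch() {
    repo=$1 ver=$2 patch=$3
    work=$(mktemp -d) || return 2
    rc=1
    if git clone -q "$repo" "$work/tree" &&
       git -C "$work/tree" checkout -q "v$ver" &&
       git -C "$work/tree" apply --index "$patch"; then
        want=$(git -C "$work/tree" rev-parse "v$ver-unofficial_grsec^{tree}")
        got=$(git -C "$work/tree" write-tree)
        [ "$got" = "$want" ] && rc=0
    fi
    rm -rf "$work"
    return $rc
}

# Demo run on the constructed repository.
demo=$(mktemp -d)
make_demo_repo "$demo/repo"
make_patch "$demo/repo" 4.9.27 "$demo/grsec.diff"
verify_patch "$demo/repo" 4.9.27 "$demo/grsec.diff" &&
    echo "patch reproduces the v4.9.27-unofficial_grsec tree"
```

Because the comparison is on git tree hashes, a patch that applies cleanly but differs in a single added line is rejected, which makes `verify_patch` a way to vet a diff fetched over the web against a local clone.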