From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 0E23E1382C5 for ; Mon, 16 Apr 2018 12:32:11 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id F36C8E099E; Mon, 16 Apr 2018 12:32:04 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 9FA4BE0970 for ; Mon, 16 Apr 2018 12:32:03 +0000 (UTC) Received: from Anthonys-MacBook-Pro.local (cpe-67-247-195-186.buffalo.res.rr.com [67.247.195.186]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: blueness) by smtp.gentoo.org (Postfix) with ESMTPSA id 3A6DA335C63 for ; Mon, 16 Apr 2018 12:32:02 +0000 (UTC) Subject: Re: [gentoo-dev] Regarding the State of PaX in the tree To: gentoo-dev@lists.gentoo.org References: <8afcc662-4ca4-bf0b-d23a-cba93746ed70@gentoo.org> <20180416111433.7ea80289@pc1> From: "Anthony G. Basile" Openpgp: preference=signencrypt Message-ID: <2d1d9b97-184b-3636-d920-5d1cbadb624e@gentoo.org> Date: Mon, 16 Apr 2018 08:31:59 -0400 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:52.0) Gecko/20100101 Thunderbird/52.7.0 Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@lists.gentoo.org Reply-to: gentoo-dev@lists.gentoo.org MIME-Version: 1.0 In-Reply-To: <20180416111433.7ea80289@pc1> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit X-Archives-Salt: dc0fbb3b-928d-4556-8241-5ebaf6d1759d X-Archives-Hash: 4dc87ab8b995d93775277f2e51e6469a On 4/16/18 5:14 AM, Hanno Böck wrote: > Hi, > > I honestly don't see how it would be feasible to maintain a feature > that the developers maintaining it have access to. I think you're missing a negation in there. Point well taken though. > > I get that this whole pax-thing embodies a huge part of Gentoo history > and it may feel hard for some to let it go. But things are how they are. I agree, and we'll have it in our history if hardened-sources ever comes back. The only machinery we should keep is install-xattrs which grew out of the integration of xattr PaX markings but is useful beyond just PaX. > > Regarding the fork states: I followed up on minipli's fork, which > tried to maintain newer patches of grsec for LTS kernels, but that > essentially stopped after KPTI/meltdown/retpoline. From what I know > there's no public grsec patch with kpti or any spectre fixes, thus I > would very much say you're safer these days with an upstream kernel. > Correct. I would not use the old hardened-sources or minipli's fork on any production server. > I think the only realistic way this support can be upheld would be if > some people who have access to the grsec sources commit to making sure > that it is maintained. Upstream has never responded to any email I sent them. I had a brief discussion with spender when the decision came down, and he gave me what I interpreted as an "I'm sorry this is going to adversely affect you but it has to be this way." > > > There's also another question related to this: What's the future for > Gentoo hardened? > From what I can tell hardened consists of: > * the things that try to make it compatible with grsec/pax > (more or less obsolete). > * things that are now in default profiles anyway (aslr, stack > protector). > * things that probably should be in default profiles (relro, now linker > flags) > * -fstack-check, which should eventually be replaced with > -fstack-clash-protection (only available in future gcc's) and that > should probably also go into default profiles. > * Furthermore hardened disables some useful features due to their > incompatibility with pax (e.g. sanitizers). > > So it's stuff that either is obsolete or probably should be a candidate > for main profiles. Maybe we should strive for "hardened-by-default". > You're forgetting selinux. Most of Zorry's work has made it into gcc and is now being enabled by our default toolchain. Some kernel features have also been improved upstream. With upstream carrying a lot of the work we did, I think 'hardened-by-default' minus selinux should be the goal of Gentoo. -- Anthony G. Basile, Ph.D. Gentoo Linux Developer [Hardened] E-Mail : blueness@gentoo.org GnuPG FP : 1FED FAD9 D82C 52A5 3BAB DC79 9384 FA6E F52D 4BBA GnuPG ID : F52D4BBA