From: "Anthony G. Basile" <blueness@gentoo.org>
To: Gentoo Development <gentoo-dev@lists.gentoo.org>
Subject: [gentoo-dev] Regarding the State of PaX in the tree
Date: Sun, 15 Apr 2018 20:04:43 -0400
Message-ID: <8afcc662-4ca4-bf0b-d23a-cba93746ed70@gentoo.org>
List-Id: Gentoo Linux mail <gentoo-dev@lists.gentoo.org>

Hi everyone,

Magnus (aka Zorry) and I have been talking about what to do with PaX in the Gentoo tree.
A year ago, grsecurity.net upstream stopped providing open versions of their patches to the community and this basically brought an end to sys-kernel/hardened-sources. I waited a while before masking the package in the hope that upstream might reconsider. There were also some forks but I didn't have much confidence in them. I'm not sure that any of these forks have been able to keep up past Meltdown/Spectre.

It may be time to remove sys-kernel/hardened-sources completely from the tree. Removing the package is easy, but the issue is there is a lot of machinery in the tree that revolves around supporting a PaX kernel. This involves things like setting PaX flags on some executables, either by touching the ELF program headers or the file's extended attributes, or applying custom patches.

The question then is, do we remove all this code? As things stand, it's just lint that serves no current purpose, so removing it would clean things up. The disadvantage is it would be a pita to ever restore it if we ever wanted it back.

While upstream doesn't provide their patch for free, some users/companies can purchase the grsecurity patches and still use a custom hardened-sources kernel with Gentoo. But since we haven't been able to test the PaX markings/custom patches in about a year, it's hard to say how useful that code might still be.

I'm just emailing everyone to get advice.

-- 
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail   : blueness@gentoo.org
GnuPG FP : 1FED FAD9 D82C 52A5 3BAB DC79 9384 FA6E F52D 4BBA
GnuPG ID : F52D4BBA
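The post mentions the two places Gentoo's PaX machinery writes markings: the ELF program header table and the file's extended attributes. The script below is an added example for readers who want to inspect either one; it is not part of the mailing-list post and not Gentoo's own paxctl or elfix code. The PT_PAX_FLAGS program-header type (0x65041580) and the PF_PAGEEXEC/PF_NOPAGEEXEC ... bit positions are the values from PaX's elf.h, and "user.pax.flags" is the xattr name the xattr-based marking uses; the six-column letter order and the minimal ELF64 image it parses offline are this example's own constructions.

```python
"""Read PaX markings from an ELF executable (added example, not from the
mailing-list post or from Gentoo's paxctl/elfix tools).

PaX flags live in one of two places, matching the two marking mechanisms
the post describes:
  * a PT_PAX_FLAGS program header (p_type 0x65041580) whose p_flags field
    carries PF_PAGEEXEC, PF_NOPAGEEXEC, ... bits (values from PaX's elf.h);
  * the "user.pax.flags" extended attribute, a short letter string such as
    "-m" or "Pem", which does not touch the ELF image at all.
"""
import errno
import os
import struct
import sys

PT_PAX_FLAGS = 0x65041580

# (enable bit, disable bit, letter) per feature. Letters follow the PaX
# convention (P PAGEEXEC, S SEGMEXEC, M MPROTECT, X RANDEXEC, E EMUTRAMP,
# R RANDMMAP); the column order below is this example's own choice.
PAX_FEATURES = (
    (1 << 4, 1 << 5, "P"),
    (1 << 6, 1 << 7, "S"),
    (1 << 8, 1 << 9, "M"),
    (1 << 10, 1 << 11, "X"),
    (1 << 12, 1 << 13, "E"),
    (1 << 14, 1 << 15, "R"),
)


def decode_pax_flags(p_flags):
    """Render PF_* bits as letters: upper = forced on, lower = forced off,
    '-' = left to the kernel default. Both bits set for one feature is a
    corrupt marking, so refuse it instead of silently picking one."""
    out = []
    for on, off, letter in PAX_FEATURES:
        if p_flags & on and p_flags & off:
            raise ValueError("contradictory PaX marking for %s" % letter)
        if p_flags & on:
            out.append(letter)
        elif p_flags & off:
            out.append(letter.lower())
        else:
            out.append("-")
    return "".join(out)


def pt_pax_flags_from_elf(data):
    """Return p_flags of the PT_PAX_FLAGS program header, or None if absent."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    end = "<" if ei_data == 1 else ">"
    if ei_class == 2:    # ELF64: e_phoff @0x20, e_phentsize/e_phnum @0x36
        (e_phoff,) = struct.unpack_from(end + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
        phdr_fmt, flags_idx = end + "IIQQQQQQ", 1   # p_type, p_flags, ...
    elif ei_class == 1:  # ELF32: e_phoff @0x1c, e_phentsize/e_phnum @0x2a
        (e_phoff,) = struct.unpack_from(end + "I", data, 0x1c)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x2a)
        phdr_fmt, flags_idx = end + "IIIIIIII", 6   # p_flags is the 7th field
    else:
        raise ValueError("bad EI_CLASS")
    for i in range(e_phnum):
        fields = struct.unpack_from(phdr_fmt, data, e_phoff + i * e_phentsize)
        if fields[0] == PT_PAX_FLAGS:
            return fields[flags_idx]
    return None


def xattr_pax_flags(path):
    """Return the user.pax.flags string, or None if the attribute is unset.
    Linux-only: os.getxattr does not exist on other platforms."""
    if not hasattr(os, "getxattr"):
        return None
    try:
        return os.getxattr(path, "user.pax.flags").decode("ascii").strip("\0")
    except OSError as exc:
        if exc.errno in (errno.ENODATA, errno.ENOTSUP):
            return None
        raise


def build_sample_elf64(p_flags, p_type=PT_PAX_FLAGS):
    """Constructed little-endian ELF64 image with one program header, used
    as offline sample input; it is not a real executable."""
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr = e_ident + struct.pack("<HHIQQQIHHHHHH",
                                 2, 0x3E, 1, 0, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", p_type, p_flags, 0, 0, 0, 0, 0, 8)
    return ehdr + phdr


def pax_markings(path):
    """Both markings for a file: (PT_PAX letters or None, xattr string or None)."""
    with open(path, "rb") as fh:
        data = fh.read()
    pt = pt_pax_flags_from_elf(data)
    return (decode_pax_flags(pt) if pt is not None else None, xattr_pax_flags(path))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(pax_markings(sys.argv[1]))
    else:
        img = build_sample_elf64((1 << 9) | (1 << 14))  # MPROTECT off, RANDMMAP on
        print(decode_pax_flags(pt_pax_flags_from_elf(img)))
```

Run it with a path to see both markings side by side, or with no argument to decode the constructed sample. The difference between the two mechanisms is what makes the post's "touching the ELF program headers" the heavier option: writing PT_PAX_FLAGS means paxctl has to find or convert a program header slot in the binary (it repurposes PT_GNU_STACK or appends one), whereas the xattr route leaves the file contents, and therefore its checksums and signatures, untouched. Note that reading a marking tells you only what the file asks for; without a PaX kernel the flags are inert, which is exactly the state the post describes.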