Re: [gentoo-dev] Regarding the State of PaX in the tree

[Francesco Riosa <vivo75@gmail.com>]

Il 16/04/2018 14:31, Anthony G. Basile ha scritto:
> On 4/16/18 5:14 AM, Hanno Böck wrote:
[snip]
>
>>
>> There's also another question related to this: What's the future for
>> Gentoo hardened?
>> From what I can tell hardened consists of:
>> * the things that try to make it compatible with grsec/pax
>>   (more or less obsolete).
>> * things that are now in default profiles anyway (aslr, stack
>>   protector).
>> * things that probably should be in default profiles (relro, now linker
>>   flags)
>> * -fstack-check, which should eventually be replaced with
>>   -fstack-clash-protection (only available in future gcc's) and that
>>   should probably also go into default profiles.
>> * Furthermore hardened disables some useful features due to their
>>   incompatibility with pax (e.g. sanitizers).
>>
>> So it's stuff that either is obsolete or probably should be a candidate
>> for main profiles. Maybe we should strive for "hardened-by-default".
>>
> You're forgetting selinux.  Most of Zorry's work has made it into gcc
> and is now being enabled by our default toolchain.  Some kernel features
> have also been improved upstream.  With upstream carrying a lot of the
> work we did, I think 'hardened-by-default' minus selinux should be the
> goal of Gentoo.
>
Hardened had strong impact in some workflows, surpassing 10%.
Overhead could be acceptable in some situation but unwanted in others,
main profiles are obscure and difficult to change for most.
For this reason I'd like to ask to carefully evaluate if a security
feature can be enabled without suddently change the behaviour (worse
performances) of a machine running Gentoo.
Instead it would be good to have a guide on how to further harden any
profile.
If the hardening at any cost argument wins however we MUST have a guide
on ho to disable at least the most impactful options.