From: R0b0t1
Date: Sun, 15 Apr 2018 20:25:10 -0500
Subject: Re: [gentoo-dev] Regarding the State of PaX in the tree
To: gentoo-dev@lists.gentoo.org, blueness@gentoo.org
In-Reply-To: <8afcc662-4ca4-bf0b-d23a-cba93746ed70@gentoo.org>
References: <8afcc662-4ca4-bf0b-d23a-cba93746ed70@gentoo.org>

On Sun, Apr 15, 2018 at 7:04 PM, Anthony G. Basile wrote:
> Hi everyone,
>
> Magnus (aka Zorry) and I have been talking about what to do with PaX in
> the Gentoo tree. A year ago, grsecurity.net upstream stopped providing
> open versions of their patches to the community and this basically
> brought an end to sys-kernel/hardened-sources. I waited a while before
> masking the package in the hope that upstream might reconsider. There
> were also some forks but I didn't have much confidence in them. I'm not
> sure that any of these forks have been able to keep up past
> Meltdown/Spectre.
>
> It may be time to remove sys-kernel/hardened-sources completely from the
> tree. Removing the package is easy, but the issue is there is a lot of
> machinery in the tree that revolves around supporting a PaX kernel.
> This involves things like setting PaX flags on some executables either
> by touching the ELF program headers or the file's extended attributes,
> or applying custom patches.
>
> The question then is, do we remove all this code? As things stand, it's
> just lint that serves no current purpose, so removing it would clean
> things up. The disadvantage is it would be a pita to ever restore it if
> we ever wanted it back. While upstream doesn't provide their patch for
> free, some users/companies can purchase the grsecurity patches and still
> use a custom hardened-sources kernel with Gentoo. But since we haven't
> been able to test the pax markings/custom patches in about a year, it's
> hard to say how useful that code might still be.
>
> I'm just emailing everyone to get advice.
>

I retain hope that compatible features will be added to the kernel.
Consequently, I would appreciate it if the machinery can be left. If it
becomes a maintenance burden in the future I suspect that would be a good
time to remove it.

Cheers,
     R0b0t1
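The pax-markings machinery the quoted message refers to works by writing a PT_PAX_FLAGS program header (or a user.pax.flags xattr) onto an executable. As an added example that is not from this thread or from Gentoo's tooling, the Python below builds a constructed ELF64 image carrying such a header and decodes its flag bits into per-feature state, using the header type and bit positions defined in the PaX patch's elf.h; an auditor checking which markings a tree still carries could run find_pax_flags over real binaries the same way.

```python
import struct

# Constants from the PaX patch's elf.h: the PT_PAX_FLAGS program header type and
# the bit position of each feature's "enable" flag (its "disable" flag is bit+1).
PT_PAX_FLAGS = 0x65041580
PAX_FLAG_BITS = {
    "PAGEEXEC": 4, "SEGMEXEC": 6, "MPROTECT": 8,
    "RANDEXEC": 10, "EMUTRAMP": 12, "RANDMMAP": 14,
}

def decode_pax_flags(p_flags):
    """Map PT_PAX_FLAGS p_flags bits to a per-feature state string."""
    state = {}
    for name, bit in PAX_FLAG_BITS.items():
        on, off = bool(p_flags & (1 << bit)), bool(p_flags & (1 << (bit + 1)))
        if on and off:
            state[name] = "conflict"   # both bits set: PaX treats the header as invalid
        elif on:
            state[name] = "enabled"
        elif off:
            state[name] = "disabled"
        else:
            state[name] = "default"    # neither bit: the kernel/sysctl default applies
    return state

def find_pax_flags(elf):
    """Return p_flags of the PT_PAX_FLAGS header in a little-endian ELF64 image, or None."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    (e_phoff,) = struct.unpack_from("<Q", elf, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x36)
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", elf, e_phoff + i * e_phentsize)
        if p_type == PT_PAX_FLAGS:
            return p_flags
    return None

def build_sample_elf(pax_flags):
    """Construct a minimal x86-64 ELF image: one PT_LOAD plus one PT_PAX_FLAGS header."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # ELF64, LE, version 1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0, 64, 0, 0, 64, 56, 2, 64, 0, 0)
    load = struct.pack("<IIQQQQQQ", 1, 5, 0, 0, 0, 0, 0, 0x1000)          # PT_LOAD, R+X
    pax = struct.pack("<IIQQQQQQ", PT_PAX_FLAGS, pax_flags, 0, 0, 0, 0, 0, 0)
    return ehdr + load + pax

# Constructed sample marking: MPROTECT disabled (bit 9), EMUTRAMP enabled (bit 12).
SAMPLE = build_sample_elf((1 << 9) | (1 << 12))

if __name__ == "__main__":
    print(decode_pax_flags(find_pax_flags(SAMPLE)))
```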