From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id E48891382C5 for ; Mon, 16 Apr 2018 12:21:00 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id A949CE09A8; Mon, 16 Apr 2018 12:20:54 +0000 (UTC) Received: from smtp.gentoo.org (dev.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 5341EE0969 for ; Mon, 16 Apr 2018 12:20:54 +0000 (UTC) Received: from Anthonys-MacBook-Pro.local (cpe-67-247-195-186.buffalo.res.rr.com [67.247.195.186]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: blueness) by smtp.gentoo.org (Postfix) with ESMTPSA id B8F8A335C8C for ; Mon, 16 Apr 2018 12:20:52 +0000 (UTC) Subject: Re: [gentoo-dev] Regarding the State of PaX in the tree To: gentoo-dev@lists.gentoo.org References: <8afcc662-4ca4-bf0b-d23a-cba93746ed70@gentoo.org> <1523858805.1411.3.camel@gentoo.org> <23252.20283.611961.226620@a1i15.kph.uni-mainz.de> From: "Anthony G. Basile" Openpgp: preference=signencrypt Message-ID: Date: Mon, 16 Apr 2018 08:20:50 -0400 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:52.0) Gecko/20100101 Thunderbird/52.7.0 Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@lists.gentoo.org Reply-to: gentoo-dev@lists.gentoo.org MIME-Version: 1.0 In-Reply-To: <23252.20283.611961.226620@a1i15.kph.uni-mainz.de> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit X-Archives-Salt: 7499b667-9af3-4cac-ac2f-546c9fd49f7d X-Archives-Hash: 0283ed6004111127e0e575cc912feff1 On 4/16/18 3:22 AM, Ulrich Mueller wrote: >>>>>> On Mon, 16 Apr 2018, Michał Górny wrote: > >> W dniu nie, 15.04.2018 o godzinie 20∶04 -0400, użytkownik >> Anthony G. Basile napisał: >>> The question then is, do we remove all this code? As thing stands, >>> its just lint that serves no current purpose, so removing it would >>> clean things up. The disadvantage is it would be a pita to ever >>> restore it if we ever wanted it back. While upstream doesn't >>> provide their patch for free, some users/companies can purchase the >>> grsecurity patches and still use a custom hardened-sources kernel >>> with Gentoo. But since we haven't been able to test the pax >>> markings/custom patches in about a year, its hard to say how useful >>> that code might still be. > > For Emacs, hardened support was quite a headache in the past, due to > its unexec mechanism; see bugs 285778, 411439, 426394, 456970, 497498, > 515122, 529172, their duplicates, and the upstream bugs linked from > them. We cannot safely assume that any new (hardened kernel, or Emacs) > version will work out of the box. Therefore, I am inclined to either > remove the pax_kernel flag from my ebuilds, or to package.use.mask it > at least, in order to make clear that this is no longer a supported > configuration. > I was thinking particularly of emacs when I wrote this. So now not only do we have those headaches, but no way to maintain them properly. For emacs, I would just remove the pax stuff entirely and if hardened-sources ever comes back, we would then deal accordingly. >> One thing Hardened project should do is make a clear statement to >> other developers -- i.e. indicate whether I should CC hardened@ when >> someone has PaX problems and doesn't provide a patch, or just close >> the bug saying that we can't solve it without a patch. > > I would even go one step further and tell people to sort things out > with upstream. First, because I cannot reasonably upstream patches for > an unsupported configuration that I cannot test. Second, since they > have purchased the grsecurity patches, they should also ask grsecurity > for support. Why should I as an unpaid volunteer spend my time on it? > This pretty much sums up my sentiment. I want to add here that I'm upset with upstream's decision. For years we fixed many userland programs that would otherwise have remained useless with their hardening. I also worked to move the PaX flags from the elf program headers (where it sometimes broke stuff) to the much safer xattrs. grsecurity.net benefited from all this work and then threw us under the bus in their fight with whoever was abusing the license. Most unfair. > Ulrich > -- Anthony G. Basile, Ph.D. Gentoo Linux Developer [Hardened] E-Mail : blueness@gentoo.org GnuPG FP : 1FED FAD9 D82C 52A5 3BAB DC79 9384 FA6E F52D 4BBA GnuPG ID : F52D4BBA