From: Miroslav Rovis
To: gentoo-hardened@lists.gentoo.org
Cc: minipli@googlemail.com
Date: Mon, 8 May 2017 20:08:07 +0200
Subject: Re: [gentoo-hardened] Technical repercussions of grsecurity removal
Message-ID: <20170508180807.GA18570@g0n.xdwgrp>
References: <20170501093843.GA927@gentoo.org> <20170501132854.98400aa781d29f13457dacd1@gentoo.org> <20170501135808.GA644@gentoo.org> <29deca69-e059-feaf-a312-b0ae53e9610a@riseup.net>
On 170502-10:28+0200, Daniel Cegiełka wrote:
> https://wiki.gentoo.org/wiki/Hardened/Hardened_Kernel_Project
>
> It closes the topic of our discussion.
>

And I read all the discussion in gentoo-hardened in regard.

First, I'm a user[1], and I'm trying to continue to keep safe and secure as I used to be with grsec/PaX.

I figured out only yesterday about this almost two weeks old news, and I guess the then 10+ days old (slightly) unmaintained kernel 4.9.24-hardened (and there won't be any updates, correct?), may have contributed to my woes[2]:

# ls -ABRgo /usr/portage/sys-kernel/hardened-sources/
...
-rw-r--r-- 1 47449 2016-12-17 02:21 ChangeLog
...
-rw-r--r-- 1  1316 2017-04-22 18:18 hardened-sources-4.9.24.ebuild
...
#

And really since late in 2016 no more entries in the Changelog.

Pls. note that I'm only stating the facts, not complaining. I really wish I learn myself and be able to contribute; actually I have occasionally contributed, marginally, to the hardened project, with testing.

> worth reading:
>
> http://openwall.com/lists/kernel-hardening/2017/05/01/5
>
> http://openwall.com/lists/kernel-hardening/2017/05/02/4

And these should not be missed:

It looks like there will be no more public versions of PaX and Grsec
http://openwall.com/lists/kernel-hardening/2017/05/04/20
( Shawn's collection of links there are an eye-opener, esp. this one link which, to me, feels like sacrilege:
https://mjg59.dreamwidth.org/39546.html
about Karen Sandler, the executive director of the Software Freedom Conservancy, by sly means prevented to stand for LF board )

and:

< same subject >
http://openwall.com/lists/kernel-hardening/2017/05/02/14
( where find what "is... unappealing." )

> this means:
>
> * KSPP means that keeping PaX for >4.9 will be difficult and painful,
> as I pointed out previously
> * NSA SELinux instead PAX MPROTECT? I hope this is a joke.

It looks like one, at first sight, but there are half a dozen "NSA SELinux" instances to be found in the latest hardened-sources.

# grep 'NSA SE' /usr/src/linux/security/selinux/Kconfig
	bool "NSA SELinux Support"
...
#
(where linux is a hardened-sources installation)

If hardened would be down to SELinux, I wouldn't be hardening any more.

> alternatives: RSBAC
>
...

But I saw the other link that gives me some hope:

Unofficial forward ports of the last publicly available grsecurity patch
https://github.com/minipli/linux-unofficial_grsec/tree/linux-4.9.x-unofficial_grsec

which I cloned into my machine. (And I have just spent hours trying to fix an ebuild in my custom overlay and install it in my machine, to no avail so far, and I'm at the end of my forbearance... A little more below.)
And I wonder:

1) Are there any guides for non-programmers how to install the:
Merge tag 'v4.9.26' into linux-4.9.x-unofficial_grsec
https://github.com/minipli/linux-unofficial_grsec/commit/bb9fb983874810ca4167430508e06975af700824?diff=unified

UPDATE (at proofreading time: Matheus, thanks! You just PGP-signed the new tag [3], reader, skip 16 lines )

2) How can I check the integrity? I can:

$ git tag --verify v4.9.26
object d071951e08ee23cd725c2336d7ab4582bb93b0af
type commit
tag v4.9.26
tagger Greg Kroah-Hartman 1493825816 -0700
...
$

but I can not verify Mathias Krause's commit. Pls. minipli, can you start PGP-signing... [cut more text, because you have :) ]

(Continue reading, issues left here, this is the "little more below" I mentioned above.)

The README.md is plain readme from the kernel, no mention of grsec at all... Where do I get some tips how to install? I do have the git sources, they verify fine... I will, hopefully, keep strong and keep trying, but I'm not so very sure I am able to craft an ebuild that would work and that would install with the local git linux-unofficial_grsec repo...

I suspect the [2] below was because my kernel wasn't updated... and I do feel a little insecure at this time...

---
[1] but I can understand the issues the developers have. I have some understanding of programming, and the politics with and around FOSS is easy to understand, given time and info.
[2] Strange script planted with Bash
https://www.croatiafidelis.hr/foss/cap/cap-170504-strange-bash/
and:
Inconsistent behavior in my Gentoo OS instance
https://lists.gt.net/gentoo/user/325985#325985

[3]
$ git tag --verify v4.9.26-unofficial_grsec
object bb9fb983874810ca4167430508e06975af700824
type commit
tag v4.9.26-unofficial_grsec
tagger Mathias Krause 1494181910 +0200

This is the unofficial forward port of grsecurity-3.1-4.9.24-201704252333.patch to v4.9.26
gpg: Signature made Sun 07 May 2017 20:32:02 CEST
gpg:                using RSA key 7585399992435BA4
gpg: Good signature from "Mathias Krause " [unknown]
...
Primary key fingerprint: 7629 8B5B B60E DAD2 1B36 2E66 7585 3999 9243 5BA4

Regards!
--
Miroslav Rovis
Zagreb, Croatia
https://www.CroatiaFidelis.hr
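A check that goes one step beyond reading "Good signature" by eye, as an added example that is not part of the mail or of the linux-unofficial_grsec repository: it takes the output of `git verify-tag --raw -v TAG 2>&1` (gpg's machine-readable status lines rather than the human-readable text quoted in footnote [3]) and accepts the tag only when the signature is good, the signer's primary-key fingerprint equals the one pinned from footnote [3], and the tag points at the expected commit. The transcripts in the block are constructed; e-mail addresses are omitted and the second signer's fingerprint is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the mail or from linux-unofficial_grsec.
# Input: output of `git verify-tag --raw -v TAG 2>&1` (tag object on stdout,
# gpg "[GNUPG:]" status lines on stderr). gpg reports a good signature for any
# key it can find, even an unknown one (the "[unknown]" in the mail), so the
# check below also pins the signer's primary-key fingerprint and the commit.

# Mathias Krause's fingerprint as quoted in the mail, spaces removed.
PINNED_FPR=76298B5BB60EDAD21B362E667585399992435BA4

# verify_tag_transcript TRANSCRIPT EXPECTED_COMMIT -> 0 only if all checks pass
verify_tag_transcript() {
    transcript=$1
    expected=$2
    # "object <sha>" in the tag header is the commit the tag points at.
    object=$(printf '%s\n' "$transcript" | awk '$1 == "object" { print $2; exit }')
    # Last field of VALIDSIG is the primary key fingerprint (field 3 may be a subkey).
    sigfpr=$(printf '%s\n' "$transcript" |
        awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }')
    if printf '%s\n' "$transcript" | grep -q '^\[GNUPG:\] BADSIG'; then
        echo "FAIL: bad signature"; return 1
    fi
    if ! printf '%s\n' "$transcript" | grep -q '^\[GNUPG:\] GOODSIG'; then
        echo "FAIL: no good signature"; return 1
    fi
    if [ "$sigfpr" != "$PINNED_FPR" ]; then
        echo "FAIL: signer ${sigfpr:-unknown} is not the pinned key"; return 1
    fi
    if [ "$object" != "$expected" ]; then
        echo "FAIL: tag points at ${object:-nothing}, expected $expected"; return 1
    fi
    echo "OK: $object signed by $sigfpr"
}

# Constructed transcript mirroring footnote [3] (e-mail addresses omitted).
GOOD_TRANSCRIPT='object bb9fb983874810ca4167430508e06975af700824
type commit
tag v4.9.26-unofficial_grsec
tagger Mathias Krause 1494181910 +0200

This is the unofficial forward port of grsecurity-3.1-4.9.24-201704252333.patch to v4.9.26
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 7585399992435BA4 Mathias Krause
[GNUPG:] VALIDSIG 76298B5BB60EDAD21B362E667585399992435BA4 2017-05-07 1494181922 0 4 0 1 8 00 76298B5BB60EDAD21B362E667585399992435BA4
[GNUPG:] TRUST_UNDEFINED 0 pgp'
# Constructed: the same tag re-signed by some other key (placeholder fingerprint).
OTHER_KEY_TRANSCRIPT=$(printf '%s\n' "$GOOD_TRANSCRIPT" |
    sed 's/76298B5BB60EDAD21B362E667585399992435BA4/1111111111111111111111111111111111111111/g; s/7585399992435BA4/1111111111111111/')

verify_tag_transcript "$GOOD_TRANSCRIPT" bb9fb983874810ca4167430508e06975af700824
verify_tag_transcript "$OTHER_KEY_TRANSCRIPT" bb9fb983874810ca4167430508e06975af700824
```

The second call fails on the fingerprint check even though gpg still reported GOODSIG, which is the case a bare "Good signature" read-out would miss.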