From: Miroslav Rovis
To: Mathias Krause
Cc: gentoo-hardened@lists.gentoo.org, Luis Ressel
Subject: Re: [gentoo-hardened] Technical repercussions of grsecurity removal
Date: Mon, 8 May 2017 22:49:12 +0200
Message-ID: <20170508204912.GA15294@g0n.xdwgrp>
References: <20170501093843.GA927@gentoo.org> <20170501132854.98400aa781d29f13457dacd1@gentoo.org> <20170501135808.GA644@gentoo.org> <29deca69-e059-feaf-a312-b0ae53e9610a@riseup.net> <20170508180807.GA18570@g0n.xdwgrp>
User-Agent: Mutt/1.8.2 (2017-04-18)

(thanks also to Luis Ressel for clarifications in the other email)

(I'm only top posting because this reply of mine has no particularities to place it between any lines further below. Otherwise, I don't top post.)

Mathias,

I only wish to thank you for the quick reply and the tips below. And all my hopes are in you and your team/your contributors (I'm sure there will be great libre people congregating on linux-unofficial_grsec these days and weeks ahead, and longer). Make it as libre as possible! Keep fixing the kernel that Mr Linux wouldn't make secure... Yes, he and his comrades from big business caused this rift. I don't blame spender and PaX Team either...
And about ebuild making, I'll try my best and if I don't break apart in unsuccessful trying, I'll be back with an ebuild to discuss. Or if anybody from Gentoo hardened cares, they can teach us how to do the Gentoo details.

(no more new text, only my signature at the bottom)

On 170508-22:07+0200, Mathias Krause wrote:
> On 8 May 2017 at 20:08, Miroslav Rovis wrote:
> > [...]
> > But I saw the other link that gives me some hope:
> >
> > Unofficial forward ports of the last publicly available grsecurity patch
> > https://github.com/minipli/linux-unofficial_grsec/tree/linux-4.9.x-unofficial_grsec
> >
> > which I cloned into my machine. (And I have just spent hours trying to
> > fix an ebuild in my custom overlay and install it in my machine, to no
> > avail so far, and I'm at the end of my forbearance... A little more below.)
> >
> > And I wonder:
> >
> > 1) Are there any guides for non-programmers how to install the:
> >
> > Merge tag 'v4.9.26' into linux-4.9.x-unofficial_grsec
> > https://github.com/minipli/linux-unofficial_grsec/commit/bb9fb983874810ca4167430508e06975af700824?diff=unified
>
> See below.
>
> > [...]
> >
> > 2) How can I check the integrity? I can:
>
> You figured that one already ;)
>
> > [...]
> > The README.md is plain readme from the kernel, no mention of grsec at
> > all...
>
> ...as it used to be the case for the official grsec patch. So nothing
> has changed here. ;) But I can understand your concerns. If you're
> used to getting a patch and have to use a git repo now, it's not
> intuitive on *how* to make use of it. But, again, see below...
>
> >
> > Where do I get some tips how to install? I do have the git sources, they
> > verify fine... I will, hopefully, keep strong and keep trying, but I'm
> > not so very sure I am able to craft an ebuild that would work and that
> > would install with the local git linux-unofficial_grsec repo...
>
> I'm not familiar with the gentoo ebuild based package system but I
> guess patches integrate more smoothly than git repositories do. So
> here's how you generate a patch for the unofficial port for v4.9.27
> (just pushed ;):
>
> $ git remote update
> [update log foo]
> $ git diff v4.9.27..v4.9.27-unofficial_grsec > ~/unofficial_grsec-v4.9.27.diff
>
> If you don't want to clone the git repo you can fetch the patch
> directly via the github web interface:
>
> $ curl https://github.com/minipli/linux-unofficial_grsec/compare/v4.9.27...v4.9.27-unofficial_grsec.diff > ~/unofficial_grsec-v4.9.27.diff
>
> The pattern should be intuitive: just change "v4.9.27" for the kernel
> version you want to get a patch for (v4.9.25 to v4.9.27 so far).
>
> The generated patch can be applied on a vanilla Linux v4.9.27 as usual
> to generate the unofficial grsec kernel.
>
> I hope this helps!
>
> Cheers,
> Mathias

Regards!
--
Miroslav Rovis
Zagreb, Croatia
https://www.CroatiaFidelis.hr
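The patch workflow Mathias describes in the quoted reply (diff the vanilla tag against the hardened tag, then apply the result to a vanilla tree), replayed offline as an added example that is not part of this thread or of the linux-unofficial_grsec project: the repository, its files and commits are constructed stand-ins, only the tag naming follows the thread, and a `git apply --check` dry run is added before the real apply as the sanity check a packager would want.

```shell
# Added example, not code from the thread: Mathias' workflow ("git diff
# vX..vX-unofficial_grsec > file.diff", then apply the diff to a vanilla tree)
# replayed on a small constructed git repository so it runs offline.
# Tag names mirror the thread; every file, commit and path here is made up.
set -eu

# Build a tiny stand-in for the kernel repo: a vanilla tag, then a hardened tag.
make_demo_repo() {                     # $1 = directory to create
    mkdir -p "$1"
    git -C "$1" init -q
    git -C "$1" config user.email demo@example.invalid
    git -C "$1" config user.name demo
    printf 'VERSION = 4\nPATCHLEVEL = 9\nSUBLEVEL = 27\n' > "$1/Makefile"
    git -C "$1" add Makefile
    git -C "$1" commit -qm 'Linux 4.9.27 (constructed)'
    git -C "$1" tag v4.9.27
    mkdir -p "$1/grsecurity"
    printf 'obj-y += grsec.o\n' > "$1/grsecurity/Makefile"   # constructed
    printf 'CONFIG_GRKERNSEC=y\n' > "$1/grsec.config"         # constructed
    git -C "$1" add .
    git -C "$1" commit -qm 'Merge unofficial grsec port (constructed)'
    git -C "$1" tag v4.9.27-unofficial_grsec
}

# Step 1: reduce the hardened tag to a plain diff against the vanilla tag.
make_patch() {                         # $1 = repo, $2 = base tag, $3 = out file
    git -C "$1" diff "$2..$2-unofficial_grsec" > "$3"
}

# Step 2: confirm the diff applies cleanly to a vanilla tree at the base tag,
# then apply it. The --check pass first avoids a half-patched source tree.
apply_patch() {                        # $1 = repo, $2 = base tag, $3 = patch, $4 = vanilla dir
    git clone -q --branch "$2" "$1" "$4"
    git -C "$4" apply --check "$3"
    git -C "$4" apply "$3"
}
# Did the vanilla tree receive the hardening files the patch carries?
check_applied() {                      # $1 = vanilla dir
    [ -f "$1/grsecurity/Makefile" ] && grep -q '^CONFIG_GRKERNSEC=y$' "$1/grsec.config"
}

main() {
    work=$(mktemp -d)
    make_demo_repo "$work/repo"
    make_patch "$work/repo" v4.9.27 "$work/unofficial_grsec-v4.9.27.diff"
    apply_patch "$work/repo" v4.9.27 "$work/unofficial_grsec-v4.9.27.diff" "$work/vanilla"
    check_applied "$work/vanilla" && echo "patch generated and applied cleanly"
    rm -rf "$work"
}
main
```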