public inbox for gentoo-hardened@lists.gentoo.org
* [gentoo-hardened] The status of grsecurity upstream and hardened-sources downstream
From: Anthony G. Basile @ 2017-06-23 16:28 UTC
  To: Gentoo Development, Gentoo project list, gentoo-hardened

Hi everyone,

Since late April, grsecurity upstream has stopped making their patches
available publicly.  Without going into details, the reason for their
decision revolves around disputes about how their patches were being
(ab)used.

Since the grsecurity patch formed the main core of our hardened-sources
kernel, their decision has serious repercussions for the Hardened Gentoo
project.  I will no longer be able to support hardened-sources and will
have to eventually mask and remove it from the tree.

Hardened Gentoo has two sides to it, kernel hardening (done via
hardened-sources) and toolchain/executable hardening.  The two are
interrelated but independent enough that toolchain hardening can
continue on its own.  The hardened kernel, however, provided PaX
protection for executables and this will be lost.  We did a lot of work
to properly maintain PaX markings in our package management system and
there was no part of Gentoo that wasn't touched by issues stemming from
PaX support.

I waited two months before saying anything because the reasons were more
of a political nature than some technical issue.  At this point, I think
it's time to let the community know about the state of affairs with
hardened-sources.

I can no longer get into the #grsecurity/OFTC channel (nothing personal,
they kicked everyone), and so I have not spoken to spengler or pipacs.
I don't know if they will ever release grsecurity patches again.

My plan then is as follows.  I'll wait one more month and then send out
a news item and later mask hardened-sources for removal.  I don't
recommend we remove any of the machinery from Gentoo that deals with PaX
markings.

I welcome feedback.

-- 
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail    : blueness@gentoo.org
GnuPG FP  : 1FED FAD9 D82C 52A5 3BAB  DC79 9384 FA6E F52D 4BBA
GnuPG ID  : F52D4BBA



* Re: [gentoo-hardened] The status of grsecurity upstream and hardened-sources downstream
From: Oleg Popov @ 2017-06-23 17:01 UTC
  To: gentoo-hardened

On Fri, Jun 23, 2017 at 12:28:27PM -0400, Anthony G. Basile wrote:
> My plan then is as follows.  I'll wait one more month and then send 
> out a news item and later mask hardened-sources for removal.  I don't 
> recommend we remove any of the machinery from Gentoo that deals with 
> PaX markings.
> 
> I welcome feedback.

Is it possible to at least support 4.9 until its LTS term is over?




* Re: [gentoo-hardened] The status of grsecurity upstream and hardened-sources downstream
From: Javier Juan Martinez Cabezon @ 2017-06-23 17:09 UTC
  To: gentoo-hardened


Have you thought about using another alternative apart from grsec as the
kernel-side solution? PaX is PaX, it's a great loss, but rsbac and selinux
have their W^X, almost all CPUs today have the NX bit, which reduces the
need for PageExec/SegmExec, and I think there exist some gcc plugins with
PaX-like functions.

rsbac has its git public and selinux is in vanilla. Maybe you could
consider using the rsbac git kernel as the new hardened-sources kernel-land
solution, but I have not tested selinux under this kernel.

Under rsbac, PaX userland is not needed: MPROTECT controls it and can be
switched individually in kernel land because it is something like a
request under rsbac. Not all functions of PaX, but good enough in my opinion.

On 23/06/17 18:28, Anthony G. Basile wrote:
> Hi everyone,
> 
> Since late April, grsecurity upstream has stopped making their patches
> available publicly.  Without going into details, the reason for their
> decision revolves around disputes about how their patches were being
> (ab)used.
> 
> Since the grsecurity patch formed the main core of our hardened-sources
> kernel, their decision has serious repercussions for the Hardened Gentoo
> project.  I will no longer be able to support hardened-sources and will
> have to eventually mask and remove it from the tree.
> 
> Hardened Gentoo has two sides to it, kernel hardening (done via
> hardened-sources) and toolchain/executable hardening.  The two are
> interrelated but independent enough that toolchain hardening can
> continue on its own.  The hardened kernel, however, provided PaX
> protection for executables and this will be lost.  We did a lot of work
> to properly maintain PaX markings in our package management system and
> there was no part of Gentoo that wasn't touched by issues stemming from
> PaX support.
> 
> I waited two months before saying anything because the reasons were more
> of a political nature than some technical issue.  At this point, I think
> it's time to let the community know about the state of affairs with
> hardened-sources.
> 
> I can no longer get into the #grsecurity/OFTC channel (nothing personal,
> they kicked everyone), and so I have not spoken to spengler or pipacs.
> I don't know if they will ever release grsecurity patches again.
> 
> My plan then is as follows.  I'll wait one more month and then send out
> a news item and later mask hardened-sources for removal.  I don't
> recommend we remove any of the machinery from Gentoo that deals with PaX
> markings.
> 
> I welcome feedback.
> 
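
The "PaX markings" Anthony mentions and the per-binary MPROTECT and NX choices Javier discusses both live in ELF program headers: a PaX kernel reads a PT_PAX_FLAGS entry (the thing paxctl and scanelf edit), while the vanilla kernel reads PT_GNU_STACK for the executable-stack request that the NX bit makes enforceable. As an added example that is not part of this thread nor of any Gentoo, PaX or RSBAC tool, the following Python decodes both entries from an ELF64 image. The type and flag constants are the ones from PaX's elf.h; the two sample images are constructed inline and are not real binaries.

```python
"""Decode PaX markings (PT_PAX_FLAGS) and the executable-stack request
(PT_GNU_STACK) from the program header table of an ELF64 image.

Added example for the gentoo-hardened thread; not Gentoo's, PaX's or
RSBAC's own code.  Constants follow PaX's elf.h; sample data is constructed.
"""
import struct

PT_GNU_STACK = 0x6474E551   # executable-stack request honoured by vanilla Linux
PT_PAX_FLAGS = 0x65041580   # PaX per-binary marking (edited by paxctl/scanelf)

# Each PaX feature has a force-on bit and a force-off bit in p_flags;
# neither set means "kernel default policy decides".
PAX_FEATURES = {
    "PAGEEXEC": (1 << 4, 1 << 5),
    "SEGMEXEC": (1 << 6, 1 << 7),
    "MPROTECT": (1 << 8, 1 << 9),
    "RANDEXEC": (1 << 10, 1 << 11),
    "EMUTRAMP": (1 << 12, 1 << 13),
    "RANDMMAP": (1 << 14, 1 << 15),
}

PF_X, PF_W, PF_R = 0x1, 0x2, 0x4   # standard segment permission bits


def parse_phdrs(data: bytes):
    """Return [(p_type, p_flags), ...] from a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    phdrs = []
    for i in range(e_phnum):
        # p_type and p_flags are the first two 32-bit fields of an Elf64_Phdr
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        phdrs.append((p_type, p_flags))
    return phdrs


def decode_pax_flags(p_flags: int) -> dict:
    """Map every PaX feature to 'on', 'off', 'default' or 'conflicting'."""
    state = {}
    for name, (on_bit, off_bit) in PAX_FEATURES.items():
        on, off = bool(p_flags & on_bit), bool(p_flags & off_bit)
        if on and off:
            state[name] = "conflicting"   # both bits set: PaX rejects the marking
        elif on:
            state[name] = "on"
        elif off:
            state[name] = "off"
        else:
            state[name] = "default"
    return state


def summarize(data: bytes) -> dict:
    """Summarize the two security-relevant program headers of an image.

    'pax' is None when the binary carries no PaX marking at all, and
    'exec_stack' is None when no PT_GNU_STACK entry is present.
    """
    out = {"pax": None, "exec_stack": None}
    for p_type, p_flags in parse_phdrs(data):
        if p_type == PT_PAX_FLAGS:
            out["pax"] = decode_pax_flags(p_flags)
        elif p_type == PT_GNU_STACK:
            out["exec_stack"] = bool(p_flags & PF_X)
    return out


def build_sample_elf(phdrs) -> bytes:
    """Construct a minimal, non-loadable ELF64 image (sample data only)
    whose program header table holds the given (p_type, p_flags) pairs."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, LE, SysV ABI
    ehdr = ident + struct.pack(
        "<HHIQQQIHHHHHH",
        2, 62, 1,                    # ET_EXEC, EM_X86_64, EV_CURRENT
        0, 64, 0,                    # e_entry, e_phoff (right after header), e_shoff
        0, 64, 56, len(phdrs),       # e_flags, e_ehsize, e_phentsize, e_phnum
        64, 0, 0,                    # e_shentsize, e_shnum, e_shstrndx
    )
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    return ehdr + body


# Constructed sample: MPROTECT and RANDMMAP forced on, non-executable stack.
SAMPLE_HARDENED = build_sample_elf([
    (PT_GNU_STACK, PF_R | PF_W),
    (PT_PAX_FLAGS, PAX_FEATURES["MPROTECT"][0] | PAX_FEATURES["RANDMMAP"][0]),
])

# Constructed sample: a JIT-style binary that opts out of MPROTECT, asks for
# trampoline emulation and an executable stack; exceptions like this are what
# the package manager's marking machinery has to carry through.
SAMPLE_RELAXED = build_sample_elf([
    (PT_GNU_STACK, PF_R | PF_W | PF_X),
    (PT_PAX_FLAGS, PAX_FEATURES["MPROTECT"][1] | PAX_FEATURES["EMUTRAMP"][0]),
])

if __name__ == "__main__":
    for label, image in (("hardened", SAMPLE_HARDENED), ("relaxed", SAMPLE_RELAXED)):
        print(label, summarize(image))
```

Run against a real binary by passing `open(path, "rb").read()` to `summarize()`; a file with no PT_PAX_FLAGS entry reports `pax: None`, which on a PaX kernel means the system-wide default applies rather than a per-binary exception.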




* Re: [gentoo-hardened] The status of grsecurity upstream and hardened-sources downstream
From: Kevin Chadwick @ 2017-06-23 17:47 UTC
  To: gentoo-hardened

On Fri, 23 Jun 2017 12:28:27 -0400


> My plan then is as follows.  I'll wait one more month and then send
> out a news item and later mask hardened-sources for removal.  I don't
> recommend we remove any of the machinery from Gentoo that deals with
> PaX markings.
> 
> I welcome feedback.

I won't mention the OS I love but tend to avoid linux almost completely
these days since the systemd invasion on binary distros but also because
modern Windows has more default kernel hardening features than upstream
Linux (binary packaged kernels). Hardened Gentoo is among the best. I am
sorry to hear this. I hope it will resolve itself more satisfactorily,
eventually.

Good luck and regards, Kc



* [gentoo-hardened] Re: [gentoo-project] The status of grsecurity upstream and hardened-sources downstream
From: Sergei Trofimovich @ 2017-06-23 20:46 UTC
  To: Anthony G. Basile; +Cc: gentoo-project, Gentoo Development, gentoo-hardened


On Fri, 23 Jun 2017 12:28:27 -0400
"Anthony G. Basile" <blueness@gentoo.org> wrote:

> My plan then is as follows.  I'll wait one more month and then send out
> a news item and later mask hardened-sources for removal.  I don't
> recommend we remove any of the machinery from Gentoo that deals with PaX
> markings.

Thanks for the status update!

-- 

  Sergei


* Re: [gentoo-hardened] The status of grsecurity upstream and hardened-sources downstream
From: Francisco Blas Izquierdo Riera (klondike) @ 2017-06-24 10:59 UTC
  To: gentoo-hardened; +Cc: Mathias Krause


On 23/06/17 at 18:28, Anthony G. Basile wrote:
> Hi everyone,
>
> Since late April, grsecurity upstream has stopped making their patches
> available publicly.  Without going into details, the reason for their
> decision revolves around disputes about how their patches were being
> (ab)used.
>
> Since the grsecurity patch formed the main core of our hardened-sources
> kernel, their decision has serious repercussions for the Hardened Gentoo
> project.  I will no longer be able to support hardened-sources and will
> have to eventually mask and remove it from the tree.
>
> Hardened Gentoo has two sides to it, kernel hardening (done via
> hardened-sources) and toolchain/executable hardening.  The two are
> interrelated but independent enough that toolchain hardening can
> continue on its own.  The hardened kernel, however, provided PaX
> protection for executables and this will be lost.  We did a lot of work
> to properly maintain PaX markings in our package management system and
> there was no part of Gentoo that wasn't touched by issues stemming from
> PaX support.
>
> I waited two months before saying anything because the reasons were more
> of a political nature than some technical issue.  At this point, I think
> it's time to let the community know about the state of affairs with
> hardened-sources.
>
> I can no longer get into the #grsecurity/OFTC channel (nothing personal,
> they kicked everyone), and so I have not spoken to spengler or pipacs.
> I don't know if they will ever release grsecurity patches again.
>
> My plan then is as follows.  I'll wait one more month and then send out
> a news item and later mask hardened-sources for removal.  I don't
> recommend we remove any of the machinery from Gentoo that deals with PaX
> markings.
>
> I welcome feedback.
>
Hi!

I know that minipli has been working on keeping the last released grsec
patches up to date on the 4.9 LTS branch and was sharing his work on a
github repository.

I believe his work could be a good alternative for a few more years and
give us enough time to see how everything evolves.

Maybe the upstream people start taking things seriously and we can drop
the hardened-sources by then (not very optimistic about that though). Or
maybe spender and the PaX Team start releasing patches again (as the
situation looks now I also doubt it). Either way it will buy us time at
the expense of lack of new hardware compatibility.

Klondike




* Re: [gentoo-hardened] The status of grsecurity upstream and hardened-sources downstream
From: Alex Efros @ 2017-07-18 10:34 UTC
  To: gentoo-hardened

Hi!

On Fri, Jun 23, 2017 at 12:28:27PM -0400, Anthony G. Basile wrote:
> My plan then is as follows.  I'll wait one more month and then send out
> a news item and later mask hardened-sources for removal.

Well, it's about a month now. I didn't reply earlier because others
already mentioned all the good ideas and I was hoping these ideas would be
accepted… :(

But, just in case, I'm +1 for both ideas to keep 4.9 LTS support as long
as possible (and mark one of hardened-sources-4.9.x as stable) to give us
a couple of years to find another solution and/or develop a migration plan
from GrSecurity/PaX to RSBAC (or anything else which provides the best
available security level for modern kernels) - anything better than just
"switch to gentoo-sources and enable SeLinux to feel real pain" will do.

Seriously, which options do we actually have right now, if hardened-sources
will be masked next week and removed from the tree next month?

-- 
			WBR, Alex.



* Re: [gentoo-hardened] The status of grsecurity upstream and hardened-sources downstream
From: R0b0t1 @ 2017-07-18 14:37 UTC
  To: gentoo-hardened

On Tue, Jul 18, 2017 at 5:34 AM, Alex Efros <powerman@powerman.name> wrote:
> Hi!
>
> On Fri, Jun 23, 2017 at 12:28:27PM -0400, Anthony G. Basile wrote:
>> My plan then is as follows.  I'll wait one more month and then send out
>> a news item and later mask hardened-sources for removal.
>
> Well, it's about a month now. I didn't reply earlier because others
> already mentioned all the good ideas and I was hoping these ideas would be
> accepted… :(
>
> But, just in case, I'm +1 for both ideas to keep 4.9 LTS support as long
> as possible (and mark one of hardened-sources-4.9.x as stable) to give us
> a couple of years [...]
>

I agree, there are this solution seems popular among people using
other distributions who want to continue to use grsecurity.



* Re: [gentoo-hardened] The status of grsecurity upstream and hardened-sources downstream
From: R0b0t1 @ 2017-07-18 14:39 UTC
  To: gentoo-hardened

On Tue, Jul 18, 2017 at 9:37 AM, R0b0t1 <r030t1@gmail.com> wrote:
> [...] there are this solution seems [...]

I even reread that a few times. My apologies.



* Re: [gentoo-hardened] The status of grsecurity upstream and hardened-sources downstream
From: Cor Legemaat @ 2017-07-24 16:46 UTC
  To: gentoo-hardened

On Fri, 2017-06-23 at 19:09 +0200, Javier Juan Martinez Cabezon wrote:
> Have you thought about using another alternative apart from grsec as the
> kernel-side solution? PaX is PaX, it's a great loss, but rsbac and selinux
> have their W^X, almost all CPUs today have the NX bit, which reduces the
> need for PageExec/SegmExec, and I think there exist some gcc plugins with
> PaX-like functions.
> 
> rsbac has its git public and selinux is in vanilla. Maybe you could
> consider using the rsbac git kernel as the new hardened-sources kernel-land
> solution, but I have not tested selinux under this kernel.
> 
> Under rsbac, PaX userland is not needed: MPROTECT controls it and can be
> switched individually in kernel land because it is something like a
> request under rsbac. Not all functions of PaX, but good enough in my
> opinion.
> 
> On 23/06/17 18:28, Anthony G. Basile wrote:
> > Hi everyone,
> > 
> > Since late April, grsecurity upstream has stopped making their patches
> > available publicly.  Without going into details, the reason for their
> > decision revolves around disputes about how their patches were being
> > (ab)used.
> > 
> > Since the grsecurity patch formed the main core of our hardened-sources
> > kernel, their decision has serious repercussions for the Hardened Gentoo
> > project.  I will no longer be able to support hardened-sources and will
> > have to eventually mask and remove it from the tree.
> > 
> > Hardened Gentoo has two sides to it, kernel hardening (done via
> > hardened-sources) and toolchain/executable hardening.  The two are
> > interrelated but independent enough that toolchain hardening can
> > continue on its own.  The hardened kernel, however, provided PaX
> > protection for executables and this will be lost.  We did a lot of work
> > to properly maintain PaX markings in our package management system and
> > there was no part of Gentoo that wasn't touched by issues stemming from
> > PaX support.
> > 
> > I waited two months before saying anything because the reasons were more
> > of a political nature than some technical issue.  At this point, I think
> > it's time to let the community know about the state of affairs with
> > hardened-sources.
> > 
> > I can no longer get into the #grsecurity/OFTC channel (nothing personal,
> > they kicked everyone), and so I have not spoken to spengler or pipacs.
> > I don't know if they will ever release grsecurity patches again.
> > 
> > My plan then is as follows.  I'll wait one more month and then send out
> > a news item and later mask hardened-sources for removal.  I don't
> > recommend we remove any of the machinery from Gentoo that deals with PaX
> > markings.
> > 
> > I welcome feedback.

How do I play with RSBAC? There are nice wiki pages etc. but all the
ebuilds are removed from portage?

Regards:
Cor


* Re: [gentoo-hardened] The status of grsecurity upstream and hardened-sources downstream
From: Javier Juan Martinez Cabezon @ 2017-07-24 17:02 UTC
  To: gentoo-hardened


> How do I play with RSBAC? There are nice wiki pages etc. but all the
> ebuilds are removed from portage?
> 
> Regards:
> Cor
> 

You can download rsbac sources from their git

https://git.rsbac.org/cgi-bin/gitweb.cgi?p=linux-4.9.y.git;a=summary

You will need rsbac-admin tools too

https://git.rsbac.org/cgi-bin/gitweb.cgi?p=rsbac-admin.git;a=summary

After that, check its handbook

https://www.rsbac.org/documentation/rsbac_handbook

and make use of the learning mode of the CAP, AUTH and RC modules.



* Re: [gentoo-hardened] The status of grsecurity upstream and hardened-sources downstream
From: Jens Kasten @ 2017-07-26  1:48 UTC
  To: gentoo-hardened

On 24.07.2017 18:46, Cor Legemaat wrote:
> On Fri, 2017-06-23 at 19:09 +0200, Javier Juan Martinez Cabezon wrote:
>> Have you thought about using another alternative apart from grsec as the
>> kernel-side solution? PaX is PaX, it's a great loss, but rsbac and selinux
>> have their W^X, almost all CPUs today have the NX bit, which reduces the
>> need for PageExec/SegmExec, and I think there exist some gcc plugins with
>> PaX-like functions.
>> 
>> rsbac has its git public and selinux is in vanilla. Maybe you could
>> consider using the rsbac git kernel as the new hardened-sources kernel-land
>> solution, but I have not tested selinux under this kernel.
>> 
>> Under rsbac, PaX userland is not needed: MPROTECT controls it and can be
>> switched individually in kernel land because it is something like a
>> request under rsbac. Not all functions of PaX, but good enough in my
>> opinion.
>> 
>> On 23/06/17 18:28, Anthony G. Basile wrote:
>> > Hi everyone,
>> >
>> > Since late April, grsecurity upstream has stopped making their patches
>> > available publicly.  Without going into details, the reason for their
>> > decision revolves around disputes about how their patches were being
>> > (ab)used.
>> >
>> > Since the grsecurity patch formed the main core of our hardened-sources
>> > kernel, their decision has serious repercussions for the Hardened Gentoo
>> > project.  I will no longer be able to support hardened-sources and will
>> > have to eventually mask and remove it from the tree.
>> >
>> > Hardened Gentoo has two sides to it, kernel hardening (done via
>> > hardened-sources) and toolchain/executable hardening.  The two are
>> > interrelated but independent enough that toolchain hardening can
>> > continue on its own.  The hardened kernel, however, provided PaX
>> > protection for executables and this will be lost.  We did a lot of work
>> > to properly maintain PaX markings in our package management system and
>> > there was no part of Gentoo that wasn't touched by issues stemming from
>> > PaX support.
>> >
>> > I waited two months before saying anything because the reasons were more
>> > of a political nature than some technical issue.  At this point, I think
>> > it's time to let the community know about the state of affairs with
>> > hardened-sources.
>> >
>> > I can no longer get into the #grsecurity/OFTC channel (nothing personal,
>> > they kicked everyone), and so I have not spoken to spengler or pipacs.
>> > I don't know if they will ever release grsecurity patches again.
>> >
>> > My plan then is as follows.  I'll wait one more month and then send out
>> > a news item and later mask hardened-sources for removal.  I don't
>> > recommend we remove any of the machinery from Gentoo that deals with PaX
>> > markings.
>> >
>> > I welcome feedback.
> 
> How do I play with RSBAC? There are nice wiki pages etc. but all the
> ebuilds are removed from portage?
> 
> Regards:
> Cor

Hi,

https://bitbucket.org/igraltist/kiste

This is my private overlay, but there is an rsbac-admin ebuild.

Jens




Thread overview: 12+ messages
2017-06-23 16:28 [gentoo-hardened] The status of grsecurity upstream and hardened-sources downstream Anthony G. Basile
2017-06-23 17:01 ` Oleg Popov
2017-06-23 17:09 ` Javier Juan Martinez Cabezon
2017-07-24 16:46   ` Cor Legemaat
2017-07-24 17:02     ` Javier Juan Martinez Cabezon
2017-07-26  1:48     ` Jens Kasten
2017-06-23 17:47 ` Kevin Chadwick
2017-06-23 20:46 ` [gentoo-hardened] Re: [gentoo-project] " Sergei Trofimovich
2017-06-24 10:59 ` [gentoo-hardened] " Francisco Blas Izquierdo Riera (klondike)
2017-07-18 10:34 ` Alex Efros
2017-07-18 14:37   ` R0b0t1
2017-07-18 14:39     ` R0b0t1
