public inbox for gentoo-project@lists.gentoo.org
* [gentoo-project] The status of grsecurity upstream and hardened-sources downstream
@ 2017-06-23 16:28 Anthony G. Basile
From: Anthony G. Basile @ 2017-06-23 16:28 UTC
  To: Gentoo Development, Gentoo project list, gentoo-hardened

Hi everyone,

Since late April, grsecurity upstream has stopped making their patches
available publicly.  Without going into details, the reason for their
decision revolves around disputes about how their patches were being
(ab)used.

Since the grsecurity patch formed the main core of our hardened-sources
kernel, their decision has serious repercussions for the Hardened Gentoo
project.  I will no longer be able to support hardened-sources and will
have to eventually mask and remove it from the tree.

Hardened Gentoo has two sides to it, kernel hardening (done via
hardened-sources) and toolchain/executable hardening.  The two are
interrelated but independent enough that toolchain hardening can
continue on its own.  The hardened kernel, however, provided PaX
protection for executables and this will be lost.  We did a lot of work
to properly maintain PaX markings in our package management system and
there was no part of Gentoo that wasn't touched by issues stemming from
PaX support.

I waited two months before saying anything because the reasons were more
of a political nature than some technical issue.  At this point, I think
it's time to let the community know about the state of affairs with
hardened-sources.

I can no longer get into the #grsecurity/OFTC channel (nothing personal,
they kicked everyone), and so I have not spoken to spengler or pipacs.
I don't know if they will ever release grsecurity patches again.

My plan then is as follows.  I'll wait one more month and then send out
a news item and later mask hardened-sources for removal.  I don't
recommend we remove any of the machinery from Gentoo that deals with PaX
markings.

I welcome feedback.

-- 
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail    : blueness@gentoo.org
GnuPG FP  : 1FED FAD9 D82C 52A5 3BAB  DC79 9384 FA6E F52D 4BBA
GnuPG ID  : F52D4BBA



* Re: [gentoo-project] The status of grsecurity upstream and hardened-sources downstream
From: William L. Thomson Jr. @ 2017-06-23 17:27 UTC
  To: gentoo-project


On Fri, 23 Jun 2017 12:28:27 -0400
"Anthony G. Basile" <blueness@gentoo.org> wrote:
>
> I waited two months before saying anything because the reasons were
> more of a political nature than some technical issue.  At this point,
> I think its time to let the community know about the state of affairs
> with hardened-sources.

Political is not really the correct terminology, more breach of
trademark. This was a business decision, I do not blame them!
https://grsecurity.net/announce.php
https://www.theregister.co.uk/2017/04/26/grsecurity_linux_kernel_freeloaders/

They are still available just not for free, for $200
https://grsecurity.net/purchase.php

Thanks WindRiver/Intel....
https://www.windriver.com/products/linux/security/
https://en.wikipedia.org/wiki/Wind_River_Systems
https://en.wikipedia.org/wiki/Wind_River_Systems#Wind_River_Linux

-- 
William L. Thomson Jr.



* Re: [gentoo-project] The status of grsecurity upstream and hardened-sources downstream
From: Toralf Förster @ 2017-06-23 17:49 UTC
  To: gentoo-project



On 06/23/2017 06:28 PM, Anthony G. Basile wrote:
>  I don't recommend we remove any of the machinery from Gentoo that deals with PaX
> markings.

I'm still using the hardened profile both at my desktop and my server -
now together with latest stable vanilla-kernel by directly following the
stable kernel git
(echo "sys-kernel/vanilla-sources-4.10.13" >>
/etc/portage/profile/package.provided).
I realized (at the tinderbox images as well) that PaX-marking error
messages do occur when I didn't add '-paxkernel' to my USE flags.

I do wonder if the PaX marking logic could detect a running
non-hardened kernel and therefore silently skip the step?

-- 
Toralf
PGP 23217DA7 9B888F45





* Re: [gentoo-project] The status of grsecurity upstream and hardened-sources downstream
From: NP-Hardass @ 2017-06-23 18:04 UTC
  To: gentoo-project



On 06/23/2017 12:28 PM, Anthony G. Basile wrote:
> Hi everyone,
> 
> Since late April, grsecurity upstream has stopped making their patches
> available publicly.  Without going into details, the reason for their
> decision revolves around disputes about how their patches were being
> (ab)used.
> 
> Since the grsecurity patch formed the main core of our hardened-sources
> kernel, their decision has serious repercussions for the Hardened Gentoo
> project.  I will no longer be able to support hardened-sources and will
> have to eventually mask and remove it from the tree.
> 
> Hardened Gentoo has two sides to it, kernel hardening (done via
> hardened-sources) and toolchain/executable hardening.  The two are
> interrelated but independent enough that toolchain hardening can
> continue on its own.  The hardened kernel, however, provided PaX
> protection for executables and this will be lost.  We did a lot of work
> to properly maintain PaX markings in our package management system and
> there was no part of Gentoo that wasn't touched by issues stemming from
> PaX support.
> 
> I waited two months before saying anything because the reasons were more
> of a political nature than some technical issue.  At this point, I think
> it's time to let the community know about the state of affairs with
> hardened-sources.
> 
> I can no longer get into the #grsecurity/OFTC channel (nothing personal,
> they kicked everyone), and so I have not spoken to spengler or pipacs.
> I don't know if they will ever release grsecurity patches again.
> 
> My plan then is as follows.  I'll wait one more month and then send out
> a news item and later mask hardened-sources for removal.  I don't
> recommend we remove any of the machinery from Gentoo that deals with PaX
> markings.
> 
> I welcome feedback.
> 

Thoughts on using this [1] unofficial fork?  At the moment, looks like
it is up to date with the 4.9.x branch (ported up to 4.9.33, last
official release is 4.9.24).  It should be noted, however, that the
maintainer has stated that the intention is forward porting and
bug-fixing, not new feature development.  Is it worth contacting the
maintainer to find out whether the intention is to support other
branches in the future?

Obviously using an unofficial fork should come with a big warning, but I
think it is worth considering keeping an option available to those that
want it.

There may be other forks but that's the only one I've come across since
upstream stopped publishing publicly.

As a personal aside, I think our support of grsec in the past has been a
major asset for the distro, and I'd prefer to see us maintain that asset
via an unofficial port, if possible.

On a slightly more off topic note, I must say, from my reading of
changelogs, bug reports, and forum posts, I think it is a shame that
we've been cut off with no real special consideration, given how much it
appears that Gentoo was involved in the feedback and improvement process
for grsec.

-- 
NP-Hardass

[1] https://github.com/minipli/linux-unofficial_grsec/




* Re: [gentoo-project] The status of grsecurity upstream and hardened-sources downstream
From: Mike Gilbert @ 2017-06-23 18:08 UTC
  To: gentoo-project

On Fri, Jun 23, 2017 at 1:49 PM, Toralf Förster <toralf@gentoo.org> wrote:
> On 06/23/2017 06:28 PM, Anthony G. Basile wrote:
>>  I don't recommend we remove any of the machinery from Gentoo that deals with PaX
>> markings.
>
> I'm still using the hardened profile both at my desktop and my server -
> now together with latest stable vanilla-kernel by directly following the
> stable kernel git
> (echo "sys-kernel/vanilla-sources-4.10.13" >>
> /etc/portage/profile/package.provided).
> I realized (at the tinderbox images as well) that PaX-marking error
> messages do occur when I didn't add '-paxkernel' to my USE flags.

The errors probably stem from lack of xattr support on tmpfs. Both
gentoo-sources and hardened-sources include a patch to enable this
(1500_XATTR_USER_PREFIX.patch).

You can either switch to gentoo-sources, or set PAX_MARKINGS="none" in
make.conf.



* Re: [gentoo-project] The status of grsecurity upstream and hardened-sources downstream
From: Michael Orlitzky @ 2017-06-23 18:47 UTC
  To: gentoo-project

On 06/23/2017 01:49 PM, Toralf Förster wrote:
> 
> I do wonder if the PaX marking logic could detect a running
> non-hardened kernel and therefore silently skip the step?
> 

If it did that, you'd have to "emerge -e @world" every time you booted
into a hardened kernel after running a vanilla one. To add to the
trouble, that "emerge" would probably fail due to things being killed by
PaX.
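A small probe for the two points raised above: Mike's diagnosis that the marking errors come from the build filesystem rejecting user xattrs (tmpfs without the XATTR_USER_PREFIX patch), and Michael's point that the decision to mark must not hinge on the running kernel, because the markings live in the installed binaries and have to be there the next time the box boots a hardened kernel. This is an added example written for this page, not code from the thread, from the pax-utils eclass or from portage. It assumes the xattr name user.pax.flags, the paxctl flag letters P/E/M/R/S (uppercase enables, lowercase disables), the "PaX:" line a PaX kernel adds to /proc/self/status, and the PAX_MARKINGS values PT/XT/none; marking_decision() is a hypothetical policy, not the eclass's logic.

```python
"""Probe PaX marking prerequisites on a Gentoo box.

Added example; not code from the pax-utils eclass, portage or the thread's
authors.  Assumptions: the xattr name "user.pax.flags", the paxctl flag
letters P/E/M/R/S, the "PaX:" line in /proc/self/status, and the
PAX_MARKINGS values PT/XT/none.  marking_decision() is a hypothetical policy.
"""
import errno
import os
import tempfile

PAX_XATTR = "user.pax.flags"
PAX_FLAG_NAMES = {"P": "PAGEEXEC", "E": "EMUTRAMP", "M": "MPROTECT",
                  "R": "RANDMMAP", "S": "SEGMEXEC"}

# errno values returned when the filesystem cannot hold user.* xattrs
# (ENOTSUP and EOPNOTSUPP share a value on Linux) or a sandbox forbids them.
_XATTR_REJECTED = {errno.ENOTSUP, errno.EOPNOTSUPP, errno.ENOSYS,
                   errno.EPERM, errno.EACCES}


def parse_pax_flags(value):
    """Split a PaX flag string ('em', 'PEMRS', 'pm-') into (enabled, disabled) sets."""
    enabled, disabled = set(), set()
    for ch in value.strip():
        if ch == "-":          # paxctl prints '-' for "unset"; nothing to record
            continue
        name = PAX_FLAG_NAMES.get(ch.upper())
        if name is None:
            raise ValueError("unknown PaX flag %r" % ch)
        (enabled if ch.isupper() else disabled).add(name)
    clash = enabled & disabled
    if clash:
        raise ValueError("flags both enabled and disabled: %s" % sorted(clash))
    return enabled, disabled


def probe_user_xattr(directory=None):
    """Return True if a new file in `directory` accepts a user.pax.flags xattr.

    This is the operation that fails on a tmpfs whose kernel lacks the
    XATTR_USER_PREFIX patch; the marking step then errors out regardless of
    whether the running kernel is PaX-enabled.
    """
    if not hasattr(os, "setxattr"):      # non-Linux Python: no xattr API at all
        return False
    directory = directory or tempfile.gettempdir()
    fd, path = tempfile.mkstemp(dir=directory, prefix=".pax-probe-")
    os.close(fd)
    try:
        try:
            os.setxattr(path, PAX_XATTR, b"em")
        except OSError as exc:
            if exc.errno in _XATTR_REJECTED:
                return False
            raise
        return os.getxattr(path, PAX_XATTR) == b"em"
    finally:
        os.unlink(path)


def running_kernel_has_pax(status_text=None):
    """True if /proc/self/status (or the given text) carries a 'PaX:' line."""
    if status_text is None:
        try:
            with open("/proc/self/status") as fh:
                status_text = fh.read()
        except OSError:
            return False
    return any(line.startswith("PaX:") for line in status_text.splitlines())


def marking_decision(pax_markings, directory=None):
    """Decide whether to run the marking step (hypothetical policy).

    The decision depends on the PAX_MARKINGS setting and on whether the build
    filesystem can hold xattr markings.  It deliberately ignores
    running_kernel_has_pax(): skipping markings under a vanilla kernel would
    leave every package unmarked for the next boot into a hardened kernel.
    """
    wanted = set(pax_markings.split())
    if not wanted or wanted == {"none"}:
        return False, "PAX_MARKINGS disables marking"
    if "XT" in wanted and not probe_user_xattr(directory):
        return False, "build filesystem rejects user.* xattrs; use PT or fix tmpfs"
    return True, "marking with " + " ".join(sorted(wanted))


if __name__ == "__main__":
    print("PaX kernel running:", running_kernel_has_pax())
    print("user xattrs in", tempfile.gettempdir(), ":", probe_user_xattr())
    print(marking_decision("XT"))
    print(marking_decision("none"))
```

Run it with PORTAGE_TMPDIR's directory as the argument to probe_user_xattr() to see the same ENOTSUP the marking step trips over; on a kernel with the xattr patch, or with PORTAGE_TMPDIR on ext4/xfs, the probe returns True under a vanilla kernel as well, which is why the filesystem rather than the kernel is the right thing to test.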




* Re: [gentoo-project] The status of grsecurity upstream and hardened-sources downstream
From: Alice Ferrazzi @ 2017-06-23 18:54 UTC
  To: gentoo Project mailinglist; +Cc: Gentoo Development, gentoo-hardened

On Sat, Jun 24, 2017 at 1:28 AM, Anthony G. Basile <blueness@gentoo.org> wrote:
>
> Hi everyone,
>
> Since late April, grsecurity upstream has stopped making their patches
> available publicly.  Without going into details, the reason for their
> decision revolves around disputes about how their patches were being
> (ab)used.
>
> Since the grsecurity patch formed the main core of our hardened-sources
> kernel, their decision has serious repercussions for the Hardened Gentoo
> project.  I will no longer be able to support hardened-sources and will
> have to eventually mask and remove it from the tree.
>
> Hardened Gentoo has two sides to it, kernel hardening (done via
> hardened-sources) and toolchain/executable hardening.  The two are
> interrelated but independent enough that toolchain hardening can
> continue on its own.  The hardened kernel, however, provided PaX
> protection for executables and this will be lost.  We did a lot of work
> to properly maintain PaX markings in our package management system and
> there was no part of Gentoo that wasn't touched by issues stemming from
> PaX support.
>
> I waited two months before saying anything because the reasons were more
> of a political nature than some technical issue.  At this point, I think
> it's time to let the community know about the state of affairs with
> hardened-sources.
>
> I can no longer get into the #grsecurity/OFTC channel (nothing personal,
> they kicked everyone), and so I have not spoken to spengler or pipacs.
> I don't know if they will ever release grsecurity patches again.
>
> My plan then is as follows.  I'll wait one more month and then send out
> a news item and later mask hardened-sources for removal.  I don't
> recommend we remove any of the machinery from Gentoo that deals with PaX
> markings.
>
> I welcome feedback.
>

As we already contributed to grsec in the past,
it would be sad to see hardened-sources go away.
What about the possibility of Gentoo forking PaX?

-- 
Thanks,
Alice Ferrazzi

Gentoo Kernel Project Leader
Mail: Alice Ferrazzi <alicef@gentoo.org>
PGP: 2E4E 0856 461C 0585 1336 F496 5621 A6B2 8638 781A



* Re: [gentoo-project] The status of grsecurity upstream and hardened-sources downstream
From: Sergei Trofimovich @ 2017-06-23 20:46 UTC
  To: Anthony G. Basile; +Cc: gentoo-project, Gentoo Development, gentoo-hardened


On Fri, 23 Jun 2017 12:28:27 -0400
"Anthony G. Basile" <blueness@gentoo.org> wrote:

> My plan then is as follows.  I'll wait one more month and then send out
> a news item and later mask hardened-sources for removal.  I don't
> recommend we remove any of the machinery from Gentoo that deals with PaX
> markings.

Thanks for the status update!

-- 

  Sergei



Thread overview:
2017-06-23 16:28 [gentoo-project] The status of grsecurity upstream and hardened-sources downstream Anthony G. Basile
2017-06-23 17:27 ` William L. Thomson Jr.
2017-06-23 17:49 ` Toralf Förster
2017-06-23 18:08   ` Mike Gilbert
2017-06-23 18:47   ` Michael Orlitzky
2017-06-23 18:04 ` NP-Hardass
2017-06-23 18:54 ` Alice Ferrazzi
2017-06-23 20:46 ` Sergei Trofimovich
