Subject: Re: [gentoo-project] The status of grsecurity upstream and hardened-sources downstream
To: gentoo-project@lists.gentoo.org
From: Michael Orlitzky
Date: Fri, 23 Jun 2017 14:47:49 -0400

On 06/23/2017 01:49 PM, Toralf Förster wrote:
>
> I do wonder if the PAX marking logic could detect a running
> non-hardened kernel and therefore silently skip the step?
>

If it did that, you'd have to "emerge -e @world" every time you booted
into a hardened kernel after running a vanilla one. To add to the
trouble, that "emerge" would probably fail due to things being killed by
PaX.