On 170502-10:28+0200, Daniel Cegiełka wrote: > https://wiki.gentoo.org/wiki/Hardened/Hardened_Kernel_Project > > It closes the topic of our discussion. > And I read all the discussion in gentoo-hardened in regard.
First, I'm a user[1], and I'm trying to continue to keep safe and secure as I used to be with grsec/PaX. I figured out only yesterday about this almost two weeks old news, and I guess the then 10+ days old (slightly) unmaintained kernel 4.9.24-hardened (and there won't be any updates, correct?), may have contributed to my woes[2]: # ls -ABRgo /usr/portage/sys-kernel/hardened-sources/ ... -rw-r--r-- 1 47449 2016-12-17 02:21 ChangeLog ... -rw-r--r-- 1 1316 2017-04-22 18:18 hardened-sources-4.9.24.ebuild ... # And really since late in 2016 no more entries in the Changelog. Pls. note that I'm only stating the facts, not complaining. I really wish I learn myself and be able to contribute; acually I have occasinally contributed, marginally, to the hardened project, with testing. > worth reading: > > http://openwall.com/lists/kernel-hardening/2017/05/01/5 > > http://openwall.com/lists/kernel-hardening/2017/05/02/4 And these should not be missed: It looks like there will be no more public versions of PaX and Grsec http://openwall.com/lists/kernel-hardening/2017/05/04/20 ( Shawn's collection of links there are an eye-opener, esp. this one link which, to me, feels like sacrilege: https://mjg59.dreamwidth.org/39546.html about Karen Sandler, the executive director of the Software Freedom Conservancy, by sly means prevented to stand for LF board ) and: < same subject > http://openwall.com/lists/kernel-hardening/2017/05/02/14 ( where find what "is... unappealing." ) > this means: > > * KSPP means that keeping PaX for >4.9 will be difficult and painful, > as I pointed out previously > * NSA SELinux instead PAX MPROTECT? I hope this is a joke. It looks like one, at first sight, but there are half a dozen "NSA SELinux" instances to be found in the latest hardened-sources. # grep 'NSA SE' /usr/src/linux/security/selinux/Kconfig bool "NSA SELinux Support" ... # (where linux is a hardened-sources installation) If hardened would be down to SELinux, I wouldn't be hardening any more. > alternatives: RSBAC > ... But I saw the other link that gives me some hope: Unofficial forward ports of the last publicly available grsecurity patch https://github.com/minipli/linux-unofficial_grsec/tree/linux-4.9.x-unofficial_grsec which I cloned into my machine. (And I have just spent hours trying to fix an ebuild in my custom overlay and install it in my machine, to no avail so far, and I'm at the end of my forbearance... A little more below.) And I wonder: 1) Are there any guides for non-programmers how to install the: Merge tag 'v4.9.26' into linux-4.9.x-unofficial_grsec https://github.com/minipli/linux-unofficial_grsec/commit/bb9fb983874810ca4167430508e06975af700824?diff=unified UPDATE (at proofreading time: Matheus, thanks! You just PGP-signed the new tag [3], reader, skip 16 lines ) 2) How can I check the integrity? I can: $ git tag --verify v4.9.26 object d071951e08ee23cd725c2336d7ab4582bb93b0af type commit tag v4.9.26 tagger Greg Kroah-Hartman <gre...@linuxfoundation.org> 1493825816 -0700 ... $ but I can not verify Mathias Krause's commit. Pls. minipli, can you start PGP-signing... [cut more text, because you have :) ] (Continue reading, isues left here, this is the "little more below" I mentioned above.) The README.md is plain readme from the kernel, no mention of grsec at all... Where do I get some tips how to install? I do have the git sources, they verify fine... I will, hopefully, keep strong and keep trying, but I'm not so very sure I am able to craft an ebuild that would work and that would install with the local git linux-unofficial_grsec repo... I suspect the [2] below was because my kernel wasn't updated... and I do feel a little insecure at this time... --- [1] but I can understand the issues the developers have. I have some understanding of programming, and the politics with and around FOSS is easy to understand, given time and info. [2] Strange script planted with Bash https://www.croatiafidelis.hr/foss/cap/cap-170504-strange-bash/ and: Inconsistent behavior in my Gentoo OS instance https://lists.gt.net/gentoo/user/325985#325985 [3] $ git tag --verify v4.9.26-unofficial_grsec object bb9fb983874810ca4167430508e06975af700824 type commit tag v4.9.26-unofficial_grsec tagger Mathias Krause <mini...@googlemail.com> 1494181910 +0200 This is the unofficial forward port of grsecurity-3.1-4.9.24-201704252333.patch to v4.9.26 gpg: Signature made Sun 07 May 2017 20:32:02 CEST gpg: using RSA key 7585399992435BA4 gpg: Good signature from "Mathias Krause <mini...@googlemail.com>" [unknown] ... Primary key fingerprint: 7629 8B5B B60E DAD2 1B36 2E66 7585 3999 9243 5BA4 Regards! -- Miroslav Rovis Zagreb, Croatia https://www.CroatiaFidelis.hr
signature.asc
Description: Digital signature