Re: [gentoo-dev] The status of grsecurity upstream and hardened-sources downstream

2017-06-26 Thread William L. Thomson Jr.
On Mon, 26 Jun 2017 16:30:41 +0900
Alice Ferrazzi  wrote:

> Linus Torvalds on grsecurity:
> https://www.spinics.net/lists/kernel/msg2540934.html

Linus may be responsible for Linux, but also for things like Dirty Cow. Not
sure how I feel about him and security, given that neglect.

https://dirtycow.ninja/
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619

-- 
William L. Thomson Jr.




Re: [gentoo-dev] The status of grsecurity upstream and hardened-sources downstream

2017-06-26 Thread Joshua Kinard
On 06/26/2017 09:15, Luis Ressel wrote:
> On Sun, 25 Jun 2017 23:47:48 -0400
> Joshua Kinard  wrote:
> 
>> Safe for now to just switch to gentoo-sources while retaining hardened
>> toolchain?  Or would there be a few additional steps needed?  I only
>> use PaX for mprotect() and the ASLR capabilities, though I suspect
>> those might be in the standard sauce by now.  As such, I haven't had
>> to deal with userland issues and PaX too much over the years.
> 
> A full rebuild shouldn't be necessary after a switch to gentoo-sources
> or vanilla-sources. At least, I can't think of any reason why it would,
> and I haven't encountered any problems after switching on my own hosts.
> 
> Just keep in mind that vanilla-sources doesn't support the PaX xattrs
> properly (AFAIR), so if you ever want to switch *back* from vanilla to
> hardened, some pax markings will be missing. This shouldn't be an issue
> for gentoo-sources, though.
> 
> Cheers,
> Luis Ressel
> 

The machine needs a full rebuild just to "freshen" it up.  Current install is
going on 6-7+ years, at least three different motherboard/CPU cycles, and the
SATA drives are pushing 8+ years old at this point in that machine.  The same
drives were previously in my desktop machine between ~2006-2008, so they've had
a *great* run for spinning rust.  I've got newish replacement drives and a new
drive bay recently arrived, so the grsecurity mess was the straw that broke the
proverbial camel's back.

Just a matter of getting the needed downtime to move data off,
rebuild/reinstall everything, move stuff back, and check for broken bits.
Until then, I wasn't sure if switching to gentoo-sources would have any
side-effects with the hardened userland to get to a newer kernel.

-- 
Joshua Kinard
Gentoo/MIPS
ku...@gentoo.org
6144R/F5C6C943 2015-04-27
177C 1972 1FB8 F254 BAD0 3E72 5C63 F4E3 F5C6 C943

"The past tempts us, the present confuses us, the future frightens us.  And our
lives slip away, moment by moment, lost in that vast, terrible in-between."

--Emperor Turhan, Centauri Republic



Re: [gentoo-dev] The status of grsecurity upstream and hardened-sources downstream

2017-06-26 Thread Luis Ressel
On Sun, 25 Jun 2017 23:47:48 -0400
Joshua Kinard  wrote:

> Safe for now to just switch to gentoo-sources while retaining hardened
> toolchain?  Or would there be a few additional steps needed?  I only
> use PaX for mprotect() and the ASLR capabilities, though I suspect
> those might be in the standard sauce by now.  As such, I haven't had
> to deal with userland issues and PaX too much over the years.

A full rebuild shouldn't be necessary after a switch to gentoo-sources
or vanilla-sources. At least, I can't think of any reason why it would,
and I haven't encountered any problems after switching on my own hosts.

Just keep in mind that vanilla-sources doesn't support the PaX xattrs
properly (AFAIR), so if you ever want to switch *back* from vanilla to
hardened, some pax markings will be missing. This shouldn't be an issue
for gentoo-sources, though.

Cheers,
Luis Ressel


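The caveat above is that PaX markings stored as extended attributes may be missing after a round trip through a kernel without PaX xattr support. The following is an added example, not code from the thread or from Gentoo's own tooling: it snapshots the markings on a tree of binaries into a manifest before the kernel switch, and afterwards reports or re-applies whatever is absent or changed. It assumes the marking lives in the `user.pax.flags` attribute (the name used by paxctl-ng on hardened Gentoo) and that a marking is a short flag string such as "em"; the manifest path and the pluggable getter/setter hooks are this example's own design so the logic can be exercised without a PaX kernel or an xattr-capable filesystem.

```python
"""Snapshot, check and restore PaX xattr markings around a kernel switch.

Added example for the gentoo-dev thread above; not part of the original
posts or of Gentoo's tooling. Assumptions: PaX markings live in the
``user.pax.flags`` extended attribute and are short flag strings ("em",
"pemrs", ...).
"""
import json
import os
import sys
from typing import Callable, Dict, Iterable, Optional

PAX_XATTR = "user.pax.flags"  # assumption: attribute name used by PaX xattr marking

# Backend hooks: a getter returns the current flag string (or None when the
# file carries no marking / the kernel or filesystem cannot read it), a setter
# writes one. Real implementations below; tests can pass dict-backed fakes.
Getter = Callable[[str], Optional[str]]
Setter = Callable[[str, str], None]


def os_getter(path: str) -> Optional[str]:
    """Read user.pax.flags with the real xattr API; None if unset/unsupported."""
    try:
        return os.getxattr(path, PAX_XATTR, follow_symlinks=False).decode()
    except OSError:
        return None


def os_setter(path: str, flags: str) -> None:
    """Write user.pax.flags on the file itself, never through a symlink."""
    os.setxattr(path, PAX_XATTR, flags.encode(), follow_symlinks=False)


def walk_regular_files(root: str) -> Iterable[str]:
    """Yield regular files under root; symlinks are skipped (mark the target)."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            if os.path.isfile(p) and not os.path.islink(p):
                yield p


def snapshot(paths: Iterable[str], getter: Getter = os_getter) -> Dict[str, str]:
    """Return {path: flags} for every path that currently carries a marking."""
    manifest: Dict[str, str] = {}
    for p in paths:
        flags = getter(p)
        if flags:
            manifest[p] = flags
    return manifest


def find_missing(manifest: Dict[str, str], getter: Getter = os_getter) -> Dict[str, str]:
    """Markings from the manifest that are now absent or differ from the record."""
    return {p: f for p, f in manifest.items() if getter(p) != f}


def restore(manifest: Dict[str, str], getter: Getter = os_getter,
            setter: Setter = os_setter) -> int:
    """Re-apply every missing/changed marking; returns the number re-marked."""
    missing = find_missing(manifest, getter)
    for p, flags in missing.items():
        setter(p, flags)
    return len(missing)


def main(argv) -> int:
    """CLI: snapshot <root> <manifest> | check <manifest> | restore <manifest>."""
    if len(argv) < 3:
        print(__doc__)
        return 2
    cmd, arg = argv[1], argv[2]
    if cmd == "snapshot":
        manifest = snapshot(walk_regular_files(arg))
        with open(argv[3], "w") as fh:
            json.dump(manifest, fh, indent=1, sort_keys=True)
        print("recorded %d markings" % len(manifest))
        return 0
    with open(arg) as fh:
        manifest = json.load(fh)
    if cmd == "check":
        for p, f in sorted(find_missing(manifest).items()):
            print("%s\texpected %s\tnow %s" % (p, f, os_getter(p)))
        return 0
    if cmd == "restore":
        print("re-marked %d files" % restore(manifest))
        return 0
    print("unknown command", cmd)
    return 2


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run `snapshot /usr manifest.json` as root while still on the hardened kernel, then `check manifest.json` after booting the new one; `restore` requires a kernel and filesystem that accept the xattr, so run it only once you are back on a kernel that does.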


Re: [gentoo-dev] The status of grsecurity upstream and hardened-sources downstream

2017-06-26 Thread Jason A. Donenfeld
On Mon, Jun 26, 2017 at 9:30 AM, Alice Ferrazzi  wrote:
>
> Linus Torvalds on grsecurity:
> https://www.spinics.net/lists/kernel/msg2540934.html

Spender responds:
http://www.openwall.com/lists/oss-security/2017/06/24/1

Popcorn-worthy thread.



Re: [gentoo-dev] The status of grsecurity upstream and hardened-sources downstream

2017-06-26 Thread Alice Ferrazzi
Linus Torvalds on grsecurity:
https://www.spinics.net/lists/kernel/msg2540934.html


-- 
Thanks,
Alice Ferrazzi

Gentoo Kernel Project Leader
Mail: Alice Ferrazzi 
PGP: 2E4E 0856 461C 0585 1336 F496 5621 A6B2 8638 781A