The status of grsecurity upstream and hardened-sources downstream
Hi everyone,

Since late April, grsecurity upstream has stopped making their patches
available publicly. Without going into details, the reason for their
decision revolves around disputes about how their patches were being
(ab)used.

Since the grsecurity patch formed the main core of our hardened-sources
kernel, their decision has serious repercussions for the Hardened Gentoo
project. I will no longer be able to support hardened-sources and will
have to eventually mask and remove it from the tree.

Hardened Gentoo has two sides to it, kernel hardening (done via
hardened-sources) and toolchain/executable hardening. The two are
interrelated but independent enough that toolchain hardening can
continue on its own. The hardened kernel, however, provided PaX
protection for executables and this will be lost. We did a lot of work
to properly maintain PaX markings in our package management system and
there was no part of Gentoo that wasn't touched by issues stemming from
PaX support.

I waited two months before saying anything because the reasons were more
of a political nature than some technical issue. At this point, I think
it's time to let the community know about the state of affairs with
hardened-sources.

I can no longer get into the #grsecurity/OFTC channel (nothing personal,
they kicked everyone), and so I have not spoken to spengler or pipacs.
I don't know if they will ever release grsecurity patches again.

My plan then is as follows. I'll wait one more month and then send out
a news item and later mask hardened-sources for removal. I don't
recommend we remove any of the machinery from Gentoo that deals with PaX
markings.

I welcome feedback.

--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : blueness@gentoo.org
GnuPG FP : 1FED FAD9 D82C 52A5 3BAB DC79 9384 FA6E F52D 4BBA
GnuPG ID : F52D4BBA
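The "PaX markings" Anthony refers to are per-executable flags that tell a PaX kernel which protections (PAGEEXEC, SEGMEXEC, MPROTECT, ...) to enable or disable for that binary; one place they live is a PT_PAX_FLAGS program header in the ELF. The following is an added example, not code from this thread or from the Hardened Gentoo project: it reads that header from an ELF image and decodes each feature's state, using the flag bit values from PaX's elf.h; the ELF it parses is constructed inline for the demonstration.

```python
import struct

PT_PAX_FLAGS = 0x65041580  # PT_LOOS + 0x5041580: PaX's own program header type
# Each PaX feature has an "enable" bit and a "disable" bit; neither set = kernel default.
PAX_FLAG_BITS = {
    "PAGEEXEC": (1 << 4, 1 << 5),
    "SEGMEXEC": (1 << 6, 1 << 7),
    "MPROTECT": (1 << 8, 1 << 9),
    "RANDEXEC": (1 << 10, 1 << 11),
    "EMUTRAMP": (1 << 12, 1 << 13),
    "RANDMMAP": (1 << 14, 1 << 15),
}

def pax_flags_from_elf(data: bytes):
    """Return p_flags of the PT_PAX_FLAGS program header, or None if the ELF has none."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2
    end = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little-endian, 2 = big-endian
    if is64:
        e_phoff, = struct.unpack_from(end + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
    else:
        e_phoff, = struct.unpack_from(end + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x2A)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, = struct.unpack_from(end + "I", data, off)
        if p_type == PT_PAX_FLAGS:
            # Elf64_Phdr keeps p_flags right after p_type; Elf32_Phdr keeps it at offset 24.
            return struct.unpack_from(end + "I", data, off + (4 if is64 else 24))[0]
    return None

def decode_pax_flags(p_flags: int):
    """Map each feature to enabled / disabled / default / conflict (both bits set)."""
    state = {}
    for name, (on, off) in PAX_FLAG_BITS.items():
        has_on, has_off = bool(p_flags & on), bool(p_flags & off)
        state[name] = ("conflict" if has_on and has_off else "enabled" if has_on
                       else "disabled" if has_off else "default")
    return state

def build_sample_elf64(p_flags: int) -> bytes:
    """Constructed minimal x86-64 little-endian ELF whose only program header is PT_PAX_FLAGS."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + b"\x00" * 9
    # ET_EXEC, EM_X86_64, version 1, entry 0, phoff 64, shoff 0, flags 0, ehsize 64,
    # phentsize 56, phnum 1, shentsize 64, shnum 0, shstrndx 0
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_PAX_FLAGS, p_flags, 0, 0, 0, 0, 0, 0)
    return ehdr + phdr

if __name__ == "__main__":
    # A typical marking for a program that needs writable+executable memory (e.g. a JIT):
    # MPROTECT explicitly disabled for this binary only, everything else left at kernel default.
    print(decode_pax_flags(pax_flags_from_elf(build_sample_elf64(1 << 9))))
```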
Re: The status of grsecurity upstream and hardened-sources downstream
On Fri, Jun 23, 2017 at 12:28:27PM -0400, Anthony G. Basile wrote:
> My plan then is as follows. I'll wait one more month and then send
> out a news item and later mask hardened-sources for removal. I don't
> recommend we remove any of the machinery from Gentoo that deals with
> PaX markings.
>
> I welcome feedback.

Is it possible to at least support 4.9 until its LTS term is over?
Re: The status of grsecurity upstream and hardened-sources downstream
Have you thought about using another alternative apart from grsec as the
kernel-side solution? PaX is PaX, it's a great loss, but rsbac and selinux
have their W^X, almost all CPUs today have the NX bit, which reduces the
need for PageExec/SegmExec, and I think there exist some gcc plugins with
PaX-like functions.

rsbac has its git public and selinux is in vanilla. Maybe you could
consider using the rsbac git kernel as the new hardened-sources kernel-land
solution, but I have not tested selinux under this kernel.

Under rsbac the PaX userland is not needed; MPROTECT controls it and can be
switched individually in kernel land because it is something like a
request under rsbac. Not all functions of PaX, but good enough in my opinion.

On 23/06/17 18:28, Anthony G. Basile wrote:
> [...]
Re: The status of grsecurity upstream and hardened-sources downstream
On Fri, 23 Jun 2017 12:28:27 -0400

> My plan then is as follows. I'll wait one more month and then send
> out a news item and later mask hardened-sources for removal. I don't
> recommend we remove any of the machinery from Gentoo that deals with
> PaX markings.
>
> I welcome feedback.

I won't mention the OS I love but tend to avoid linux almost completely
these days since the systemd invasion on binary distros but also because
modern Windows has more default kernel hardening features than upstream
Linux (binary packaged kernels). Hardened Gentoo is among the best. I am
sorry to hear this? I hope it will resolve itself more satisfactorily,
eventually.

Good luck and regards, Kc
Re: [gentoo-project] The status of grsecurity upstream and hardened-sources downstream
On Fri, 23 Jun 2017 12:28:27 -0400
"Anthony G. Basile" <blueness@gentoo.org> wrote:

> My plan then is as follows. I'll wait one more month and then send out
> a news item and later mask hardened-sources for removal. I don't
> recommend we remove any of the machinery from Gentoo that deals with PaX
> markings.

Thanks for the status update!

--

Sergei
Re: The status of grsecurity upstream and hardened-sources downstream
On 23/06/17 at 18:28, Anthony G. Basile wrote:
> [...]
Hi!

I know that minipli has been working on keeping the last released grsec
patches up to date on the 4.9 LTS branch and was sharing his work on a
github repository.

I believe his work could be a good alternative for a few more years and
give us enough time to see how everything evolves.

Maybe the upstream people start taking things seriously and we can drop
the hardened-sources by then (not very optimistic about that though). Or
maybe spender and the PaX Team start releasing patches again (as the
situation looks now I also doubt it). Either way it will buy us time at
the expense of lack of new hardware compatibility.

Klondike
Re: The status of grsecurity upstream and hardened-sources downstream
Hi!

On Fri, Jun 23, 2017 at 12:28:27PM -0400, Anthony G. Basile wrote:
> My plan then is as follows. I'll wait one more month and then send out
> a news item and later mask hardened-sources for removal.

Well, it's about a month now. I didn't reply earlier because others
already mentioned all the good ideas and I was hoping these ideas would be
accepted… :(

But, just in case, I'm +1 for both ideas: to keep 4.9 LTS support as long
as possible (and mark one of hardened-sources-4.9.x as stable) to give us
a couple of years to find another solution and/or develop a migration plan
from GrSecurity/PaX to RSBAC (or anything else which provides the best
available security level for modern kernels) - anything better than just
"switch to gentoo-sources and enable SELinux to feel real pain" will go.

Seriously, which options do we actually have right now, if hardened-sources
will be masked next week and removed from the tree next month?

--
WBR, Alex.
Re: The status of grsecurity upstream and hardened-sources downstream
On Tue, Jul 18, 2017 at 5:34 AM, Alex Efros <powerman@powerman.name> wrote:
> Hi!
>
> On Fri, Jun 23, 2017 at 12:28:27PM -0400, Anthony G. Basile wrote:
>> My plan then is as follows. I'll wait one more month and then send out
>> a news item and later mask hardened-sources for removal.
>
> Well, it's about a month now. I didn't replied earlier because others
> already mentioned all good ideas and I was hoping these ideas will be
> accepted… :(
>
> But, just in case, I'm +1 for both ideas to keep 4.9 LTS support as long
> as possible (and mark one of hardened-sources-4.9.x as stable) to give us
> a couple of years [...]
>

I agree, there are this solution seems popular among people using
other distributions who want to continue to use grsecurity.
Re: The status of grsecurity upstream and hardened-sources downstream
On Tue, Jul 18, 2017 at 9:37 AM, R0b0t1 <r030t1@gmail.com> wrote:
> [...] there are this solution seems [...]

I even reread that a few times. My apologies.
Re: The status of grsecurity upstream and hardened-sources downstream
On Fri, 2017-06-23 at 19:09 +0200, Javier Juan Martinez Cabezon wrote:
> Have you thought about using another alternative apart from grsec as the
> kernel-side solution? PaX is PaX, it's a great loss, but rsbac and selinux
> have their W^X, almost all CPUs today have the NX bit, which reduces the
> need for PageExec/SegmExec, and I think there exist some gcc plugins with
> PaX-like functions.
>
> rsbac has its git public and selinux is in vanilla. Maybe you could
> consider using the rsbac git kernel as the new hardened-sources kernel-land
> solution, but I have not tested selinux under this kernel.
>
> Under rsbac the PaX userland is not needed; MPROTECT controls it and can be
> switched individually in kernel land because it is something like a
> request under rsbac. Not all functions of PaX, but good enough in my opinion.
>
> On 23/06/17 18:28, Anthony G. Basile wrote:
> > [...]
>

How do I play with RSBAC, there are nice wiki pages etc but all the
ebuilds are removed from portage?

Regards:
Cor
Re: The status of grsecurity upstream and hardened-sources downstream
> How do I play with RSBAC, there are nice wiki pages etc but all the
> ebuilds are removed from portage?
>
> Regards:
> Cor

You can download the rsbac sources from their git:

https://git.rsbac.org/cgi-bin/gitweb.cgi?p=linux-4.9.y.git;a=summary

You will need the rsbac-admin tools too:

https://git.rsbac.org/cgi-bin/gitweb.cgi?p=rsbac-admin.git;a=summary

After that, check its handbook:

https://www.rsbac.org/documentation/rsbac_handbook

and make use of the learning mode of the CAP, AUTH and RC modules.
Re: The status of grsecurity upstream and hardened-sources downstream
On 24.07.2017 18:46, Cor Legemaat wrote:
> On Fri, 2017-06-23 at 19:09 +0200, Javier Juan Martinez Cabezon wrote:
>> [...]
>
> How do I play with RSBAC, there are nice wiki pages etc but all the
> ebuilds are removed from portage?
>
> Regards:
> Cor

Hi,

https://bitbucket.org/igraltist/kiste

This is my private overlay, but there is an rsbac-admin ebuild.

Jens