
Re: [gentoo-dev] New item for sys-kernel/hardened-sources removal
On 15/08/17 at 17:01, Francisco Blas Izquierdo Riera (klondike) wrote:
> Hi!
>
> I'd like to get this one up by Saturday so that we can proceed with
> masking and removing of the hardened-sources after upstream stopped
> releasing new patches.
>
> This is my first time writing a news item so all input will be appreciated.
>
> As for the rationale behind this, we need to clearly inform users as to
> the options available for hardening their system kernels after the
> removal of the hardened-sources.
>
> Sincerely,
> Klondike
>
Updated the news item following comments from dilfridge, mrueg and
floppym. Also made it display to users of hardened profiles.
Re: [gentoo-dev] New item for sys-kernel/hardened-sources removal
On 15/08/17 at 18:08, Ulrich Mueller wrote:
>>>>>> On Tue, 15 Aug 2017, Francisco Blas Izquierdo Riera (klondike) wrote:
>> Updated the news item following comments from dilfridge, mrueg and
>> floppym. Also made it display to users of hardened profiles.
> Some very minor comments:
>
>> Author: Francisco Blas Izquierdo Riera (klondike) <klondike@gentoo.org>
> Format of the line is "Real Name <email@address>", so I'd suggest to
> drop the nick in parentheses, especially since it is there in the
> e-mail address anyway.
>
>> Because of that we will be masking the hardened-sources on the 27th of
>> August and will proceed to remove then from the tree by the end of
>> September. [...]
> s/then/them/
>
>> As an alternative, for users happy keeping themselves on the stable
>> 4.9 branch of the kernel minipli, another Grsec user, is forward
>> porting the patches on [3].
> I had difficulties parsing this sentence. Insert a comma after
> "kernel"? Also there is spurious whitespace before "stable".
>
> Ulrich

Thanks for your input; I have addressed your comments on the attached
news item.

I have also added a note regarding the other PaX related packages as
these won't still be removed.


Klondike
Re: [gentoo-dev] New item for sys-kernel/hardened-sources removal
On 16/08/17 at 09:40, Marek Szuba wrote:
> Two tiny bits of formal nitpicking from my side:
> - it's "grsecurity" (not a typo, they do use a lowercase g except when
> the name appears at the beginning of a sentence), not "grsec";
> - the patches were not *distributed by* grsecurity, they *are*
> grsecurity. The vendor's name is Open Source Security, Inc.

Nowadays it is, but this hasn't always been the case. You'll notice the
presence of a /dev/grsec and you'll also find grsec referenced across
some old patches. Anyways I changed it.

The same applies to Open Source Security, Inc.: the company was founded
in 2008 but grsecurity has been around for much longer. That's why I
prefer to refer to Brad Spengler and The PaX team here as they are still
the real upstream behind Open Source Security, Inc.
Re: Re: [gentoo-dev] New item for sys-kernel/hardened-sources removal
On 16/08/17 11:09, Francisco Blas Izquierdo Riera (klondike) wrote:
> On 16/08/17 at 09:40, Marek Szuba wrote:
>> Two tiny bits of formal nitpicking from my side:
>> - it's "grsecurity" (not a typo, they do use a lowercase g except when
>> the name appears at the beginning of a sentence), not "grsec";
>> - the patches were not *distributed by* grsecurity, they *are*
>> grsecurity. The vendor's name is Open Source Security, Inc.
> Nowadays it is, but this hasn't always been the case. You'll notice the
> presence of a /dev/grsec and you'll also find grsec referenced across
> some old patches. Anyways I changed it.
>
> The same applies to Open Source Security, Inc.: the company was founded
> in 2008 but grsecurity has been around for much longer. That's why I
> prefer to refer to Brad Spengler and The PaX team here as they are still
> the real upstream behind Open Source Security, Inc.
>
>
Would anyone like to outline a simple process to migrate from
hardened-sources + hardened tool-chain to gentoo-sources? Presumably if
I just drag my config file across it will cause all sorts of problems?
Do I need to work backwards through the hardening guide, for example?

Thanks
Re: Re: [gentoo-dev] New item for sys-kernel/hardened-sources removal
On 16/08/17 at 15:36, Robert Sharp wrote:
> On 16/08/17 11:09, Francisco Blas Izquierdo Riera (klondike) wrote:
>> On 16/08/17 at 09:40, Marek Szuba wrote:
>>> Two tiny bits of formal nitpicking from my side:
>>> - it's "grsecurity" (not a typo, they do use a lowercase g except when
>>> the name appears at the beginning of a sentence), not "grsec";
>>> - the patches were not *distributed by* grsecurity, they *are*
>>> grsecurity. The vendor's name is Open Source Security, Inc.
>> Nowadays it is, but this hasn't always been the case. You'll notice the
>> presence of a /dev/grsec and you'll also find grsec referenced across
>> some old patches. Anyways I changed it.
>>
>> The same applies to Open Source Security, Inc.: the company was founded
>> in 2008 but grsecurity has been around for much longer. That's why I
>> prefer to refer to Brad Spengler and The PaX team here as they are still
>> the real upstream behind Open Source Security, Inc.
>>
>>
> Would anyone like to outline a simple process to migrate from
> hardened-sources + hardened tool-chain to gentoo-sources?
>
Unless you want to drop userspace hardening (which most likely you don't
as it is still useful on vanilla kernels) a simple copy of the .config
file to gentoo sources followed by make oldconfig will work in the vast
majority of cases.

> Presumably if I just drag my config file across it will cause all
> sorts of problems?
>
Nah, not really, as long as you do oldconfig you should be fine. Most of
the config changes were compartmentalized under the grsecurity section.

> Do I need to work backwards through the hardening guide, for example?
>
Definitively not :)
Re: Re: [gentoo-dev] New item for sys-kernel/hardened-sources removal
On 08/16/2017 10:37 AM, Francisco Blas Izquierdo Riera (klondike) wrote:
>>>
>> Would anyone like to outline a simple process to migrate from
>> hardened-sources + hardened tool-chain to gentoo-sources?
>>
> Unless you want to drop userspace hardening (which most likely you don't
> as it is still useful on vanilla kernels) a simple copy of the .config
> file to gentoo sources followed by make oldconfig will work in the vast
> majority of cases.
>


There is one thing you have to watch out for: certain vanilla kernel
hardened features were subjugated to grsecurity ones and you'll probably
want to enable them. For example, you probably want CONFIG_VMAP_STACK
once you've switched, but it won't be enabled in your old .config
because it conflicts with GRKERNSEC_KSTACKOVERFLOW.

(It would help to collect those options on a wiki page?)
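As an added illustration, not part of any message in this thread: a small POSIX sh helper that previews what `make oldconfig` will do to a hardened-sources .config, listing the grsecurity/PaX symbols a vanilla tree will drop and flagging CONFIG_VMAP_STACK when GRKERNSEC_KSTACKOVERFLOW had kept it disabled. The .config fragment is constructed, and `migrate_config` is a hypothetical wrapper around the copy-plus-oldconfig step recommended above.

```shell
#!/bin/sh
# Added example: preview a hardened-sources .config before carrying it
# over to gentoo-sources. Constructed sample standing in for a real file.
SAMPLE_CONFIG='CONFIG_GRKERNSEC=y
CONFIG_GRKERNSEC_KSTACKOVERFLOW=y
CONFIG_PAX=y
CONFIG_PAX_MEMORY_UDEREF=y
# CONFIG_VMAP_STACK is not set
CONFIG_CC_STACKPROTECTOR_STRONG=y
CONFIG_MODULES=y'

# grsecurity/PaX symbols in the old config: a vanilla tree does not know
# them, so oldconfig drops them silently. Print them so nothing vanishes
# unnoticed.
list_dropped_options() {
    printf '%s\n' "$1" | awk -F= '/^CONFIG_(GRKERNSEC|PAX)[A-Z0-9_]*=/ { print $1 }'
}

# Return 0 when OPTION is off in the config (absent or "is not set");
# oldconfig keeps that "off" state, so the user must re-enable by hand.
option_is_unset() {
    option=$1; cfg=$2
    ! printf '%s\n' "$cfg" | grep -q "^${option}=[ym]\$"
}

# Vanilla features that a grsecurity option had superseded and therefore
# left disabled. Only the pair named in the thread is checked here.
suggest_reenable() {
    cfg=$1
    if printf '%s\n' "$cfg" | grep -q '^CONFIG_GRKERNSEC_KSTACKOVERFLOW=y$' \
       && option_is_unset CONFIG_VMAP_STACK "$cfg"; then
        echo CONFIG_VMAP_STACK
    fi
}

# Hypothetical wrapper for the migration itself: copy the old .config
# into the gentoo-sources tree and let oldconfig resolve new symbols.
migrate_config() {
    old_config=$1; kernel_tree=$2
    cp "$old_config" "$kernel_tree/.config" && make -C "$kernel_tree" oldconfig
}

# Stand-alone run: show what would be dropped and what to turn back on.
echo "Options oldconfig will drop:"; list_dropped_options "$SAMPLE_CONFIG"
echo "Consider enabling:"; suggest_reenable "$SAMPLE_CONFIG"
```

Run it against a real file with `list_dropped_options "$(cat /usr/src/linux/.config)"` before invoking `migrate_config`, then walk the printed symbols in `make menuconfig`.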
Re: Re: [gentoo-dev] New item for sys-kernel/hardened-sources removal
On 16.08.2017 16:46, Michael Orlitzky wrote:
> There is one thing you have to watch out for: certain vanilla kernel
> hardened features were subjugated to grsecurity ones and you'll
> probably
> want to enable them. For example, you probably want CONFIG_VMAP_STACK
> once you've switched, but it won't be enabled in your old .config
> because it conflicts with GRKERNSEC_KSTACKOVERFLOW.
>
> (It would help to collect those options on a wiki page?)

http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings

That probably covers all relevant options on a vanilla kernel.