On Fri, 2017-06-23 at 19:09 +0200, Javier Juan Martinez Cabezon wrote:
> Have you thought of using another alternative apart from grsec as a
> kernel-side solution? PaX is PaX, it's a great loss, but rsbac and
> selinux have their w or x, almost all CPUs today have the NX bit and
> reduce the need for PageExec/SegmExec, and I think that there exist
> some gcc plugins with PaX-like functions.
>
> rsbac has its git public and selinux is in vanilla. Maybe you could
> consider using the rsbac git kernel as the new hardened-sources kernel
> land solution, but I have not tested selinux under this kernel.
>
> Under rsbac, PaX userland is not needed; MPROTECT controls it and can
> be switched individually in kernel land because it is something like a
> request under rsbac. Not all functions of PaX, but good enough in my
> opinion.
>
> On 23/06/17 18:28, Anthony G. Basile wrote:
> >
> > Hi everyone,
> >
> > Since late April, grsecurity upstream has stopped making their
> > patches available publicly. Without going into details, the reason
> > for their decision revolves around disputes about how their patches
> > were being (ab)used.
> >
> > Since the grsecurity patch formed the main core of our
> > hardened-sources kernel, their decision has serious repercussions
> > for the Hardened Gentoo project. I will no longer be able to support
> > hardened-sources and will have to eventually mask and remove it from
> > the tree.
> >
> > Hardened Gentoo has two sides to it, kernel hardening (done via
> > hardened-sources) and toolchain/executable hardening. The two are
> > interrelated but independent enough that toolchain hardening can
> > continue on its own. The hardened kernel, however, provided PaX
> > protection for executables and this will be lost. We did a lot of
> > work to properly maintain PaX markings in our package management
> > system and there was no part of Gentoo that wasn't touched by issues
> > stemming from PaX support.
> >
> > I waited two months before saying anything because the reasons were
> > more of a political nature than some technical issue. At this point,
> > I think it's time to let the community know about the state of
> > affairs with hardened-sources.
> >
> > I can no longer get into the #grsecurity/OFTC channel (nothing
> > personal, they kicked everyone), and so I have not spoken to
> > spengler or pipacs. I don't know if they will ever release
> > grsecurity patches again.
> >
> > My plan then is as follows. I'll wait one more month and then send
> > out a news item and later mask hardened-sources for removal. I don't
> > recommend we remove any of the machinery from Gentoo that deals with
> > PaX markings.
> >
> > I welcome feedback.
> >

How do I play with RSBAC? There are nice wiki pages etc., but all the
ebuilds are removed from portage.

Regards: Cor