Re: [gentoo-dev] New item for sys-kernel/hardened-sources removal


Re: [gentoo-dev] New item for sys-kernel/hardened-sources removal

Francisco Blas Izquierdo Riera (klondike)
On 15/08/17 at 17:01, Francisco Blas Izquierdo Riera (klondike) wrote:

> Hi!
>
> I'd like to get this one up by Saturday so that we can proceed with
> masking and removing of the hardened-sources after upstream stopped
> releasing new patches.
>
> This is my first time writing a news item so all input will be appreciated.
>
> As for the rationale behind this, we need to clearly inform users as to
> the options available for hardening their system kernels after the
> removal of the hardened-sources.
>
> Sincerely,
> Klondike
>
Updated the news item following comments from dilfridge, mrueg and
floppym. Also made it display to users of hardened profiles.


Attachment: 2017-08-19-hardened-sources-removal.en.txt (2K)
Attachment: signature.asc (845 bytes)

Re: [gentoo-dev] New item for sys-kernel/hardened-sources removal

Francisco Blas Izquierdo Riera (klondike)
On 15/08/17 at 18:08, Ulrich Mueller wrote:

>>>>>> On Tue, 15 Aug 2017, Francisco Blas Izquierdo Riera (klondike) wrote:
>> Updated the news item following comments from dilfridge, mrueg and
>> floppym. Also made it display to users of hardened profiles.
> Some very minor comments:
>
>> Author: Francisco Blas Izquierdo Riera (klondike) <[hidden email]>
> Format of the line is "Real Name <email@address>", so I'd suggest to
> drop the nick in parentheses, especially since it is there in the
> e-mail address anyway.
>
>> Because of that we will be masking the hardened-sources on the 27th of
>> August and will proceed to remove then from the tree by the end of
>> September. [...]
> s/then/them/
>
>> As an alternative, for users happy keeping themselves on the  stable
>> 4.9 branch of the kernel minipli, another Grsec user, is forward
>> porting the patches on [3].
> I had difficulties parsing this sentence. Insert a comma after
> "kernel"? Also there is spurious whitespace before "stable".
>
> Ulrich
Thanks for your input, I have addressed your comments on the attached
news item.

I have also added a note regarding the other PaX related packages as
these won't still be removed.


Klondike


Attachment: 2017-08-19-hardened-sources-removal.en.txt (2K)
Attachment: signature.asc (845 bytes)

Re: [gentoo-dev] New item for sys-kernel/hardened-sources removal

Francisco Blas Izquierdo Riera (klondike)
On 16/08/17 at 09:40, Marek Szuba wrote:
> Two tiny bits of formal nitpicking from my side:
>  - it's "grsecurity" (not a typo, they do use a lowercase g except when
> the name appears at the beginning of a sentence), not "grsec";
>  - the patches were not *distributed by* grsecurity, they *are*
> grsecurity. The vendor's name is Open Source Security, Inc.

Nowadays it is, but this hasn't always been the case. You'll notice the
presence of a /dev/grsec and you'll also find grsec referenced across
some old patches. Anyways I changed it.

The same applies to Open Source Security, Inc.: the company was founded
in 2008 but grsecurity has been around for much longer. That's why I
prefer to refer to Brad Spengler and The PaX team here as they are still
the real upstream behind Open Source Security, Inc.



Attachment: 2017-08-19-hardened-sources-removal.en.txt (3K)
Attachment: signature.asc (845 bytes)

Re: [gentoo-dev] New item for sys-kernel/hardened-sources removal

Robert Sharp
On 16/08/17 11:09, Francisco Blas Izquierdo Riera (klondike) wrote:
> On 16/08/17 at 09:40, Marek Szuba wrote:
>> Two tiny bits of formal nitpicking from my side:
>>  - it's "grsecurity" (not a typo, they do use a lowercase g except when
>> the name appears at the beginning of a sentence), not "grsec";
>>  - the patches were not *distributed by* grsecurity, they *are*
>> grsecurity. The vendor's name is Open Source Security, Inc.
> Nowadays it is, but this hasn't always been the case. You'll notice the
> presence of a /dev/grsec and you'll also find grsec referenced across
> some old patches. Anyways I changed it.
>
> The same applies to Open Source Security, Inc.: the company was founded
> in 2008 but grsecurity has been around for much longer. That's why I
> prefer to refer to Brad Spengler and The PaX team here as they are still
> the real upstream behind Open Source Security, Inc.


Would anyone like to outline a simple process to migrate from hardened-sources + hardened tool-chain to gentoo-sources? Presumably if I just drag my config file across it will cause all sorts of problems? Do I need to work backwards through the hardening guide, for example?

Thanks


Re: [gentoo-dev] New item for sys-kernel/hardened-sources removal

Francisco Blas Izquierdo Riera (klondike)
On 16/08/17 at 15:36, Robert Sharp wrote:
> On 16/08/17 11:09, Francisco Blas Izquierdo Riera (klondike) wrote:
>> On 16/08/17 at 09:40, Marek Szuba wrote:
>>> Two tiny bits of formal nitpicking from my side:
>>>  - it's "grsecurity" (not a typo, they do use a lowercase g except when
>>> the name appears at the beginning of a sentence), not "grsec";
>>>  - the patches were not *distributed by* grsecurity, they *are*
>>> grsecurity. The vendor's name is Open Source Security, Inc.
>> Nowadays it is, but this hasn't always been the case. You'll notice the
>> presence of a /dev/grsec and you'll also find grsec referenced across
>> some old patches. Anyways I changed it.
>>
>> The same applies to Open Source Security, Inc.: the company was founded
>> in 2008 but grsecurity has been around for much longer. That's why I
>> prefer to refer to Brad Spengler and The PaX team here as they are still
>> the real upstream behind Open Source Security, Inc.
>
> Would anyone like to outline a simple process to migrate from hardened-sources + hardened tool-chain to gentoo-sources?

Unless you want to drop userspace hardening (which most likely you don't as it is still useful on vanilla kernels) a simple copy of the .config file to gentoo sources followed by make oldconfig will work in the vast majority of cases.

> Presumably if I just drag my config file across it will cause all sorts of problems?

Nah, not really, as long as you do oldconfig you should be fine. Most of the config changes were compartmentalized under the grsecurity section.

> Do I need to work backwards through the hardening guide, for example?

Definitively not :)

Attachment: signature.asc (845 bytes)

Re: [gentoo-dev] New item for sys-kernel/hardened-sources removal

Michael Orlitzky
On 08/16/2017 10:37 AM, Francisco Blas Izquierdo Riera (klondike) wrote:
>>>
>> Would anyone like to outline a simple process to migrate from
>> hardened-sources + hardened tool-chain to gentoo-sources?
>>
> Unless you want to drop userspace hardening (which most likely you don't
> as it is still useful on vanilla kernels) a simple copy of the .config
> file to gentoo sources followed by make oldconfig will work in the vast
> majority of cases.
>


There is one thing you have to watch out for: certain vanilla kernel
hardened features were subjugated to grsecurity ones and you'll probably
want to enable them. For example, you probably want CONFIG_VMAP_STACK
once you've switched, but it won't be enabled in your old .config
because it conflicts with GRKERNSEC_KSTACKOVERFLOW.

(It would help to collect those options on a wiki page?)


Re: [gentoo-dev] New item for sys-kernel/hardened-sources removal

philipp.ammann
On 16.08.2017 16:46 Michael Orlitzky wrote:
> There is one thing you have to watch out for: certain vanilla kernel
> hardened features were subjugated to grsecurity ones and you'll
> probably
> want to enable them. For example, you probably want CONFIG_VMAP_STACK
> once you've switched, but it won't be enabled in your old .config
> because it conflicts with GRKERNSEC_KSTACKOVERFLOW.
>
> (It would help to collect those options on a wiki page?)

http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings

That probably covers all relevant options on a vanilla kernel.
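As an added example, not part of the thread or of any Gentoo tooling, the following POSIX shell audit applies Klondike's "copy .config, then make oldconfig" procedure and Michael's caveat in one pass: it lists the GRKERNSEC/PAX options that gentoo-sources will silently drop and flags the vanilla option the thread names (CONFIG_VMAP_STACK) that GRKERNSEC_KSTACKOVERFLOW masked. The sample .config fragment is constructed, and the masked-pair table holds only the pair from the thread; it is meant to be extended from the KSPP recommended-settings list linked above.

```shell
#!/bin/sh
# Audit a hardened-sources .config before `make oldconfig` on gentoo-sources.
# Added example (not from the thread); needs only a POSIX sh, grep and cut.

# Constructed sample of a hardened-sources .config (not a real config file).
SAMPLE_CONFIG=$(cat <<'EOF'
CONFIG_PAX=y
CONFIG_GRKERNSEC=y
CONFIG_GRKERNSEC_KSTACKOVERFLOW=y
# CONFIG_VMAP_STACK is not set
CONFIG_SECURITY=y
EOF
)

# List the grsecurity/PaX options set in the config. gentoo-sources has no
# Kconfig entries for them, so `make oldconfig` drops them without asking.
grsec_options() {
    printf '%s\n' "$1" | grep -E '^CONFIG_(GRKERNSEC|PAX)[A-Z0-9_]*=y' | cut -d= -f1
}

# Return 0 when option $2 is built in or modular in config $1, 1 otherwise
# (covers both "# CONFIG_X is not set" and an absent line).
config_enabled() {
    printf '%s\n' "$1" | grep -qE "^$2=[ym]$"
}

# Pairs "GRSEC_OPTION VANILLA_OPTION": the vanilla feature was hidden while
# the grsecurity one was selected. Only the pair named in the thread is listed;
# extend it from the KSPP recommended-settings page.
masked_pairs() {
    printf '%s\n' 'CONFIG_GRKERNSEC_KSTACKOVERFLOW CONFIG_VMAP_STACK'
}

# Print the vanilla options to turn on after `make oldconfig`: those whose
# grsecurity counterpart was enabled but which the old config leaves unset.
recommend() {
    masked_pairs | while read -r grsec vanilla; do
        if config_enabled "$1" "$grsec" && ! config_enabled "$1" "$vanilla"; then
            printf '%s\n' "$vanilla"
        fi
    done
}

# Usage on a real tree: CFG=$(cat /usr/src/linux/.config); recommend "$CFG"
echo "grsecurity options that will be dropped:"
grsec_options "$SAMPLE_CONFIG"
echo "vanilla options to enable after make oldconfig:"
recommend "$SAMPLE_CONFIG"
```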