Unofficial hardened-sources ebuilds?

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

Unofficial hardened-sources ebuilds?

Alex Efros-4
Hi!

Quoting news item:

> As an alternative, for users happy keeping themselves on the stable
> 4.9 branch of the kernel minipli, another Grsec user, is forward
> porting the patches on [3].
>
> Strcat from Copperhead OS is making his own version of the patches
> forward ported to the latest version of the Linux tree at [4].
>
> The Gentoo Hardened team can't make any statement regarding the
> security, reliability or update availability of either those patches
> as we aren't providing them and can't therefore make any
> recommendation regarding their use.
>
> We'd like to note that all the userspace hardening and MAC support
> for SELinux provided by Gentoo Hardened will still remain there and
> is unaffected by this removal.
>
> [3] https://github.com/minipli/linux-unofficial_grsec
> [4] https://github.com/copperhead/linux-hardened

Sounds cool, but is anyone is going to provide ebuilds for these kernels?
Not official, but having these in some overlay is better than nothing.

--
                        WBR, Alex.

Reply | Threaded
Open this post in threaded view
|

Re: Unofficial hardened-sources ebuilds?

philipp.ammann
Am 15.08.2017 21:13 schrieb Alex Efros:
> [...]
>>
>> [3] https://github.com/minipli/linux-unofficial_grsec
>> [4] https://github.com/copperhead/linux-hardened
>
> Sounds cool, but is anyone is going to provide ebuilds for these
> kernels?
> Not official, but having these in some overlay is better than nothing.

You don't really need an ebuild. What I do is manually install
sys-devel/bc and then:

cd /usr/src
git clone --single-branch --branch=linux-4.9.x-unofficial_grsec  
git://github.com/minipli/linux-unofficial_grsec.git grsec
ln -s grsec linux

(You 'need' the linux symlink for ebuilds to be able to check .config
options)

Whenever there is a new release simply run 'git pull'.

Cheers
Philipp



Reply | Threaded
Open this post in threaded view
|

Re: Unofficial hardened-sources ebuilds?

Alex Efros-4
Hi!

On Tue, Aug 15, 2017 at 10:39:30PM +0200, [hidden email] wrote:
> You don't really need an ebuild. What I do is manually install
> sys-devel/bc and then:
...
> Whenever there is a new release simply run 'git pull'.

Ebuild is anyway useful - if it's not -9999 then it let me control which
version (tag) will be installed at all my servers using standard
portage-way (/etc/portage/package.*). With git I'll have to do manual `git
checkout TAG` on every server to get same (tested) version everywhere.

--
                        WBR, Alex.