On Sun, Apr 15, 2018 at 7:04 PM, Anthony G. Basile <bluen...@gentoo.org> wrote:
> Hi everyone,
>
> Magnus (aka Zorry) and I have been talking about what to do with PaX in
> the Gentoo tree. A year ago, grsecurity.net upstream stopped providing
> open versions of their patches to the community and this basically
> brought an end to sys-kernel/hardened-sources. I waited a while before
> masking the package in the hope that upstream might reconsider. There
> were also some forks but I didn't have much confidence in them. I'm not
> sure that any of these forks have been able to keep up past
> Meltdown/Spectre.
>
> It may be time to remove sys-kernel/hardened-sources completely from the
> tree. Removing the package is easy, but the issue is there is a lot of
> machinery in the tree that revolves around supporting a PaX kernel.
> This involves things like setting PaX flags on some executables either
> by touching the ELF program headers or the file's extended attributes,
> or applying custom patches.
>
> The question then is, do we remove all this code? As things stand, it's
> just lint that serves no current purpose, so removing it would clean
> things up. The disadvantage is it would be a pita to ever restore it if
> we ever wanted it back. While upstream doesn't provide their patch for
> free, some users/companies can purchase the grsecurity patches and still
> use a custom hardened-sources kernel with Gentoo. But since we haven't
> been able to test the pax markings/custom patches in about a year, it's
> hard to say how useful that code might still be.
>
> I'm just emailing everyone to get advice.
>
I retain hope that compatible features will be added to the kernel. Consequently, I would appreciate if the machinery can be left. If it becomes a maintenance burden in the future I suspect that would be a good time to remove it.

Cheers,
R0b0t1
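The two places the quoted message says Gentoo's machinery puts PaX markings, the ELF program headers and the file's extended attributes, as an added example that is not code from this thread or from Gentoo's pax-utils/pax-mark tooling. The PT_PAX_FLAGS type value (0x65041580), the p_flags bit positions and the letter notation are the ones used by PaX and paxctl; the ELF image is constructed inline as test data, and the `/bin/true` path in the demo is just an illustrative file to query.

```python
"""Locate and decode PaX markings on an executable.

Added example (not code from the Gentoo thread or from pax-utils). PaX
reads per-binary flags from two places: a PT_PAX_FLAGS program header
(p_type 0x65041580, written by paxctl) and the user.pax.flags extended
attribute (written by paxctl-ng or setfattr). Both use paxctl's letter
notation: uppercase enables a feature, lowercase disables it, absent
means the kernel default. A minimal ELF image is constructed inline so
the example runs offline; it is test data, not a loadable binary.
"""
import os
import struct

PT_PAX_FLAGS = 0x65041580      # PT_LOOS + 0x5041580
PAX_XATTR = "user.pax.flags"

# Bit positions of the PT_PAX_FLAGS p_flags field (PF_PAGEEXEC and friends).
PAX_BITS = {
    "P": 1 << 4,  "p": 1 << 5,   # PAGEEXEC / NOPAGEEXEC
    "S": 1 << 6,  "s": 1 << 7,   # SEGMEXEC / NOSEGMEXEC
    "M": 1 << 8,  "m": 1 << 9,   # MPROTECT / NOMPROTECT
    "X": 1 << 10, "x": 1 << 11,  # RANDEXEC / NORANDEXEC
    "E": 1 << 12, "e": 1 << 13,  # EMUTRAMP / NOEMUTRAMP
    "R": 1 << 14, "r": 1 << 15,  # RANDMMAP / NORANDMMAP
}


def encode_flags(letters):
    """Letter notation -> p_flags value; rejects enable+disable of one feature."""
    flags = 0
    for ch in letters:
        if ch not in PAX_BITS:
            raise ValueError("unknown PaX flag %r" % ch)
        if flags & PAX_BITS[ch.swapcase()]:
            raise ValueError("flag %r contradicts %r" % (ch, ch.swapcase()))
        flags |= PAX_BITS[ch]
    return flags


def decode_flags(p_flags):
    """p_flags value -> letter notation, in paxctl's P/S/M/X/E/R order."""
    return "".join(ch for ch, bit in PAX_BITS.items() if p_flags & bit)


def valid_marking(letters):
    """True if a marking string (e.g. read from the xattr) is well formed."""
    try:
        encode_flags(letters)
        return True
    except ValueError:
        return False


def pax_header_flags(elf):
    """Return p_flags of the PT_PAX_FLAGS program header, or None if absent.

    Handles ELFCLASS32/64 and both byte orders; the 32-bit program header
    stores p_flags in a different position than the 64-bit one.
    """
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    end = "<" if elf[5] == 1 else ">"
    if elf[4] == 2:                                   # ELFCLASS64
        hdr = struct.unpack_from(end + "HHIQQQIHHH", elf, 16)
        ph_fmt, flags_idx = end + "IIQQQQQQ", 1
    elif elf[4] == 1:                                 # ELFCLASS32
        hdr = struct.unpack_from(end + "HHIIIIIHHH", elf, 16)
        ph_fmt, flags_idx = end + "IIIIIIII", 6
    else:
        raise ValueError("unknown ELF class")
    phoff, phentsize, phnum = hdr[4], hdr[8], hdr[9]
    for i in range(phnum):
        ph = struct.unpack_from(ph_fmt, elf, phoff + i * phentsize)
        if ph[0] == PT_PAX_FLAGS:
            return ph[flags_idx]
    return None


def pax_xattr_flags(path):
    """Return the user.pax.flags string of a file, or None if it has none
    (or the filesystem does not support user xattrs). Linux only."""
    try:
        return os.getxattr(path, PAX_XATTR).decode("ascii")
    except OSError:
        return None


def build_elf(pax_flags=None, bits=64, little=True):
    """Constructed test image: ELF header plus a PT_NULL program header and,
    when pax_flags is given, a PT_PAX_FLAGS header carrying those bits."""
    phdrs = [(0, 0, 0, 0, 0, 0, 0, 0)]   # (type, flags, off, va, pa, fsz, msz, align)
    if pax_flags is not None:
        phdrs.append((PT_PAX_FLAGS, pax_flags, 0, 0, 0, 0, 0, 0))
    end = "<" if little else ">"
    data = 1 if little else 2
    if bits == 64:
        ident = b"\x7fELF" + bytes([2, data, 1, 0]) + bytes(8)
        hdr = struct.pack(end + "HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
        body = b"".join(struct.pack(end + "IIQQQQQQ", *p) for p in phdrs)
    else:
        ident = b"\x7fELF" + bytes([1, data, 1, 0]) + bytes(8)
        hdr = struct.pack(end + "HHIIIIIHHHHHH", 2, 3, 1, 0, 52, 0, 0, 52, 32, len(phdrs), 0, 0, 0)
        body = b"".join(struct.pack(end + "IIIIIIII", t, off, va, pa, fs, ms, fl, al)
                        for (t, fl, off, va, pa, fs, ms, al) in phdrs)
    return ident + hdr + body


if __name__ == "__main__":
    image = build_elf(encode_flags("mr"))
    print("PT_PAX_FLAGS:", decode_flags(pax_header_flags(image)))  # mr
    print("xattr on /bin/true:", pax_xattr_flags("/bin/true"))      # None unless marked
```

To inspect a real binary, pass `open(path, "rb").read()` to `pax_header_flags` and the path to `pax_xattr_flags`; `readelf -l` lists the program header as `PAX_FLAGS` and `getfattr -n user.pax.flags` shows the xattr, which gives an independent cross-check. The encoder refuses contradictory pairs such as `mM` because a marking that both enables and disables MPROTECT is meaningless and is exactly the kind of inconsistency that goes unnoticed once, as the message says, nobody can test the markings against a PaX kernel.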