According to grsecurity.net, gentoo is not using the latest grsecurity and that's causing problems for people. The fact that they're making gentoo look bad is more of a concern to me than grsecurity not being the latest. I'm filing this in case nobody noticed the notice on grsecurity.net in the hopes that somebody would update grsecurity or at least state the position of gentoo.
Reproducible: Always
Steps to Reproduce:
1. go to http://grsecurity.net or see bug 4268 for an example of weird problems with grsecurity.
The notice only displays if you click through from http://www.gentoo.org/doc/en/gentoo-security.xml, so it's not as bad as I thought.
hmm.
pwd
/usr/portage/sys-kernel/grsec-sources
ls
grsec-sources-2.4.23.1.9.13.ebuild
Seems to be the latest (stable) one. Oh, there's this too: grsec-sources-2.4.22.2.0_rc3-r1.ebuild
I'd like to get some input from the hardened team on this, because I thought they had a good relationship with the grsec people. That notice is not really something people with good relationships do to each other. I can only assume that notice refers to the ancient version of grsec in the ancient 2.4.20 based gentoo-sources. I'd be interested in getting feedback on removing grsec from gentoo-sources and suggesting the use of grsec-sources, which is a much easier to maintain (and hence more up-to-date) kernel with grsec.
Mail sent to spender@grsec about this topic. I want to see how he feels.
--------
How I feel. Well again. I'm opposed to the idea personally. gentoo-sources is the sum of all our work and the removal of it I think would hurt our project. One of the first things that drew me to gentoo was the fact that grsec was included in the kernel. I later joined the project because these things were out of date. gentoo-sources is also the only kernel in portage where a user can have both speed and security.
I think the wording on the grsec site has been changed, but I'm not sure what was said between grsec people and solar, or what was decided about grsec in gentoo-sources. Any feedback? I, personally, would like to see grsec removed from gentoo-sources, because of the maintenance overhead. I think our people have better things to do with their time, like working on 2.6, but that's just my opinion. I'm closing this as LATER, reopen if you want to.
Simple.. Keep up to date.. I can help with this if need be.
solar, the biggest problem is, grsec was patch 9 of well over a hundred patches, it would take an act of god to back an invasive patch like that out from under over 100 other patches. Also, gentoo-sources will at some point be moving to 2.6, and there isn't a grsec for that (unless they've made huge strides since the last time I checked).
iggy, I think Brad Spengler was granted permission to further develop grsecurity by Bucknell University and will be spending the remainder of the semester on 2.6 and the role based access control system, so that's why we don't see it yet. However, fair enough, I can understand the pain here. How about we do something like this, because I don't want to let or see a separation of desktop and basic security go. We put PaX at the base for our non-executable memory, then take the basic feature set from grsecurity ourselves, as it's pretty much just a collection of misc security patches itself with an acl/role system thrown on top. We totally leave out any extra acl/role system and ensure we always have such things as sysctl controllable stateful auditing features (LSM can't guarantee this for us), ro kmem, secure io, basic ptrace protections and a restricted proc. More or less the misc less intrusive parts we are willing to maintain ourselves. If we do this, then the only bad PR that can happen would be from bugs in our porting efforts. I'm keeping the grsec-sources up to date so there should be no problem there. As far as 2.4.x goes we are at end of shelf life and spender is not really adding new features so we really should not have to update much more here. I think this is an ideal solution overall.
I won't try to tell iggy how to handle his project, that would be inappropriate. But I will give some suggestions. As far as I know (last I heard, that is) spender is planning to rip out LSM for 2.6 grsec; while this is purely his prerogative, I will say that it may not be something we should support in our mainline kernels. Most people probably don't use the grsec acls anyway (else they'd use the grsec or hardened sources). The most important (IMO) part of grsec is PaX and some of the other non-acl features like proc restrictions, chroot restrictions, pid randomization, etc. that are easy, free and prevent many vulnerabilities (especially chroot and ptrace based ones). While PaX can cause problems for people that don't know what they are doing (too many options enabled, etc.), the others cause little or no problems and help prevent common problems. The solution I suggest to this is simple: drop grsec out of mainline kernels and add PaX (available for 2.6 already, http://pax.grsecurity.net ) and add the upcoming openpax patches which add the missing non-acl grsec features. This will fit cleanly with LSM, won't cause excessive management and add desperately needed features (even on desktop/workstations).
Brian Jackson, I need you to comment on this so that we may move forward or find an alternative solution.
The next version of gentoo-sources probably won't have grsec, I'll put a big ewarn telling people to use grsec-sources if they need it. I'll even put a note in one of the config.in's telling them to try grsec-sources. I won't have a problem looking at some of the less invasive bits separately when they are available.