On 6/24/17 6:04 AM, Alexis Ballier wrote:
> On Fri, 23 Jun 2017 12:28:27 -0400
> "Anthony G. Basile" <bluen...@gentoo.org> wrote:
>
>> Hardened Gentoo has two sides to it, kernel hardening (done via
>> hardened-sources) and toolchain/executable hardening. The two are
>> interrelated but independent enough that toolchain hardening can
>> continue on its own. The hardened kernel, however, provided PaX
>> protection for executables and this will be lost. We did a lot of
>> work to properly maintain PaX markings in our package management
>> system and there was no part of Gentoo that wasn't touched by issues
>> stemming from PaX support.
>
>
> Good luck to them at providing a complete userland ecosystem for using
> pax protection. Good luck at getting people to accept and review their
> often crashing asm patches at upstream projects that won't even be able
> to test their benefits.
>
> Maybe we should start a business for this? :)
> http://static.sstic.org/videos2015/SSTIC_2015-06-03_P08_CLIP.mp4
> (This is for Patrice)

Correct. Zorry, myself and others on the hardened team did a lot to make userland play nice with the hardened kernel. It represents most of my effort in Gentoo.

> We'll need to decide what to do with things like USE=pic. For media
> packages this is not something you usually want to enable as you can
> bear the 10Mb relocations at startup to have 10% or more performance
> improvement when reading your 2-hour-long movie.

It will be a mess going forward. We will necessarily have to start dropping pax-related stuff, if for no other reason than we can't support making a package work under pax if we have no pax-enabled kernel to test on. Once this is gone, such bugs will float upstream to pipacs and spender. "Good luck" is right.

> Alexis.

--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : bluen...@gentoo.org
GnuPG FP : 1FED FAD9 D82C 52A5 3BAB DC79 9384 FA6E F52D 4BBA
GnuPG ID : F52D4BBA