Have you thought in use other alternative apart grsec as kernel side solution?, PaX is PaX, its a great loss, but rsbac and selinux has their w or x, almost all cpu today has NX bit and reduce the needings of PageExec/SegmExec, and I think that exists some gcc plugins with PaX alike functions.
rsbac has their git public and selinux is in vanilla. Maybe you could consider to use rsbac git kernel as hardened-sources new kerneland solution but I have not tested selinux under this kernel Under rsbac pax userland is not needed, MPROTECT controls it and can be switched individually in kernel land because it is something like a request under rsbac. Not all functions of PaX, but good enough in my opinion On 23/06/17 18:28, Anthony G. Basile wrote: > Hi everyone, > > Since late April, grsecurity upstream has stop making their patches > available publicly. Without going into details, the reason for their > decision revolves around disputes about how their patches were being > (ab)used. > > Since the grsecurity patch formed the main core of our hardened-sources > kernel, their decision has serious repercussions for the Hardened Gentoo > project. I will no longer be able to support hardened-sources and will > have to eventually mask and remove it from the tree. > > Hardened Gentoo has two sides to it, kernel hardening (done via > hardened-sources) and toolchain/executable hardening. The two are > interrelated but independent enough that toolchain hardening can > continue on its own. The hardened kernel, however, provided PaX > protection for executables and this will be lost. We did a lot of work > to properly maintain PaX markings in our package management system and > there was no part of Gentoo that wasn't touched by issues stemming from > PaX support. > > I waited two months before saying anything because the reasons were more > of a political nature than some technical issue. At this point, I think > its time to let the community know about the state of affairs with > hardened-sources. > > I can no longer get into the #grsecurity/OFTC channel (nothing personal, > they kicked everyone), and so I have not spoken to spengler or pipacs. > I don't know if they will ever release grsecurity patches again. > > My plan then is as follows. I'll wait one more month and then send out > a news item and later mask hardened-sources for removal. I don't > recommend we remove any of the machinery from Gentoo that deals with PaX > markings. > > I welcome feedback. >
