sys-kernel/grsecurity-sources available!

As is known, for a few weeks now the grsecurity project has made its patches available only to its customers. In the meantime some people have forked the last publicly available patches and keep forward-porting them to newer kernels.

At Gentoo, for reasons (which I respect) explained in the news item and on the mailing lists, the maintainer decided to drop the hardened-sources package at the end of September 2017.

So I decided to make my own ebuild that uses the Genpatches plus the unofficial forward ports of the last publicly available grsecurity patch.

Before you wonder about the code of the ebuild, let me explain the logic behind it:

1) The ebuild is written so that a version bump is just a copy-paste on the ebuild side.
2) I don't use the GENPATCHES variable from the kernel eclass, because of point 1.
3) I generate the tarball with a bash script that takes the genpatches, takes the unofficial grsecurity patches and deletes the unwanted patches from the genpatches tarball (in hardened-sources we had UNIPATCH_EXCLUDE="1500_XATTR_USER_PREFIX.patch 2900_dev-root-proc-mount-fix.patch").
4) I don't use the UNIPATCH_EXCLUDE variable, because of point 3.
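The tarball-building step described in points 3 and 4, as an added example written for this page: it is not the script from the ebuild or the overlay. It unpacks a genpatches tarball, removes the two patches hardened-sources used to list in UNIPATCH_EXCLUDE, adds the unofficial grsecurity patch and repacks everything, warning when an excluded patch is no longer found (otherwise a renamed patch would silently sneak back in). The 4420_ prefix for the grsecurity patch, the gzip compression, and the fixture patch names used by the demo are assumptions; the fixtures are constructed one-line files, not real kernel patches.

```shell
#!/bin/sh
# Added example, not the script from the ebuild or the overlay: build the
# combined genpatches + unofficial grsecurity tarball the post describes.
# Assumptions (not from the post): the grsecurity patch carries a 4420_
# prefix, the tarball is gzip-compressed, and the demo fixtures below are
# constructed stand-ins rather than real kernel patches.
set -eu

# Genpatches patches that hardened-sources listed in UNIPATCH_EXCLUDE.
EXCLUDE="1500_XATTR_USER_PREFIX.patch 2900_dev-root-proc-mount-fix.patch"

# build_tarball GENPATCHES.tar.gz GRSEC.patch OUT.tar.gz
# Unpacks genpatches, deletes the excluded patches, drops in the grsecurity
# patch and repacks. The numeric prefixes decide the order in which the
# kernel eclass applies the patches, so file names are kept as they are.
build_tarball() {
    gen="$1"; grsec="$2"
    case "$3" in /*) out="$3" ;; *) out="$PWD/$3" ;; esac
    [ -f "$gen" ] || { echo "missing genpatches tarball: $gen" >&2; return 1; }
    [ -f "$grsec" ] || { echo "missing grsecurity patch: $grsec" >&2; return 1; }
    work=$(mktemp -d)
    mkdir "$work/patches"
    tar -xzf "$gen" -C "$work/patches"
    for p in $EXCLUDE; do
        # Warn instead of silently ignoring: if genpatches renames one of
        # these, the exclusion stops working and the patch comes back.
        if [ -e "$work/patches/$p" ]; then
            rm "$work/patches/$p"
        else
            echo "warning: $p not found in $gen, update EXCLUDE" >&2
        fi
    done
    cp "$grsec" "$work/patches/"
    ( cd "$work/patches" && tar -czf "$out" *.patch )
    rm -rf "$work"
}

# has_patch TARBALL NAME: succeeds if NAME is a member of the tarball.
has_patch() {
    tar -tzf "$1" | grep -qxF "$2"
}

# count_patches TARBALL: number of *.patch members.
count_patches() {
    tar -tzf "$1" | grep -c '\.patch$'
}

# make_fixtures DIR: constructed stand-ins for a genpatches tarball and an
# unofficial grsecurity patch (one-line files, not real patches).
make_fixtures() {
    dir="$1"
    mkdir -p "$dir/gp"
    for p in 1000_linux-4.9.60.patch 1500_XATTR_USER_PREFIX.patch \
             2900_dev-root-proc-mount-fix.patch 4567_distro-Gentoo-Kconfig.patch; do
        printf '# constructed stand-in for %s\n' "$p" > "$dir/gp/$p"
    done
    ( cd "$dir/gp" && tar -czf ../genpatches.tar.gz *.patch )
    printf '# constructed stand-in for the unofficial grsecurity port\n' \
        > "$dir/4420_grsecurity-unofficial.patch"
}

# build_demo_tarball DIR: fixtures + build; prints the resulting tarball path.
build_demo_tarball() {
    make_fixtures "$1"
    build_tarball "$1/genpatches.tar.gz" "$1/4420_grsecurity-unofficial.patch" \
                  "$1/grsecurity-sources.tar.gz"
    echo "$1/grsecurity-sources.tar.gz"
}

# Run with "demo" as the first argument to list the members of the result.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    tar -tzf "$(build_demo_tarball "$tmp")"
    rm -rf "$tmp"
fi
```

With real input you would point build_tarball at the downloaded genpatches archive and the forward-ported grsecurity patch; the member list of the output is what the ebuild's UNIPATCH_LIST would then apply, with nothing left to exclude.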

Don't expect a version bump on each minor release unless there are critical bugs and/or dangerous security bugs, so please do not file version bump requests on bugzilla.

If you have any issue with grsecurity itself, please file a bug on the GitHub issue tracker, and if you mention the issue elsewhere, please specify that it is with the unofficial grsecurity port. This avoids "damaging" the image/credibility of grsecurity.

The ebuild is available in my overlay.
If you have trouble installing that ebuild, please follow the layman article on our wiki; basically you need:

root ~ $ layman -S && layman -a ago

USE IT AT YOUR OWN RISK 😉

This entry was posted in gentoo, security.

10 Responses to sys-kernel/grsecurity-sources available!

  1. Roy Bamford says:

    Reading between the lines, this appears to be death by 1000 cuts as no new features from the now closed grsecurity patch set will be added and meanwhile, you “take the unofficial-grsecurity-patches and deletes the unwanted patches.”

    Patches can be unwanted for two reasons:-
    a) the feature is merged upstream somehow, so the patch is not required.
    b) the patch no longer applies and the feature is dropped.

    The end result is a dilution of security provided by the remaining unofficial-grsecurity-patches and a movement towards that provided by the main line kernel.

    Reply
    • ago says:

      Maybe I should have explained that point better. The ebuild is basically a copy-paste of hardened-sources. In hardened-sources we have: UNIPATCH_EXCLUDE="1500_XATTR_USER_PREFIX.patch 2900_dev-root-proc-mount-fix.patch". Those patches come from the Genpatches. Since I do not pull the genpatches archive in the ebuild and instead I make the tarball myself, I avoid including those patches and then using the UNIPATCH_EXCLUDE variable. That's it!

      Reply
  2. Roy Bamford says:

    Thank you for the additional clarification.

    Reply
  3. Arach says:

    The authors of Grsecurity might disagree on the naming of the ebuild, though. Grsecurity is a trademark that has been abused by some large corporations in the past. Please, consider reading this: https://grsecurity.net/announce.php
    IMHO, renaming the ebuild to something like sys-kernel/unofficial-grsec-sources or sys-kernel/minipli-sources would be nice.

    Reply
  4. Kalle says:

    Thanks for your efforts! Sounds great.

    I have a question related to the relationship between your efforts and “https://github.com/copperhead/linux-hardened”: As I understand, the latter one extracts the features from Grsec (including Pax) from the last “published” GrSecurity kernel patches and includes them into their own patchset, but goes into their own future direction?! On the other hand, you preserve the last “published” GrSecurity kernel patch and make it usable with future “vanilla-kernels”. Is this understanding right?

    Additionally my second question is about the Pax support from Gentoo’s side, because the kernel is only one part of the whole thing. Will they keep this alive?

    Best regards

    Reply
  5. Kalle says:

    And what about gradm in this scenario?

    Reply
  6. Kalle says:

    Installed your sources. Seems to work. Thanks again!

    Reply
