
The end of Gentoo's hardened kernel

Posted Aug 21, 2017 10:48 UTC (Mon) by basile (guest, #118169)
In reply to: The end of Gentoo's hardened kernel by cpitrat
Parent article: The end of Gentoo's hardened kernel

I am (or was) the maintainer for sys-kernel/hardened-sources in Gentoo. We're not going to fork nor maintain someone else's fork of the patchset for reasons already stated. 1) Any mistake will become the target of the Grsecurity team and 2) maintaining a 225,000 line patch is insane. Users have put pressure on me to fork but I'm convinced this is the right decision. I put a lot of work into integrating hardened-sources in Gentoo. There were a lot of userland accommodations that had to be made, and I'm unhappy about upstream's decision. I can only hope in time that they will reconsider as the fit between userland and the kernel widens on them. Gentoo + hardened-sources was perfect because Gentoo is a "from-source" distribution and so we were able to accommodate PaX right down to the code level. We lost something special.



The end of Gentoo's hardened kernel

Posted Aug 21, 2017 11:38 UTC (Mon) by ovitters (guest, #27950) [Link] (1 responses)

> There were a lot of userland accommodations that had to be made

Could you expand on that? Thanks in advance!

The end of Gentoo's hardened kernel

Posted Aug 21, 2017 15:09 UTC (Mon) by prometheanfire (subscriber, #65683) [Link]

The simplest thing is that our build system had functionality to paxmark packages that were not able to function on a fully paxified kernel. Most of these were programs with RWX JIT implementations; a ton of work was/is done in Firefox (upstream and downstream) to secure it, for instance.
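As an added illustration of the paxmarking the comment describes (example code, not from Gentoo, the commenter or the PaX project), this reads the PT_PAX_FLAGS program header that a paxmark tool writes into an ELF binary and decodes which PaX features the marking disables, the way an auditor would check what a JIT-using package has been exempted from. The flag-bit table follows PaX's ELF marking layout; `build_sample_elf64` is a helper assumed here to construct a minimal marked binary inline so the example runs offline.

```python
import struct

# PT_PAX_FLAGS = PT_LOOS + 0x5041580: the program header paxmark writes into an ELF.
PT_PAX_FLAGS = 0x65041580
# p_flags bits: (explicit-enable bit, explicit-disable bit) per PaX feature.
PAX_FLAG_BITS = {"PAGEEXEC": (1 << 4, 1 << 5), "SEGMEXEC": (1 << 6, 1 << 7),
                 "MPROTECT": (1 << 8, 1 << 9), "RANDEXEC": (1 << 10, 1 << 11),
                 "EMUTRAMP": (1 << 12, 1 << 13), "RANDMMAP": (1 << 14, 1 << 15)}

def read_pax_flags(elf):
    """Return p_flags of the PT_PAX_FLAGS header in an ELF image, or None if unmarked."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64, end = elf[4] == 2, ("<" if elf[5] == 1 else ">")
    if is64:
        (e_phoff,) = struct.unpack_from(end + "Q", elf, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 54)
    else:
        (e_phoff,) = struct.unpack_from(end + "I", elf, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 42)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        (p_type,) = struct.unpack_from(end + "I", elf, off)
        if p_type == PT_PAX_FLAGS:
            # p_flags follows p_type in Elf64_Phdr but sits at offset 24 in Elf32_Phdr.
            (p_flags,) = struct.unpack_from(end + "I", elf, off + (4 if is64 else 24))
            return p_flags
    return None

def decode_pax_flags(p_flags):
    """Map each feature to 'on', 'off' or 'default' (neither bit set: kernel default)."""
    state = {}
    for name, (on_bit, off_bit) in PAX_FLAG_BITS.items():
        state[name] = "off" if p_flags & off_bit else "on" if p_flags & on_bit else "default"
    return state

def build_sample_elf64(p_flags):
    """Constructed minimal little-endian ELF64 image whose only header is PT_PAX_FLAGS."""
    ehdr = bytearray(64)
    ehdr[:7] = b"\x7fELF\x02\x01\x01"          # magic, ELFCLASS64, ELFDATA2LSB, EV_CURRENT
    struct.pack_into("<HHI", ehdr, 16, 2, 62, 1)  # ET_EXEC, EM_X86_64, EV_CURRENT
    struct.pack_into("<QQQ", ehdr, 24, 0, 64, 0)  # e_entry, e_phoff (right after ehdr), e_shoff
    struct.pack_into("<IHHHHHH", ehdr, 48, 0, 64, 56, 1, 0, 0, 0)  # e_flags, sizes, phnum=1
    phdr = struct.pack("<IIQQQQQQ", PT_PAX_FLAGS, p_flags, 0, 0, 0, 0, 0, 0)
    return bytes(ehdr) + phdr

if __name__ == "__main__":
    # A JIT marked the way a paxmark "-m" would: MPROTECT explicitly disabled, rest default.
    print(decode_pax_flags(read_pax_flags(build_sample_elf64(PAX_FLAG_BITS["MPROTECT"][1]))))
```

Run against a real binary with `read_pax_flags(open(path, "rb").read())`; a return of None means the file carries no paxmark at all and will get the kernel's defaults.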


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds