phoronix covers my work on OpenPaX, a patch to restore userspace W^X and some other common sense functionality from PaX: https://www.phoronix.com/news/Edera-OpenPaX-Announced
this patch is the cornerstone of the new "alpine hardened" project, which is intended to produce a spin of alpine which is similar to the old grsecurity days of alpine.
-
Ariadne Conill 🐰:therian: replied to Ariadne Conill 🐰:therian:
as i'm sure spender will be irritated by this coverage, i will just point to https://grsecurity.net/passing_the_baton
thanks for the baton dude, I'm just following your instructions
-
gaytabase replied to Ariadne Conill 🐰:therian:
@ariadne well gosh if it bothered them, they could always have kept on maintaining it themselves.
-
nina replied to Ariadne Conill 🐰:therian:
@ariadne is this going to be just a git tree, or are there going to be patches for stable releases or at least repo tags? i'd be interested in providing a kernel build flavor, but the way that would be done depends on how this is distributed
-
Ariadne Conill 🐰:therian: replied to nina
@q66 there is a monolithic patch option available at distfiles.ariadne.space/openpax
-
nina replied to Ariadne Conill 🐰:therian:
@ariadne ah, i did not see that linked anywhere
doesn't look too bad; if i understand this right, everything is on by default, unless disabled via xattr?
-
Ariadne Conill 🐰:therian: replied to nina
@q66 correct. it is only the modern PaX experience which is reproduced. i dropped all legacy stuff.
-
Ariadne Conill 🐰:therian: replied to Ariadne Conill 🐰:therian:
anyway, OpenPaX is (obviously) not a complete reimplementation of grsecurity. it is only a few months old.
our goal is to upstream things to @torvalds as we have increased confidence in them.
so this will probably start with ASLR hardening first, and then userspace W^X.
next on my list of new development is UDEREF, followed by KERNEXEC. but this will happen after the upstreaming work, most likely.
-
ティージェーグレェ replied to Ariadne Conill 🐰:therian:
@ariadne As someone who used Adamantix way back in the day, good luck on upstreaming that kind of stuff.
You'll probably need it.
-
Ariadne Conill 🐰:therian: replied to ティージェーグレェ
@teajaygrey i think it is possible. we just have to show that the userspace contract is not materially violated.
for example, the main point of pushback against userspace W^X was that PaX included NX-bit emulation for old CPUs. OpenPaX does not bother with this because basically every CPU sold in the past 20 years has NX-bit.
additionally: systemd already got opt-in userspace W^X as a prctl upstream
-
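The opt-in userspace W^X prctl referred to in the post above is, as I understand it, PR_SET_MDWE (Linux 6.3 and later; systemd's MemoryDenyWriteExecute= uses it on kernels that have it). The program below is an added example for this thread, not code from OpenPaX or from anyone in it: it enables MDWE for the calling process and probes the two things the kernel then refuses, a fresh RWX mapping and the JIT-style RW-then-RX mprotect. The function names, the probe layout and the 0xc3 filler bytes are my own choices.

```c
/* mdwe_probe.c: enable the upstream opt-in userspace W^X (PR_SET_MDWE,
 * Linux 6.3+) for this process and probe what it refuses.
 * Added example for this thread; not OpenPaX code. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/prctl.h>
#include <unistd.h>

/* Older uapi headers lack these; values are from include/uapi/linux/prctl.h. */
#ifndef PR_SET_MDWE
#define PR_SET_MDWE 65
#endif
#ifndef PR_MDWE_REFUSE_EXEC_GAIN
#define PR_MDWE_REFUSE_EXEC_GAIN (1UL << 0)
#endif

enum wx_result { WX_ALLOWED = 0, WX_DENIED = 1, WX_ERROR = 2 };

/* Turn on MDWE for the calling process. It cannot be turned off again and
 * is inherited by children. Returns 0 on success, otherwise errno
 * (EINVAL on kernels that predate 6.3). */
int enable_mdwe(void)
{
    if (prctl(PR_SET_MDWE, PR_MDWE_REFUSE_EXEC_GAIN, 0, 0, 0) == 0)
        return 0;
    return errno;
}

/* Probe 1: a fresh anonymous mapping that is writable and executable at once. */
enum wx_result probe_mmap_rwx(void)
{
    long pg = sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, (size_t)pg, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return errno == EACCES ? WX_DENIED : WX_ERROR;
    munmap(p, (size_t)pg);
    return WX_ALLOWED;
}

/* Probe 2: the classic JIT pattern, write code into a RW page and then flip
 * it to RX. MDWE refuses any mprotect() that adds PROT_EXEC to a mapping
 * that did not already have it. */
enum wx_result probe_mprotect_rw_to_rx(void)
{
    long pg = sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, (size_t)pg, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return WX_ERROR;
    memset(p, 0xc3, (size_t)pg); /* constructed filler (x86 "ret"); never executed */
    int rc = mprotect(p, (size_t)pg, PROT_READ | PROT_EXEC);
    int saved = errno;           /* munmap() may clobber errno */
    munmap(p, (size_t)pg);
    if (rc == 0)
        return WX_ALLOWED;
    return saved == EACCES ? WX_DENIED : WX_ERROR;
}

/* Enable MDWE and re-run both probes. Returns 1 if MDWE is enforced (both
 * probes refused with EACCES), 0 if this kernel rejected PR_SET_MDWE
 * (e.g. EINVAL before 6.3), -1 if MDWE was accepted but a probe got through. */
int demo_mdwe(void)
{
    if (enable_mdwe() != 0)
        return 0;
    return (probe_mmap_rwx() == WX_DENIED &&
            probe_mprotect_rw_to_rx() == WX_DENIED) ? 1 : -1;
}

static const char *show(enum wx_result r)
{
    return r == WX_ALLOWED ? "allowed" : r == WX_DENIED ? "denied (EACCES)" : "error";
}

int main(void)
{
    printf("before MDWE: mmap RWX %s, mprotect RW->RX %s\n",
           show(probe_mmap_rwx()), show(probe_mprotect_rw_to_rx()));
    int r = demo_mdwe();
    if (r == 0) {
        puts("PR_SET_MDWE not available on this kernel");
        return 1;
    }
    printf("after MDWE:  mmap RWX %s, mprotect RW->RX %s\n",
           show(probe_mmap_rwx()), show(probe_mprotect_rw_to_rx()));
    return r == 1 ? 0 : 1;
}
```

Build with `cc -o mdwe_probe mdwe_probe.c` and run it on a 6.3+ kernel: the "before" line shows both patterns allowed, the "after" line shows both refused. The flag is per process and sticks across fork and execve (6.6 added PR_MDWE_NO_INHERIT for callers who only want it for themselves), which is why the question of whether a process may opt out, or be opted out via xattr as OpenPaX does, is the part of the userspace contract that matters for upstreaming.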
Ariadne Conill 🐰:therian: replied to like jam or bootlaces
@idlestate @eloy @torvalds yes, that is part of it. nobody knows who "The PaX team" is.
well, presumably spender knows.
but the kernel community sure doesn't...
-
F. Maury replied to Ariadne Conill 🐰:therian:
@ariadne FWIW, it's Spengler, not spender
-
Ariadne Conill 🐰:therian: replied to F. Maury
@x_cli spender is his irc nickname