Gentoo Forums
Hardened sources - does it make sense without PaX
Uzytkownik
Guru
Joined: 31 Oct 2004
Posts: 399
Location: Bay Area, US
Posted: Wed Jan 11, 2017 7:25 pm    Post subject: Hardened sources - does it make sense without PaX

I tried to run hardened Gentoo but I discovered that PaX is breaking too much. Are there any benefits to hardened sources w/out PaX?
_________________
I've probably left my head... somewhere. Please wait until I find it.
eccerr0r
Watchman
Joined: 01 Jul 2004
Posts: 7070
Location: almost Mile High in the USA
Posted: Wed Jan 11, 2017 11:44 pm

Security is always a tradeoff for convenience.

If you're willing to sacrifice security (PaX) to get convenience (less breakage) then sure...

To quantify the security loss, it all depends on the person hacking your machine...
_________________
Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD
What am I supposed watching?
Uzytkownik
Guru
Posted: Thu Jan 12, 2017 12:59 am

eccerr0r wrote:
Security is always a tradeoff for convenience.

If you're willing to sacrifice security (PaX) to get convenience (less breakage) then sure...

To quantify the security loss, it all depends on the person hacking your machine...


Yeah, sure. My question was rather whether hardened sources minus PaX == vanilla sources, or whether there is some hardening even without PaX/grsecurity enabled.
eccerr0r
Watchman
Posted: Thu Jan 12, 2017 1:11 am

A lot of the security things are needed in conjunction with each other - removing one will weaken the remaining...

I view it as all or nothing.

Most of my machines I just run nothing and depend on correctness by design... Yeah...right... Convenience ended up winning out.
Uzytkownik
Guru
Posted: Thu Jan 12, 2017 1:19 am

eccerr0r wrote:
A lot of the security things are needed in conjunction with each other - removing one will weaken the remaining...

I view it as all or nothing.


I think there are at least some shades of grey between running a military-grade SELinux installation and ignoring an error about a self-signed certificate when you visit a bank website... Security is obviously not all-or-nothing but needs to be balanced against usability.

eccerr0r wrote:
Most of my machines I just run nothing and depend on correctness by design... Yeah...right... Convenience ended up winning out.


I am afraid you are not answering the question I am asking. In my threat model I deem hardening as nice to have but not strictly necessary. I would just like to know if hardened sources contain any improvement other than PaX itself.
Hu
Moderator
Joined: 06 Mar 2007
Posts: 13607
Posted: Thu Jan 12, 2017 2:30 am

That depends on exactly what you disable at build time and/or runtime, but generally, yes, grsecurity includes a large number of security-related changes, not all of which require PaX enabled in order for them to function. Your other option is to describe some of the breaks that PaX is causing. Despite not being part of the upstream kernel, PaX is fairly widely used, so it is likely that other users have encountered any problems it causes and may be able to help you.
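An added example, not code from any post in this thread or from the grsecurity/PaX project, that makes Hu's answer checkable rather than taken on faith. The first function counts which enabled symbols in a hardened-sources .config are CONFIG_PAX*, which are CONFIG_GRKERNSEC*, and which are neither, before and after switching PaX off the way the original poster proposes. The second scans a Kconfig fragment for non-PaX entries whose "depends on" line names a PAX symbol, since those are the options that silently vanish when PaX is disabled regardless of what the .config says. All input files are constructed inline for illustration: the symbol names are real grsecurity/PaX names, but the sets are incomplete and the "depends on" lines in the fragment are assumptions, not copied from a real tree.

```shell
#!/bin/sh
# Added example, not from this thread or from grsecurity/PaX upstream.
# Given a hardened-sources .config, it separates the enabled CONFIG_PAX*
# symbols from the CONFIG_GRKERNSEC* and other hardening symbols, then scans a
# Kconfig fragment for non-PaX entries whose "depends on" line names PAX,
# i.e. the options that disappear with PaX whatever the .config says.
# Every input file below is constructed for illustration (the symbol names
# are real grsecurity/PaX names, the dependency lines are assumed); point the
# functions at your own .config and grsecurity/Kconfig for a real answer.

# classify_config FILE: count enabled (=y/=m) symbols by prefix.
classify_config() {
    awk -F= '
        /^CONFIG_/ && ($2 == "y" || $2 == "m") {
            if ($1 ~ /^CONFIG_PAX/)            pax++
            else if ($1 ~ /^CONFIG_GRKERNSEC/) grsec++
            else                               other++
        }
        END { printf "pax=%d grsec=%d other=%d\n", pax + 0, grsec + 0, other + 0 }
    ' "$1"
}

# pax_dependent_options KCONFIG: print non-PAX entries whose "depends on"
# expression mentions a PAX symbol.
pax_dependent_options() {
    awk '
        /^config / { cur = $2; next }
        /^[ \t]+depends on / && /PAX/ && cur != "" && cur !~ /^PAX/ { print cur; cur = "" }
    ' "$1"
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Constructed excerpt of a hardened-sources .config with PaX enabled.
cat >"$workdir/config.hardened" <<'EOF'
CONFIG_GRKERNSEC=y
CONFIG_GRKERNSEC_KMEM=y
CONFIG_GRKERNSEC_HIDESYM=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_PAX=y
CONFIG_PAX_PAGEEXEC=y
CONFIG_PAX_MPROTECT=y
CONFIG_PAX_RANDMMAP=y
CONFIG_PAX_USERCOPY=y
CONFIG_SECURITY=y
CONFIG_STRICT_DEVMEM=y
# CONFIG_PAX_MEMORY_SANITIZE is not set
EOF

# The same config with every PaX option switched off, as the thread proposes.
sed 's/^\(CONFIG_PAX[A-Z0-9_]*\)=y/# \1 is not set/' \
    "$workdir/config.hardened" >"$workdir/config.nopax"

# Constructed Kconfig fragment; the "depends on" lines are assumptions, read
# the real ones from grsecurity/Kconfig in the hardened tree.
cat >"$workdir/Kconfig.fragment" <<'EOF'
config GRKERNSEC_KMEM
    bool "Deny reading/writing to /dev/kmem, /dev/mem, and /dev/port"
    depends on GRKERNSEC

config GRKERNSEC_PROC_MEMMAP
    bool "Remove addresses from /proc/<pid>/[smaps|maps|stat]"
    depends on PAX_NOEXEC || PAX_ASLR

config PAX_USERCOPY
    bool "Harden heap object copies between kernel and userland"
    depends on PAX
EOF

echo "hardened:      $(classify_config "$workdir/config.hardened")"
echo "without PaX:   $(classify_config "$workdir/config.nopax")"
echo "non-PaX options that still require PaX:"
pax_dependent_options "$workdir/Kconfig.fragment"
```

Two caveats when you run this against a real tree. First, it only sees what is gated behind a CONFIG symbol; the grsecurity patch also changes kernel code that no Kconfig option controls, so a config diff undercounts what differs from vanilla. Second, the dependency check is the part that matters for the original question: an option that "depends on" a PAX symbol is dropped by `make oldconfig` without a prompt, so the honest comparison is between a config saved after PaX was disabled and a vanilla config of the same base version, not between the two files before resolution.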