Talk:Hardened Kernel

From Gentoo Wiki
Note
This is a talk page. Please add newer comments below older ones, and sign your comments using four tildes (~~~~). When adding a new section (at the bottom of the page), please mark it as "open for discussion" by using {{talk|open}} so it will show up in the list of open discussions.

Article naming

Talk status
This discussion is done as of May 15, 2017.

Hi guys, welcome to the Gentoo wiki! Generally speaking, we keep things pretty clean around here. Most of our article pages keep single spaces (" ") for multi-word article names. With my nit-pickiness aside, it may be better to call this project something else, as we already have a Hardened Project. Also, I haven't considered community projects (i.e. unofficial Gentoo projects) officially being hosted by our wiki, but I will see what I can do to help you out. Maybe I can design a Community Project template or something. :)

Kind regards, --Maffblaster (talk) 03:35, 27 April 2017 (UTC)

Maffblaster,
Thanks for the welcome! I realize that this is not the kind of project that usually will find its home on the gentoo wiki. In light of what went down yesterday (grsec going private: https://grsecurity.net/passing_the_baton.php) I felt the need to rally/organize the open source community to action. I was talking with quantumsummers in gentoo-hardened and I thought that a wiki page to track progress would be of use. If any of what I did was wrong/against policy blame me, if any of this sounds like a good idea give credit to quantumsummers.
The nature of this project is technically distro independent, however with the desire to maintain hardened-sources and many interested people in #gentoo-hardened we thought this would be as good of a home as any.
I can move the page name if you would like, or if you want to design a Community Project template that sounds awesome!
thanks again,
— The preceding unsigned comment was added by Nmatt (talk · contribs) 07:21, April 27, 2017

I think Community Projects (here on the wiki) sound like an interesting idea, so I'll toy with it a bit. It may fail, or it may turn out to be kind of a neat development for our community. My overall desire is that this wiki (due to the nature of Gentoo having a history of being on the front lines of new tech) would be the most up-to-date and comprehensive Linux related wiki available on the web. We welcome new ideas and projects. It's good for Gentoo and good for open source. --Maffblaster (talk) 15:24, 27 April 2017 (UTC)

No Hardened project involvement

Talk status
This discussion is done as of May 15, 2017.

Hi guys,

I find it encouraging and very positive that you are trying to keep the kernel hardening protections alive. However, I do want to suggest not to call it "Hardened Kernel" (as we already have a hardened kernel project) or put it under the "Hardened" umbrella, as that implies ownership and steering by the Gentoo Hardened project.

The suggestion to use this as a community project, as mentioned by Maffblaster, makes sense to me. If you try to find a nice project name, then I personally don't mind to keep it on the Gentoo wiki as a community project if your main intention is to provide it as a Gentoo community service.

But considering the scope, I think you aim higher than just Gentoo. The aim is to provide a ported (and perhaps in the future extended) kernel hardening which can be used by other projects as well. Wouldn't it make more sense to use the Github wiki as the main focus area for development, and use the Gentoo wiki as a sort-of proxy site where you talk about the project a bit, and then how to use it on Gentoo?

--SwifT (talk) 16:57, 6 May 2017 (UTC)

SwifT,
Yeah I see your point. I'll start on porting the wiki over to Github and let you know when we don't need this page anymore. I would like to stay in contact with the Hardened project since one of my personal motivations for this project is that hardened-sources would continue. — The preceding unsigned comment was added by Nmatt (talk · contribs) 06:42, May 7, 2017

OK we have migrated. I wiped the wiki content and just put a link to our wiki on github. I will leave this for about a week if that's cool and then we can remove this page altogether.

--Nmatt (talk) 13:37, 15 May 2017 (UTC)

Trusted Path Execution (TPE)

Talk status
This discussion is done.

Hi guys,

It would be great to add a simple but very useful concept, Trusted Path Execution (TPE), to prevent unwanted user code from running. Maybe the improved fork (https://github.com/cormander/tpe-lkm) would be preferable.

--Alexminder 14:33, 10 May 2017 (UTC)

Would a port of grsecurity's Trusted Path Execution work? See https://en.wikibooks.org/w/index.php?title=Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options#Trusted_Path_Execution_.28TPE.29

I don't think it would be that hard to port this feature. I think I might run into some friction upstreaming this feature since it can be done with SELinux. Would you be willing to port this feature to mainline? If you want to work on it together we could find a time to meet up on IRC to hash out a plan.

--Nmatt (talk) 18:55, 11 May 2017 (UTC)

Well I got bored yesterday and pulled out grsecurity's Trusted Path Execution and adapted it into a simple patch.

https://github.com/nmatt0/linux-hardened/commit/6fbcddcc7acf5fe0143623dae180afc23e1fd8a4

I tested this briefly last night and it seemed to work correctly. Let me know what you think. I will be submitting this to strcat as a PR to the linux-hardened repo (https://github.com/thestinger/linux-hardened).

--Nmatt (talk) 16:07, 12 May 2017 (UTC)