[rb-general] Question about reproducible builds for PaX/Grsecurity

Shawn citypw at gmail.com
Sat Jun 10 17:23:17 CEST 2017


Hi Chris,

On Sat, Jun 10, 2017 at 9:53 PM, Chris Lamb <lamby at debian.org> wrote:
> Dear Shawn,
>
>> I've been to Chris Lamb's presentation at HKOSCON and it's really glad
>> to see such high percentage of packaging coverage in Debian GNU/Linux
>> distro.
>
> Thank you for your kind words. However, whilst the presentation was mine,
> the Reproducible Builds effort is very much a team thing :)
>
>> Because reproducible builds for PaX/Grsecurity requires the same seed
>> if Grsec's RANDSTRUCT was enabled.
>
> For anyone following along here:
>
>   GRKERNSEC_RANDSTRUCT
>   If you say Y here, the layouts of a number of sensitive kernel
>   structures (task, fs, cred, etc) and all structures composed entirely
>   of function pointers (aka "ops" structs) will be randomized at compile-time.
>
> <https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options#Randomize_layout_of_sensitive_kernel_structures>
>
>> So my question is as a GNU/Linux distro, who's manage the seed?
>
> So, starting at:
>
>   https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/linux-grsec.html
>
> .. this links to the following bugs:
>
>  * GRKERNSEC_RANDSTRUCT shouldn't be enabled
>    <https://bugs.debian.org/814787>
>
>  * Grsec's RANDSTRUCT and Reproducible Builds
>    <https://bugs.debian.org/816439>
>
> The latter has a patch from Steven Chamberlain :)
>
Steven's patch is basically what we've done in our implementation:

https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=816439;filename=linux-grsec_4.6.3-1%2Bgrsec201607062159%2B1.debdiff;msg=34

Thanks, it can be work out that way.



-- 
GNU powered it...
GPL protect it...
God blessing it...

regards
Shawn


More information about the rb-general mailing list