| 1 |
Hi! |
| 2 |
|
| 3 |
On Tue, Nov 25, 2008 at 06:39:26PM +0200, Jan Klod wrote: |
| 4 |
> Could you post a list of apps, that need PaX lifted? |
| 5 |
|
| 6 |
Most of this already done by portage when emerging apps, so you rarely |
| 7 |
need to do this manually. Few examples come in my mind is operawrapper for |
| 8 |
running complex Flash/Flex applications; mplayer for playing files in |
| 9 |
windows-related formats using codecs in .dll (media-libs/win32codecs); |
| 10 |
and OS Inferno which is virtual machine like Java but compiled manually |
| 11 |
(probably I'll create ebuild for it later). |
| 12 |
|
| 13 |
Also you have to switch off one item in kernel configuration (compared to |
| 14 |
typical config on servers): |
| 15 |
Security options ---> Grsecurity ---> Address Space Protection ---> |
| 16 |
[ ] Disable privileged I/O |
| 17 |
and may need to enable loadable modules support (also switched off on |
| 18 |
servers) to work with VMware or binary NVidia drivers etc. |
| 19 |
|
| 20 |
> Also there is another question: has anyone made some benchmarks to see how |
| 21 |
> much raw computing power (CPU+RAM access, which happen during some purely |
| 22 |
> computational task) decreases? |
| 23 |
|
| 24 |
There some available on internet, just google for it. AFAIR there was 2-5% |
| 25 |
slowdown compared to non-hardened system. |
| 26 |
I did my own tests several years ago when switching to hardened - same |
| 27 |
results: 2% slowdown for most operations, compiling a little more slower. |
| 28 |
|
| 29 |
Nothing noticeable on workstation to worry about unless you have ancient |
| 30 |
hardware which play mp3s using 100% CPU and will lag if you do anything |
| 31 |
else at same time. :) |
| 32 |
|
| 33 |
-- |
| 34 |
WBR, Alex. |
Archives