| 1 |
Hi again, people, |
| 2 |
|
| 3 |
If you don't have any further ideas/thoughts/objections/whatever, I'll |
| 4 |
finally start working on Secure Gentoo (or whatever the name is) now. |
| 5 |
I've had a few time problems lately, so I'm sorry I haven't got started |
| 6 |
earlier. |
| 7 |
|
| 8 |
What I'm going to do: |
| 9 |
* Make a profile with a small (minimal) set of apps, and slowly expand |
| 10 |
it as I get more packages done/patched. |
| 11 |
* Make a kernel patch, probably based on the Gentoo kernel, but with |
| 12 |
GrSecurity, kerneli, a few netfilter patches etc. |
| 13 |
* Patch packages with patches from the Owl GNU/*/Linux project (of which |
| 14 |
I am lucky to be a currently idling developer), and make ACLs for each |
| 15 |
app. |
| 16 |
|
| 17 |
My original intent was to use LIDS, but I've somewhat changed my mind. |
| 18 |
The ACL system in grsec has matured greatly lately, and I'm trying it |
| 19 |
out as we speak. Have any of you got any experiences or thoughts on this |
| 20 |
you want to share? |
| 21 |
|
| 22 |
I've got a few questions, too: |
| 23 |
Will the Gentoo kernel use Andrea Arcangeli's VM or Rik van Riel's (-aa |
| 24 |
or rmap)? |
| 25 |
How will this be done practically? I'm thinking in particular about the |
| 26 |
freeze, and the proposed unstable branch. |
| 27 |
How paranoid should it be? My first plan was to create ACLs for each and |
| 28 |
every binary and deny almost everything else, but that might be too |
| 29 |
paranoid for most people. What do you think? How about three security |
| 30 |
levels (no ACLs, normal ACLs and very strict ACls)? |
| 31 |
|
| 32 |
Any other thoughts and ideas will be greatly appreciated :) |
| 33 |
|
| 34 |
-- |
| 35 |
Joachim Blaabjerg |
| 36 |
styx@×××××.org |
| 37 |
www.SuxOS.org |
Archives