Hi again, people,

If you don't have any further ideas/thoughts/objections/whatever, I'll
finally start working on Secure Gentoo (or whatever the name is) now.
I've had a few time problems lately, so I'm sorry I haven't got started
earlier.

What I'm going to do:
* Make a profile with a small (minimal) set of apps, and slowly expand
it as I get more packages done/patched.
* Make a kernel patch, probably based on the Gentoo kernel, but with
GrSecurity, kerneli, a few netfilter patches etc.
* Patch packages with patches from the Owl GNU/*/Linux project (of which
I am lucky to be a currently idling developer), and make ACLs for each
app.

My original intent was to use LIDS, but I've somewhat changed my mind.
The ACL system in grsec has matured greatly lately, and I'm trying it
out as we speak. Have any of you got any experiences or thoughts on this
you want to share?

I've got a few questions, too:
Will the Gentoo kernel use Andrea Arcangeli's VM or Rik van Riel's (-aa
or rmap)?
How will this be done practically? I'm thinking in particular about the
freeze, and the proposed unstable branch.
How paranoid should it be? My first plan was to create ACLs for each and
every binary and deny almost everything else, but that might be too
paranoid for most people. What do you think? How about three security
levels (no ACLs, normal ACLs and very strict ACLs)?

Any other thoughts and ideas will be greatly appreciated :)

--
Joachim Blaabjerg
styx@×××××.org
www.SuxOS.org