| 1 |
Am Sonntag, 24. Februar 2008 schrieb 7v5w7go9ub0o: |
| 2 |
> The hardened toolchain'll protect you outright against some types of |
| 3 |
> memory attacks; GRSEC'll provide additional PAX protections; putting |
| 4 |
> net-clients into the much-harder jails provided by some hardened kernels |
| 5 |
> (e.g. grsecurity) will confine damage (e.g. my browsers, mail clients, |
| 6 |
> media players, chat client, ooffice, etc. are each in their own |
| 7 |
> hardened-chroot jail), plus RBAC will stop a browser that suddenly |
| 8 |
> decides to browse about the box (well, within the jail :-) ) looking for |
| 9 |
> information, or trying to effect changes. |
| 10 |
Did you (or anybody else here) already set up some chroot/jail/other |
| 11 |
restrictions for a browser like Konqueror with grsec/RSBAC? How does it |
| 12 |
look like? It's hard for me to image what to restrict without dramatically |
| 13 |
cut down the usefullness of the program. And how to deal with spontaneous |
| 14 |
exceptions to the rules (like limiting to ports 80 and 443 and then wanting |
| 15 |
to contact port 8080). |
Archives