On Sunday, 24 February 2008, 7v5w7go9ub0o wrote:
> The hardened toolchain'll protect you outright against some types of
> memory attacks; GRSEC'll provide additional PAX protections; putting
> net-clients into the much-harder jails provided by some hardened kernels
> (e.g. grsecurity) will confine damage (e.g. my browsers, mail clients,
> media players, chat client, ooffice, etc. are each in their own
> hardened-chroot jail), plus RBAC will stop a browser that suddenly
> decides to browse about the box (well, within the jail :-) ) looking for
> information, or trying to effect changes.

Did you (or anybody else here) already set up some chroot/jail/other
restrictions for a browser like Konqueror with grsec/RSBAC? What does it
look like? It's hard for me to imagine what to restrict without dramatically
cutting down the usefulness of the program. And how to deal with spontaneous
exceptions to the rules (like limiting to ports 80 and 443 and then wanting
to contact port 8080).