Gentoo Archives: gentoo-hardened

From: RB <aoz.syn@×××××.com>
To: gentoo-hardened@l.g.o
Subject: Re: [gentoo-hardened] "How hard" is Linux kernel-side hardening?
Date: Mon, 21 Sep 2009 15:46:18
Message-Id: 4255c2570909210846p2530b3cawb163f6105982a24c@mail.gmail.com
In Reply to: Re: [gentoo-hardened] "How hard" is Linux kernel-side hardening? by Marco Venutti
On Mon, Sep 21, 2009 at 09:10, Marco Venutti <veeenrg@×××××.com> wrote:
> I see the GR-Security, provided in Hardened Gentoo,
> is not the bare patch, but an "itself-patched" version,
> so I'm wondering if these improvements become
> part of the (following releases of the) official patch,
The Gentoo patches for the hardened kernel are largely cosmetic, changing configure-time portions to fit the Gentoo world-view. For the 2.6.29 kernel, they:

- Remove 'grsec' from the kernel's version text
- Reduce the compile-time warnings produced by grsecurity
- Allow PaX to be enabled without enabling grsecurity
- Set different (Gentoo-appropriate) default GIDs for the logging & restriction portions
- Add Gentoo's profiles (server, workstation, etc.) for grsecurity
- Add the source IP to SELinux AVC messages (the only functional change)
- Completely remove the ability to enable COMPAT_VDSO
> or not; I'm asking this just because, if improvements
> are not included in the official patch, maybe it's better,
> for me, to use the gentoo-hardened-kernel-source,
> not-so-up-to-date, but improved!
Gentoo's hardened-sources is probably the way you want to go, regardless. It incorporates the latest version of grsecurity for the given kernel version, and despite being "behind" the kernel curve, it's highly stable.
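Since the Gentoo patch set strips 'grsec' from the version text, `uname -r` no longer tells you whether a running kernel carries grsecurity or PaX; the kernel's `.config` (from `/proc/config.gz` or `/boot/config-$(uname -r)`) does. The script below is an added example for this thread, not code from Gentoo or the grsecurity project: it classifies a `.config` by whether CONFIG_GRKERNSEC and CONFIG_PAX are set (a PaX-only build is exactly what the "PaX without grsecurity" patch permits) and reports the COMPAT_VDSO state. The sample config files are constructed here for illustration and are not real kernel output.

```shell
#!/bin/sh
# Added example (not from the thread or from Gentoo): inspect a kernel
# .config for the hardening pieces the Gentoo patch set touches.

# cfg_enabled FILE SYMBOL -> exit 0 if "SYMBOL=y" is present in FILE
cfg_enabled() {
    grep -q "^$2=y\$" "$1"
}

# hardening_profile FILE -> prints one of: grsec+pax, grsec-only, pax-only, none
# CONFIG_GRKERNSEC is the grsecurity umbrella option, CONFIG_PAX the PaX one.
hardening_profile() {
    grsec=0; pax=0
    cfg_enabled "$1" CONFIG_GRKERNSEC && grsec=1
    cfg_enabled "$1" CONFIG_PAX && pax=1
    case "$grsec$pax" in
        11) echo grsec+pax ;;
        10) echo grsec-only ;;
        01) echo pax-only ;;
        *)  echo none ;;
    esac
}

# compat_vdso_state FILE -> "enabled" if CONFIG_COMPAT_VDSO=y, else "disabled"
# (the Gentoo patch removes the option entirely, so a hardened config
# should always report "disabled" here)
compat_vdso_state() {
    if cfg_enabled "$1" CONFIG_COMPAT_VDSO; then echo enabled; else echo disabled; fi
}

# Constructed sample configs (not real kernel output)
SAMPLE_PAX_ONLY=$(mktemp)
cat > "$SAMPLE_PAX_ONLY" <<'EOF'
# CONFIG_GRKERNSEC is not set
CONFIG_PAX=y
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_ASLR=y
# CONFIG_COMPAT_VDSO is not set
EOF

SAMPLE_VANILLA=$(mktemp)
cat > "$SAMPLE_VANILLA" <<'EOF'
CONFIG_X86=y
CONFIG_COMPAT_VDSO=y
EOF

# On a live system: zcat /proc/config.gz > /tmp/cfg && hardening_profile /tmp/cfg
hardening_profile "$SAMPLE_PAX_ONLY"
compat_vdso_state "$SAMPLE_PAX_ONLY"
hardening_profile "$SAMPLE_VANILLA"
compat_vdso_state "$SAMPLE_VANILLA"
```

The checks match only `SYMBOL=y`, so an option that is built as a module or commented out as "is not set" counts as absent; that is the behaviour you want for kernel-side hardening options, which are boolean.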