On 25.01.2011 13:26, Anthony G. Basile wrote:
> Hi hardened users,
>
> Currently, when configuring the hardened kernel, the user is presented
> with some predefined Security Levels. (Security options -> Grsecurity
> -> Security Level). Four of these are set by Gentoo
>
> Hardened Gentoo [server]
> Hardened Gentoo [server no rbac]
> Hardened Gentoo [workstation]
> Hardened Gentoo [workstation no rbac]
>
> These are defined so as to maximize security while minimizing breakage
> with Gentoo software. I'm proposing to change this to
>
> Hardened Gentoo [server]
> Hardened Gentoo [workstation or virtualization host]
>
> One change will be to remove the "no rbac" option which is easily turned
> on/off at Security options -> Grsecurity -> Role Based Access Control
> Options -> Disable RBAC system. The default will be on (i.e. do not
> disable rbac). Even if the user doesn't want to use RBAC and still
> enables it, there is no harm done since RBAC will simply be available but not
> used unless turned on by gradm.
>
> The other change will be to add a "virtualization host" option.
> Currently these settings are identical to the workstation and so are
> coalesced, but may change. I am trying to make the hardened kernel
> compatible with VirtualBox and kvm, but there are some security settings
> which will most likely *always* break virtualization and will need to be
> turned off.
>
> This is work in progress and testing is appreciated. The ebuilds are on
> my overlay.
>
>

My suggestion, as talked about in IRC:

server profile with UDEREF and KERNEXEC forced on
workstation profile with UDEREF and KERNEXEC default enabled
virtualization profile with UDEREF and KERNEXEC default disabled

While virtualbox and kvm currently have issues with both options, this may change in the future. To
be able to easily test it, those options should not be forced off, but default disabled.

Since most other apps for workstations should work with both options, they should be default
enabled. Since there might be some special issue with some specific desktop app, it should be able
to disable those options, so not forced on for them.

--
Thomas Sachau

Gentoo Linux Developer
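
The following is an added example, not part of either message and not code from the Gentoo Hardened project: a shell check of a kernel .config against the three profiles suggested above. It assumes the options appear in .config as CONFIG_PAX_KERNEXEC and CONFIG_PAX_MEMORY_UDEREF (names not given in the thread); the sample config and the function names are constructed for illustration.

```shell
#!/bin/sh
# Audit a kernel .config against the suggested profiles:
#   server          KERNEXEC/UDEREF forced on        -> off is a violation
#   workstation     KERNEXEC/UDEREF default enabled  -> off is allowed, flagged
#   virtualization  KERNEXEC/UDEREF default disabled -> on is allowed, flagged
# Assumption: the .config symbol names below; the thread only says
# "UDEREF" and "KERNEXEC".
SYMBOLS="CONFIG_PAX_KERNEXEC CONFIG_PAX_MEMORY_UDEREF"

# Constructed sample, standing in for the contents of /usr/src/linux/.config.
SAMPLE_CONFIG='CONFIG_PAX_KERNEXEC=y
# CONFIG_PAX_MEMORY_UDEREF is not set'

# opt_state CONFIG_TEXT SYMBOL -> prints "on" or "off"
opt_state() {
    if printf '%s\n' "$1" | grep -q "^$2=y\$"; then
        echo on
    else
        echo off   # "# CONFIG_X is not set", or the symbol is absent
    fi
}

# audit_profile PROFILE CONFIG_TEXT
# Prints one line per option; returns 1 on a violation, 2 on a bad profile.
audit_profile() {
    profile=$1
    config=$2
    rc=0
    for sym in $SYMBOLS; do
        state=$(opt_state "$config" "$sym")
        case "$profile:$state" in
            server:off)        echo "FAIL $sym off (forced on for server)"; rc=1 ;;
            workstation:off)   echo "WARN $sym off (profile default is on)" ;;
            virtualization:on) echo "NOTE $sym on (profile default is off)" ;;
            server:*|workstation:*|virtualization:*) echo "OK   $sym $state" ;;
            *) echo "unknown profile: $profile" >&2; return 2 ;;
        esac
    done
    return $rc
}

# Demo on the constructed sample: UDEREF is off, which a workstation may do.
audit_profile workstation "$SAMPLE_CONFIG"
```

To audit a real tree, pass the file contents instead of the sample, e.g. `audit_profile server "$(cat /usr/src/linux/.config)"`.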