On Thu, May 17, 2012 at 3:04 PM, Anthony G. Basile
<basile@××××××××××××××.edu> wrote:
> Liberte, last I looked, has quite a few hardening features off.

True — this is made necessary by having to support virtualized
environments (and, of course, Xorg, wrt. GRKERNSEC_IO). Since our last
discussion on the subject, I have “discovered” the
GRKERNSEC_HARDENED_VIRTUALIZATION profile, which fits quite well the
settings that were carefully selected previously.

By the way, Liberté also mounts /dev with noexec, and I received no
complaints so far (see bug #92921). I also grepped the driver sources
before making the change, and didn't find any attempts to map /dev/mem
with PROT_EXEC. No idea if the noexec issue is still present with
proprietary drivers, though.

--
Maxim Kammerer
Liberté Linux (discussion / support: http://dee.su/liberte-contribute)