| 1 |
Yiannis wrote: |
| 2 |
> Hello, |
| 3 |
> |
| 4 |
> I am running hardened gentoo with the toolchain provided by the |
| 5 |
> xake-toolchain overlay. I am looking for a way to use virtualization |
| 6 |
> with my current config. I am aware of linux-vserver project which has |
| 7 |
> grsecurity integration, but as far as I remember does not play well |
| 8 |
> with rbac. Anyone that has a similar working config? |
| 9 |
> |
| 10 |
|
| 11 |
I use hardened host (2.6.29) with vserver. Under this I run hardened |
| 12 |
guests. All of these are old style hardened (gcc 3.4.6, not the new |
| 13 |
gcc4 stuff. (As an aside, even uclibc+patches now seems to work ok on |
| 14 |
gcc4.4.1 + hardened, so I think it's about time we had a push to try and |
| 15 |
get the hardened profile to shuffle along a bit...) |
| 16 |
|
| 17 |
I am not currently using the RBAC features of grsec, but I don't |
| 18 |
immediately see a reason why they wouldn't work.... I guess it's |
| 19 |
possible they would need to be implemented in the host rather than the |
| 20 |
guest (which would feel a bit wierd), but it should still work I guess... |
| 21 |
|
| 22 |
All other hardenings seem to work as advertised and generally speaking |
| 23 |
vserver is a nice lightweight, pseudo virtualisation which is often good |
| 24 |
enough for your needs... It's really just a slightly more fancy chroot |
| 25 |
system with some scripts around it and some additional hardening (and |
| 26 |
all the associated limitations). Xen, etc are the way you want to go if |
| 27 |
you need full isolation. However, vserver allows you to more neatly |
| 28 |
overcommit machine resources and has a number of other advantages |
| 29 |
|
| 30 |
Good luck |
| 31 |
|
| 32 |
Ed W |
Archives