On Sat, 2009-09-19 at 22:25 +0200, Marco Venutti wrote:

> --[cut]--
> You forgot to mention SSP (stack-smashing protection).
> --[cut]--
>
> I didn't forget it, but I'd like to primarily focus on
> RSBAC and GR-Sec.

I think that's the wrong focus. What makes grsecurity (and gentoo hardened)
interesting is PaX, not the RSBAC. The same is to be said about the
corresponding functionality in OpenBSD.

Vanilla kernel (and SELinux etc.) don't have PaX.

I can recommend you to read up on what PaX does for you. Basically, PaX
prevents you from exploiting vulnerabilities. SELinux will only limit what
your successful exploit is allowed to do.

My biggest worry when it comes to PaX (for the moment) is that you
cannot run paravirtualization with PaX.

-nc