Gentoo Archives: gentoo-hardened

From: Natanael Copa <natanael.copa@×××××.com>
To: gentoo-hardened@l.g.o
Subject: Re: [gentoo-hardened] "How hard" is Linux kernel-side hardening?
Date: Mon, 21 Sep 2009 12:01:43
Message-Id: 1253534616.29840.29.camel@ncopa-desktop.nor.wtbts.net
In Reply to: Re: [gentoo-hardened] "How hard" is Linux kernel-side hardening? by Marco Venutti
On Sat, 2009-09-19 at 22:25 +0200, Marco Venutti wrote:


> --[cut]--
> You forgot to mention SSP (stack-smashing protection).
> --[cut]--
>
> I didn't forget it, but I'd like to primarily focus on
> RSBAC and GR-Sec.

I think that's the wrong focus. What makes grsecurity (and Gentoo Hardened) interesting is PaX, not the RSBAC. The same is to be said about the corresponding functionality in OpenBSD. The vanilla kernel (and SELinux etc.) don't have PaX.

I can recommend that you read up on what PaX does for you. Basically, PaX prevents you from exploiting vulnerabilities. SELinux will only limit what your successful exploit is allowed to do.

My biggest worry when it comes to PaX (for the moment) is that you cannot run paravirtualization with PaX.

-nc
