Gentoo Archives: gentoo-hardened

From: Natanael Copa <natanael.copa@×××××.com>
To: gentoo-hardened@l.g.o
Subject: Re: [gentoo-hardened] "How hard" is Linux kernel-side hardening?
Date: Mon, 21 Sep 2009 12:01:43
Message-Id: 1253534616.29840.29.camel@ncopa-desktop.nor.wtbts.net
In Reply to: Re: [gentoo-hardened] "How hard" is Linux kernel-side hardening? by Marco Venutti
On Sat, 2009-09-19 at 22:25 +0200, Marco Venutti wrote:


> --[cut]--
> You forgot to mention SSP (stack-smashing protection).
> --[cut]--
>
> I didn't forget it, but I'd like to primarily focus on
> RSBAC and GR-Sec.

I think that's the wrong focus. What makes grsecurity (and Gentoo Hardened)
interesting is PaX, not RSBAC. The same is to be said about the
corresponding functionality in OpenBSD.

The vanilla kernel (and SELinux etc.) doesn't have PaX.

I can recommend that you read up on what PaX does for you. Basically, PaX
prevents you from exploiting vulnerabilities. SELinux will only limit what
your successful exploit is allowed to do.

My biggest worry when it comes to PaX (for the moment) is that you
cannot run paravirtualization with PaX.

-nc
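The distinction drawn in the message above (PaX stops the exploit from getting code to run; SELinux only fences in what a running exploit may do) can be made concrete with a probe for one PaX feature, MPROTECT. The following C program is an added example and is not code from the thread or from the PaX or grsecurity projects. It relies only on documented PaX behaviour: under MPROTECT the kernel refuses to create an executable anonymous mapping and refuses to turn a writable anonymous mapping executable with mprotect(), while a vanilla kernel grants both. The function names are this example's own, and the probe cannot tell MPROTECT apart from other sources of the same denial (an SELinux execmem denial or a seccomp filter would look identical), which is why it reports the effect rather than naming a cause.

```c
/*
 * Added example, not part of the original mailing-list thread.
 * Probes the W^X rule that PaX MPROTECT enforces kernel-wide:
 *   (a) an executable anonymous mapping may not be created, and
 *   (b) a writable anonymous mapping may not be made executable.
 * A vanilla Linux kernel permits both, so both probes return 0 there.
 * Function names are this example's own, not a PaX or grsecurity API.
 */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Try to create an RWX anonymous mapping.
 * Returns 1 if the kernel refused it (MPROTECT-style behaviour), 0 if granted. */
int probe_exec_anon_mapping(void)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, page, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return 1;
    munmap(p, page);
    return 0;
}

/* Map RW, stage some bytes, then try to flip the page to RX: the step an
 * exploit (or a JIT) needs to run freshly written code.
 * Returns 1 if mprotect() was refused, 0 if it succeeded, -1 on an
 * unexpected failure of the plain RW mapping. */
int probe_rw_to_rx_transition(void)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, page, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    memset(p, 0xc3, 16);                 /* filler bytes standing in for staged code */
    int denied = (mprotect(p, page, PROT_READ | PROT_EXEC) != 0);
    munmap(p, page);
    return denied;
}

/* 1 when both transitions are refused for this process, 0 otherwise.
 * The probe only observes the effect; it cannot attribute the denial to
 * PaX rather than to an SELinux execmem denial or a seccomp filter. */
int wx_enforced(void)
{
    return probe_exec_anon_mapping() == 1 && probe_rw_to_rx_transition() == 1;
}

int main(void)
{
    int a = probe_exec_anon_mapping();
    int b = probe_rw_to_rx_transition();
    printf("executable anonymous mmap refused: %d\n", a);
    printf("RW->RX mprotect refused:           %d (errno %d: %s)\n",
           b, b == 1 ? errno : 0, b == 1 ? strerror(errno) : "-");
    printf("W^X enforced for this process:     %d\n", wx_enforced());
    return 0;
}
```

On a vanilla kernel both probes print 0: the process is free to make data executable, and whether that matters is left to whatever the eventual shellcode tries to do, which is exactly the point in the process where SELinux policy begins to apply. On a PaX kernel with MPROTECT enabled for the binary, both print 1 before any exploit payload gets a chance to run.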

Replies

Subject Author
Re: [gentoo-hardened] "How hard" is Linux kernel-side hardening? Marco Venutti <veeenrg@×××××.com>