> Hmm, I was thinking, that it is not possible for standard kernel to
> disable network access for particular application...
> How to do that?

It's by user-id, but check out 'iptables -m owner'. Even in
hardened-sources, the only additional network control you get is the
ability to control which users can make outbound or accept inbound
connections.

> And how about PaX? Is it really so unlikely to be necessary on PC or
> laptop for personal use?

Not unlikely, but it presumes a compromised local account - definitely
a good position to start from, but some of its controls may interfere
with the operation of virtual machines.

In the end, it is up to you to decide how much security is enough. I
don't think the hardened kernels available will measurably improve
your security given how you intend to use the system, but that's my
opinion and I don't know what your specific needs are. What you ask
should be doable with a little work.

--
gentoo-hardened@g.o mailing list
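The per-user approach the reply points at, as an added example that is not part of the original thread: the application is run under a dedicated account and `iptables -m owner --uid-owner` matches that account's locally generated packets in the OUTPUT chain. The script only prints the rules so they can be reviewed before being applied; the account name `nonet`, the uid `1001` and the `nonet.log` prefix are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not from the gentoo-hardened thread: deny network access to
# one application by giving it its own uid and matching that uid with the
# iptables owner module. The owner match only sees locally generated packets,
# so it belongs in OUTPUT; inbound traffic is governed by the usual INPUT
# policy and by the fact that the application is not listening.
#
# Assumed setup (run as root, outside this script):
#   useradd -r -s /bin/false nonet          # dedicated account, no shell
#   owner_block_rules "$(id -u nonet)" | sh # apply the printed rules
#   su -s /bin/sh nonet -c '/usr/bin/someapp'   # start the app under that uid

# Print the iptables commands that isolate one uid. Nothing is executed here.
owner_block_rules() {
    uid="$1"
    # Keep loopback open so local IPC over TCP (X11, a DNS cache) still works;
    # delete this line for complete isolation.
    printf 'iptables -A OUTPUT -o lo -m owner --uid-owner %s -j ACCEPT\n' "$uid"
    # Log before rejecting so attempts are visible in the kernel log
    # (dmesg / syslog), which is the detection side of this control.
    printf 'iptables -A OUTPUT -m owner --uid-owner %s -j LOG --log-prefix "nonet uid=%s: "\n' "$uid" "$uid"
    # REJECT rather than DROP so the application fails fast instead of
    # hanging on connect() timeouts.
    printf 'iptables -A OUTPUT -m owner --uid-owner %s -j REJECT --reject-with icmp-port-unreachable\n' "$uid"
}

# Count how many rules the generator emits for a uid (used as a self-check).
owner_rule_count() {
    owner_block_rules "$1" | grep -c '^iptables '
}

# When invoked with a uid argument, show the rules for it.
if [ $# -gt 0 ]; then
    owner_block_rules "$1"
fi
```

The numeric uid, not the user name, is what the kernel matches, so resolve it with `id -u` at apply time; if the account is later recreated with a different uid the rules silently stop matching, which is worth a check in whatever script loads your firewall.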