| 1 |
> Hmm, I was thinking, that it is not possible for standard kernel to |
| 2 |
> disable network access for particular application... |
| 3 |
> How to do that? |
| 4 |
It's by user-id, but check out 'iptables -m owner'. Even in |
| 5 |
hardened-sources, the only additional network control you get is the |
| 6 |
ability to control which users can make outbound or accept inbound |
| 7 |
connections. |
| 8 |
|
| 9 |
> And how about PaX? Is it really so unlikely to be necessary on PC or |
| 10 |
> laptop for personal use? |
| 11 |
Not unlikely, but it presumes a compromised local account - definitely |
| 12 |
a good position to start from, but some of it's controls may interfere |
| 13 |
with the operation of virtual machines. |
| 14 |
|
| 15 |
In the end, it is up to you to decide how much security is enough. I |
| 16 |
don't think the hardened kernels available will measurably improve |
| 17 |
your security given how you intend to use the system, but that's my |
| 18 |
opinion and I don't know what your specific needs are. What you ask |
| 19 |
should be doable with a little work. |
| 20 |
-- |
| 21 |
gentoo-hardened@g.o mailing list |
Archives