On 8 Dec 2007 at 12:33, timpoluk@×××.net wrote:
> > on the host side, i think pretty much all of grsec/PaX will work fine
> > except for KERNEXEC (and even that is not unfixable either, but it needs
> > a patch in the hypervisor code itself, not PaX).
>
> Unfortunately I am not able to do such coding :-/ If you talk about
> KERNEXEC I guess the kernel option CONFIG_GRKERNSEC_KMEM has to be
> disabled. Could I use RBAC to get back anything of the lost protection?
|
KERNEXEC is a PaX feature, independent of grsec's kmem protection.
and no, the kmem protection has nothing to do with virtualization
as everyone has kernel modules to manage host side memory.
|
> If I want to try XEN what's the preferred way to implement it? Downloading
> a kernel patched with XEN and then patching with grsecurity or reverse?
|
grsec doesn't support xen's dom0 yet (only when it'll enter mainline),
domU may already work with the latest 2.6.23+ kernels (at least i tried
to make it compatible with PaX), but i have yet to test it myself. in
other words, you can't use grsec on a xen host yet, only in a guest.
|
--
gentoo-hardened@g.o mailing list