| 1 |
On 8 Dec 2007 at 12:33, timpoluk@×××.net wrote: |
| 2 |
> > on the host side, i think pretty much all of grsec/PaX will work fine |
| 3 |
> > except for KERNEXEC (and even that is not unfixable either, but it needs |
| 4 |
> > a patch in the hypervisor code itself, not PaX). |
| 5 |
> |
| 6 |
> Unfortunately I am not able to do such coding :-/ If you talk about |
| 7 |
> KERNEXEC I guess the kernel option CONFIG_GRKERNSEC_KMEM has to be |
| 8 |
> disabled. Could I use RBAC to get back anything of the lost protection? |
| 9 |
|
| 10 |
KERNEXEC is a PaX feature, independent of grsec's kmem protection. |
| 11 |
and no, the kmem protection has nothing to do with virtualization |
| 12 |
as everyone has kernel modules to manage host side memory. |
| 13 |
|
| 14 |
> If I want to try XEN what's the preferred way to implement it? Downloading |
| 15 |
> a kernel patched with XEN and then patching with grsecurity or reverse? |
| 16 |
|
| 17 |
grsec doesn't support xen's dom0 yet (only when it'll enter mainline), |
| 18 |
domU may already work with the latest 2.6.23+ kernels (at least i tried |
| 19 |
to make it compatible with PaX), but i have yet to test it myself. in |
| 20 |
other words, you can't use grsec on a xen host yet, only in a guest. |
| 21 |
|
| 22 |
-- |
| 23 |
gentoo-hardened@g.o mailing list |
Archives