Gentoo Archives: gentoo-user

From: Kerin Millar <kerframil@×××××××××××.uk>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] which VM do you recommend?
Date: Tue, 30 Jul 2013 12:54:17
Message-Id: 51F7B76B.90504@fastmail.co.uk
In Reply to: Re: [gentoo-user] which VM do you recommend? by Tanstaafl

On 30/07/2013 11:36, Tanstaafl wrote:
> On 2013-07-30 4:11 AM, Randolph Maaßen <r.maassen60@×××××.com> wrote:
>> It needs a couple of kernel modules to work, but emerge will prompt to
>> you what it needs.
>
> Side question...
>
> I want to run the vmware tools on my gentoo VM (so the host can safely
> power it down), but it also requires modules.
>
> For security reasons I have never enabled modules on my servers, but...

It doesn't enhance security unless additional measures are taken (see
below).

>
> Is there a way to do this securely, so that *only* the necessary modules
> could ever be loaded?

You can use grsecurity (which is in hardened-sources). With
CONFIG_GRKERNSEC_MODSTOP enabled, you will be able to run:

# echo 1 > /proc/sys/kernel/grsecurity/disable_modules

After that, no further modules can be loaded. However, you would also
need to disable privileged I/O and the ability to write to /dev/kmem,
both of which grsecurity also facilitates.

--Kerin
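
An added example, not part of the original message: a boot-time sketch of the "load what you need, then lock" sequence described in the reply, using the grsecurity sysctl path quoted there. The module names are placeholders, and SYSCTL_FILE, MODPROBE and ALLOWED_MODULES are assumed variables that can be overridden; the script covers only the module lock, not the privileged I/O or /dev/kmem restrictions.

```shell
#!/bin/sh
# Added example: load an allowlist of modules, then lock module loading.
# ALLOWED_MODULES holds placeholder names (assumption); SYSCTL_FILE and
# MODPROBE are overridable so the logic can be exercised without root.

SYSCTL_FILE="${SYSCTL_FILE:-/proc/sys/kernel/grsecurity/disable_modules}"
MODPROBE="${MODPROBE:-modprobe}"
ALLOWED_MODULES="${ALLOWED_MODULES:-example_mod_a example_mod_b}"

# Return 0 if module loading is already locked.
modules_locked() {
    [ -r "$SYSCTL_FILE" ] && [ "$(cat "$SYSCTL_FILE")" = "1" ]
}

# Load every allowlisted module; stop at the first failure so the system
# is never locked while a module it needs is missing.
load_allowed() {
    for m in $ALLOWED_MODULES; do
        "$MODPROBE" "$m" || { echo "failed to load $m" >&2; return 1; }
    done
}

# Load, lock, verify.
# Returns: 0 locked, 1 a module failed to load,
#          2 sysctl absent (kernel built without CONFIG_GRKERNSEC_MODSTOP),
#          3 the lock did not take effect.
lock_after_loading() {
    [ -e "$SYSCTL_FILE" ] || { echo "$SYSCTL_FILE missing" >&2; return 2; }
    if modules_locked; then
        echo "already locked; nothing loaded" >&2
        return 0
    fi
    load_allowed || return 1
    echo 1 > "$SYSCTL_FILE" || return 3
    modules_locked || return 3
}

# Act only when asked, e.g.: sh lock-modules.sh --apply
if [ "${1:-}" = "--apply" ]; then
    lock_after_loading
fi
```

Run it as late in boot as the last required module allows, and treat a non-zero exit as a reason to alert rather than continue silently.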