On 04/28/2012 02:09 AM, Fabio Erculiani wrote:
Hi,
After having successfully deployed hardened GCC and hardened userspace
pkgs (base system + suid/sgid root bins for now) I think it's time to
consider adopting the gentoo-hardened patchset for the Linux Kernel.
In particular, I would like to incorporate them into
sys-kernel/linux-sabayon and sys-kernel/linux-server (and, indirectly
for linux-beagle and linux-panda) ebuilds.
These kernels are our default kernels.
Can anybody comment on this? Mitch? blueness? Everybody else is welcome as well.
Cheers,

I don't know how you guys do your kernel. I assume you don't leave the
configuration up to the user. Since the hardened kernel is configurable
on a spectrum from vanilla to very high security, you'll be able to find
a happy medium. Start with the predefined grsec WORKSTATION setting and
see what, if anything, breaks. I suspect PaX will be your biggest issue,
but you really want to try to preserve it. If you pass bugs my way I
can probably point out what's going on.
--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : [email protected]
GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535
GnuPG ID : D0455535