I couldn't agree more - just because you live in a safe neighborhood it 
doesn't mean you go out and leave your door unlocked. Every mitigation is 
useful.

However, with grsecurity there's a great deal of performance overhead, some 
things like X really don't like grsecurity, and with a semi-stateless 
system there's not a great need for such mitigations. Also, I've heard that 
there are some things that just can't work under a virtualized environment - 
not sure what yet. However, a compromised system can still be used to 
attack other systems. I've noticed that by default Qubes domains don't 
block connections to the local LAN - which is an attack vector from default 
configured domains; not to mention the compromise of any data in that 
domain.

I'd like to see something like Subgraph or a Gentoo Hardened GRS template.

On Monday, 20 June 2016 23:17:01 UTC+1, [email protected] wrote:
>
> Also, why does Qubes not ship with grsecurity by default? I know that 
> privilege escalation protections would be meaningless according to 
> raah, but grsecurity also adds other security features: 
> https://grsecurity.net/features.php 
>
> I know Qubes is quite reasonably secured with its isolation and Xen 
> architecture, but I like adding precautions such as extra security in case 
> an attacker somehow bypasses the isolation or finds an exploit or flaw in 
> the Xen architecture.
>

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a2f904ba-f43d-467d-a604-e76b463b4464%40googlegroups.com.