I couldn't agree more - just because you live in a safe neighborhood it doesn't mean you go out and leave your door unlocked. Every mitigation is useful.
However, with grsecurity there's a great deal of performance overhead, some things like X really don't like grsecurity, and with a semi-stateless system there's not a great need for such mitigations. Also, I've heard that there are some things that just can't work under a virtualized environment - not sure what yet. However, a compromised system can still be used to attack other systems. I've noticed that by default Qubes domains don't block connections to the local LAN - which is an attack vector from default configured domains; not to mention the compromise of any data in that domain. I'd like to see something like Subgraph or a Gentoo hardened GRS template.

On Monday, 20 June 2016 23:17:01 UTC+1, [email protected] wrote:
> Also why does Qubes not ship with Grsecurity by default? I know that
> privilege escalation protections would be meaningless according to
> raah, but Grsecurity also adds other security features
> https://grsecurity.net/features.php
>
> I know Qubes is quite reasonably secured with its isolation and Xen
> architecture, but I like adding precautions such as extra security in case
> an attacker somehow bypasses the isolation or finds an exploit or flaw in
> the Xen architecture
