On Monday, June 20, 2016 at 6:44:59 PM UTC-4, jkitt wrote:
> I couldn't agree more - just because you live in a safe neighborhood it
> doesn't mean you go out and leave your door unlocked. Every mitigation is
> useful.
>
> However, with grsecurity there's a great deal of performance overhead, some
> things like X really don't like grsecurity, and with a semi-stateless system
> there's not a great need for such mitigations. Also, I've heard that there's
> some things that just can't work under a virtualized environment - not sure
> what yet. However, a compromised system can still be used to attack other
> systems. I've noticed that by default Qubes domains don't block connections
> to the local LAN - which is an attack vector from default configured domains;
> not to mention the compromise of any data in that domain.
>
> I'd like to see something like Subgraph or a Gentoo Hardened GRS template.
>
> On Monday, 20 June 2016 23:17:01 UTC+1, xopl...@gmail.com wrote:
>> Also, why does Qubes not ship with grsecurity by default? I know that
>> privilege escalation protections would be meaningless according to raah,
>> but grsecurity also adds other security features:
>> https://grsecurity.net/features.php
>> I know Qubes is quite reasonably secured with its isolation and Xen
>> architecture, but I like adding precautions such as extra security in case
>> an attacker somehow bypasses the isolation or finds an exploit or flaw in
>> the Xen architecture.

If you manage to get a patched NVIDIA driver installed, with patches available from PaX Team (which sometimes don't work), you can even game with grsecurity with full security on (usually only disabling memprotect for certain programs to run) and no noticeable performance loss.

Some features, maybe the most beneficial ones, like KERNEXEC and UDEREF, are not supported by Xen.

Here is a thread discussing some things related to grsec and a hypervisor host:
http://www.gossamer-threads.com/lists/gentoo/hardened/57609