On Monday, June 20, 2016 at 6:59:48 PM UTC-4, [email protected] wrote:
> On Monday, June 20, 2016 at 6:44:59 PM UTC-4, jkitt wrote:
> > I couldn't agree more - just because you live in a safe neighborhood it
> > doesn't mean you go out and leave your door unlocked. Every mitigation is
> > useful.
> >
> > However, with grsecurity there's a great deal of performance overhead, some
> > things like X really don't like grsecurity, and with a semi-stateless
> > system there's not a great need for such mitigations. Also, I've heard that
> > there are some things that just can't work under a virtualized environment -
> > not sure what yet. However, a compromised system can still be used to
> > attack other systems. I've noticed that by default Qubes domains don't
> > block connections to the local LAN - which is an attack vector from default
> > configured domains; not to mention the compromise of any data in that
> > domain.
> >
> > I'd like to see something like subgraph or a gentoo hardened GRS template.
> >
> > On Monday, 20 June 2016 23:17:01 UTC+1, [email protected] wrote:
> > Also why does Qubes not ship with Grsecurity by default? I know that
> > privilege escalation protections would be meaningless according to raah, but
> > Grsecurity also adds other security features
> > https://grsecurity.net/features.php
> > I know Qubes is quite reasonably secured with its isolation and xen
> > architecture, but I like adding precautions such as extra security in case
> > an attacker somehow bypasses the isolation or finds an exploit or flaw in
> > the xen architecture
>
> if you manage to get a patched nvidia driver installed, with patches
> available from pax team (which sometimes don't work). You can even game with
> grsecurity with full security on (usually only disabling memprotect for
> certain programs to run) and no performance loss noticeable.
>
> Some features, maybe the most beneficial ones, like Kernexec and UDEREF, are
> not supported by xen. Here is a thread discussing some things related to
> grsec and hypervisor host.
> http://www.gossamer-threads.com/lists/gentoo/hardened/57609

You can probably compile kernel for templatevm. I think with the latest qubes release this is made easier, I haven't tried yet.
