On Monday, June 20, 2016 at 6:59:48 PM UTC-4, [email protected] wrote:
> On Monday, June 20, 2016 at 6:44:59 PM UTC-4, jkitt wrote:
> > I couldn't agree more - just because you live in a safe neighborhood it 
> > doesn't mean you go out and leave your door unlocked. Every mitigation is 
> > useful.
> > 
> > However, with grsecurity there's a great deal of performance overhead, some 
> > things like X really don't like grsecurity, and with a semi-stateless 
> > system there's not a great need for such mitigations. Also, I've heard that 
> > there are some things that just can't work under a virtualized environment - 
> > not sure what yet. However, a compromised system can still be used to 
> > attack other systems. I've noticed that by default Qubes domains don't 
> > block connections to the local LAN - which is an attack vector from default 
> > configured domains; not to mention the compromise of any data in that 
> > domain.
> > 
> > I'd like to see something like subgraph or a gentoo hardened GRS template.
> > 
> > On Monday, 20 June 2016 23:17:01 UTC+1, [email protected] wrote:
> > Also, why does Qubes not ship with grsecurity by default? I know that 
> > privilege escalation protections would be meaningless according to raah, 
> > but grsecurity also adds other security features: 
> > https://grsecurity.net/features.php 
> > I know Qubes is quite reasonably secured with its isolation and Xen 
> > architecture, but I like adding precautions such as extra security in case 
> > an attacker somehow bypasses the isolation or finds an exploit or flaw in 
> > the Xen architecture.
> 
> If you manage to get a patched nvidia driver installed, with patches 
> available from the PaX team (which sometimes don't work), you can even game 
> with grsecurity with full security on (usually only disabling memprotect for 
> certain programs to run) and no noticeable performance loss.
> 
> Some features, maybe the most beneficial ones, like KERNEXEC and UDEREF, are 
> not supported by Xen. Here is a thread discussing some things related to 
> grsec and a hypervisor host: 
> http://www.gossamer-threads.com/lists/gentoo/hardened/57609

You can probably compile a kernel for the templatevm. I think with the latest Qubes 
release this is made easier; I haven't tried yet.
