Well, there are many benefits. First, there is the stack protection (which is already included in the Trustix kernel, I know...), but most useful are the randomization options. Randomized source ports, IP-IDs (not entirely necessary seeing how Linux defaults to all zeroes, yet still good), PIDs, larger entropy pools, etc. Of course, there is also TPE (Trusted Path Execution), and my favorite, the option to deny all sockets to a specific group (or all but one group) of users. It's a great patch. Only problem is, Spender's still stuck on 2.6.14.6. If he updates pretty soon, I will probably deviate from the TSL default kernel unless a new kernel is included with the grsec patch.
On Sun, May 07, 2006 at 12:25:05AM +0400, Konstantin A. Lepikhov wrote:
> So what are the benefits of it? AFAIR grsecurity is very bloated and has many
> controversial points in its code. Simple exec-shield w/ vserver and altsec
> from ALTLinux do a better job on the kernel side. Of course, LIDS/RSBAC (as
> grsec suggests) is cool, but implementing it is a very hard job.
>
> --
> WBR et al.
--
infernus
echo "jogfsovtA{jggfs/psh" | perl -pe 's/(.)/chr(ord($1)-1)/ge'
