Hi infernus! Saturday 06, at 05:05:24 PM you wrote:
> Well, there are many benefits. First, there is the stack protection (which is
> already included in the Trustix kernel, I know..), but most useful are the
> randomization options. Randomized source ports, IP-IDs (not entirely
> necessary seeing how Linux defaults to all zeroes, yet still good), PIDs,
> larger entropy pools, etc.. Of course, there is also TPE (Trusted Path
> Execution), and my favorite, the option to deny all sockets to a specific
> group (or all but one group) of users. It's a great patch. Only problem is,
> Spender's still stuck on 2.6.14.6. If he updates pretty soon, I will probably
> deviate from the TSL default kernel unless a new kernel is included with the
> grsec patch.

Many of these "great" or "exclusive" grsec options use a non-kernel internal library. So a grsec kernel is not a stock vanilla kernel nor the Linux kernel itself ;)

And the PaX patch also has disadvantages - for example, ocaml doesn't build with it. Exec-shield from Ingo Molnar does this job (non-executable stack) with less code and works on the x86_64 platform (PaX has preliminary x86_64 support). Random addresses in va-space are already implemented in the 2.6 kernel, so it's not a grsec feature.

And again, all these pretty limits can be implemented in vserver/OpenVZ (I hear some folks are preparing vs for 2.6/2.7 inclusion) in the "right" way using the standard kernel capabilities system. After that, I'll think a little about grsec inclusion in TSL.

Just my IMHO opinion ;)

--
WBR et al.
_______________________________________________ tsl-discuss mailing list [email protected] http://lists.trustix.org/mailman/listinfo/tsl-discuss
