Announcement

Collapse
No announcement yet.

Kernel Lockdown: Tightening Up Linux Kernel Access From User-Space

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • #11
    Seems good for the cloud, where a lot of people share the same machine.

    Comment


    • #12
      What is the use-case for this? What problem this is trying to solve? Who will benefit from this?

      Comment


      • #13
        Originally posted by ldo17 View Post
        No it isn’t. Better for what? Security is a means to an end, not an end in itself.
        This is self-evident. Are you in a position to answer my question?
        Which end? Is this only something for servers? Is it relevant for non-UEFI SecureBoot systems?


        Originally posted by ldo17 View Post
        Has your “experience” been impacted much by the coming of SELinux or AppArmor?
        I vividly remember not being able to configure email clients after SELinux. AppArmor was such a "smooth" user experience that I wonder whether it actually does something.
        But the key question is: Is this patchset intended for desktop systems? Please share your knowledge, there are other users with the same questions:
        Originally posted by andrei_me View Post
        What is the use-case for this? What problem this is trying to solve? Who will benefit from this?

        Comment


        • #14
          Originally posted by andrei_me View Post
          What is the use-case for this? What problem this is trying to solve? Who will benefit from this?
          Same as most other hardening systems like SELinux or AppArmor: servers or embedded devices where the developers/sysadmins know full well what programs will run in there, and are an actual target.

          Comment


          • #15
            Originally posted by lowflyer View Post
            Which end? Is this only something for servers?
            You can enable this whenever you are sure the programs won't break horribly if you turn this on, so I'm strongly suspecting desktops are out of the equation. Hell it's a PITA to get even Grsecurity to work decently with Desktop applications like say web browsers or something.
            Is it relevant for non-UEFI SecureBoot systems?
            It's weakened and would require additional measures, as such systems can't check the signature of kernel on boot, so a malicious attacker could just go and replace the kernel, then reboot.
            Of course it's not that hard to twart that (like by keeping the /boot with kernel and all on a read-only media (I mean hardware read-only, with a flip switch or something, there are some USB keys that offer that hardware switch).

            I vividly remember not being able to configure email clients after SELinux. AppArmor was such a "smooth" user experience that I wonder whether it actually does something.
            It comes down to how they are configured, if your distro has half-decent profiles you can install them and have a smooth user experience (hoping the profiles are good enough). If your distro has no profiles, you must set them up manually for each application.
            AFAIK AppArmor gets more love from distro mantainers in Debian/Ubuntu, OpenSUSE, while SELinux is favoured by the other camp (RHEL and derivatives).

            Comment


            • #16
              blocked post above (there should be a total of 2 posts).... halp!

              Comment

              Working...
              X