Announcement

Collapse
No announcement yet.

Kernel Lockdown: Tightening Up Linux Kernel Access From User-Space

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • starshipeleven
    replied
    blocked post above (there should be a total of 2 posts).... halp!

    Leave a comment:


  • starshipeleven
    replied
    Originally posted by lowflyer View Post
    Which end? Is this only something for servers?
    You can enable this whenever you are sure the programs won't break horribly if you turn this on, so I'm strongly suspecting desktops are out of the equation. Hell it's a PITA to get even Grsecurity to work decently with Desktop applications like say web browsers or something.
    Is it relevant for non-UEFI SecureBoot systems?
    It's weakened and would require additional measures, as such systems can't check the signature of kernel on boot, so a malicious attacker could just go and replace the kernel, then reboot.
    Of course it's not that hard to twart that (like by keeping the /boot with kernel and all on a read-only media (I mean hardware read-only, with a flip switch or something, there are some USB keys that offer that hardware switch).

    I vividly remember not being able to configure email clients after SELinux. AppArmor was such a "smooth" user experience that I wonder whether it actually does something.
    It comes down to how they are configured, if your distro has half-decent profiles you can install them and have a smooth user experience (hoping the profiles are good enough). If your distro has no profiles, you must set them up manually for each application.
    AFAIK AppArmor gets more love from distro mantainers in Debian/Ubuntu, OpenSUSE, while SELinux is favoured by the other camp (RHEL and derivatives).

    Leave a comment:


  • starshipeleven
    replied
    Originally posted by andrei_me View Post
    What is the use-case for this? What problem this is trying to solve? Who will benefit from this?
    Same as most other hardening systems like SELinux or AppArmor: servers or embedded devices where the developers/sysadmins know full well what programs will run in there, and are an actual target.

    Leave a comment:


  • lowflyer
    replied
    Originally posted by ldo17 View Post
    No it isn’t. Better for what? Security is a means to an end, not an end in itself.
    This is self-evident. Are you in a position to answer my question?
    Which end? Is this only something for servers? Is it relevant for non-UEFI SecureBoot systems?


    Originally posted by ldo17 View Post
    Has your “experience” been impacted much by the coming of SELinux or AppArmor?
    I vividly remember not being able to configure email clients after SELinux. AppArmor was such a "smooth" user experience that I wonder whether it actually does something.
    But the key question is: Is this patchset intended for desktop systems? Please share your knowledge, there are other users with the same questions:
    Originally posted by andrei_me View Post
    What is the use-case for this? What problem this is trying to solve? Who will benefit from this?

    Leave a comment:


  • andrei_me
    replied
    What is the use-case for this? What problem this is trying to solve? Who will benefit from this?

    Leave a comment:


  • brk0_0
    replied
    Seems good for the cloud, where a lot of people share the same machine.

    Leave a comment:


  • Vistaus
    replied
    Originally posted by smitty3268 View Post

    Because hacking servers is big business right now, and people are trying to stop that?
    But people already stopped that: the GRsec kernel team.

    Leave a comment:


  • ldo17
    replied
    Originally posted by lowflyer View Post
    More security is always better...
    No it isn’t. Better for what? Security is a means to an end, not an end in itself.

    Has anyone an idea how this would influence the desktop experience of a normal user?
    Has your “experience” been impacted much by the coming of SELinux or AppArmor?

    Leave a comment:


  • lowflyer
    replied
    More security is always better, but there's the other side too: Has anyone an idea how this would influence the desktop experience of a normal user? Ideally, there would be no difference, but seeing the depth of some (/dev/port, hibernation) of the changes makes me wonder.

    Leave a comment:


  • smitty3268
    replied
    Originally posted by AdamOne View Post
    Any reason stated *why* he is posting these patches?
    Because hacking servers is big business right now, and people are trying to stop that?

    Leave a comment:

Working...
X