grsecurity in kernel? [ doc and "PaX performance impact"]

Glenn glenn.mh.dk at gmail.com
Thu Dec 30 00:24:51 CET 2010


At 23:38 +0100 29/12/10, Vinzenz Hersche wrote:
>Glenn, I'd like to try this for a kernel.. it should just need to be a patched
>kernel (so need to recompile) and a loaded kernel, or what do you think?
>I don't know so much about cross-compiling, but I'd like to learn it.. if
>someone else would also like to join the try or so, you're welcome :)
>
>Timo, you're right about X.. that's a big hole.. how is it on qtmoko, because
>of no x-server?
>-----------------------------------------------
>Timo wrote on Wednesday 29 December 2010:
...

More:

http://pax.grsecurity.net/docs/index.html

PaX performance impact:
http://www.pjvenda.net/linux/doc/pax-performance/
Quote: "...
Overall Conclusion

It is my opinion that PaX is a very good patchset, being an important 
step towards improved operating system and therefore services' 
security. The memory protection plays an important role but the 
effectiveness of the patchset is maximized in conjunction with the 
other mechanisms supplied. grsecurity includes PaX and presents a 
very complete approach for improved linux security.

Some applications that were badly written, aggressively optimized or 
derived from very old and thus crippled code may not work with this 
kind of security patches. There is no hope for those applications 
other than two solutions:

* Selectively disable PaX features with userland tool on misbehaving 
binaries, thus lowering the security level (not possible on all 
setups without some serious changes)

* Change or have someone change the application to run in protected 
memory and randomized mapping environments
..."



