On 18/04/14 05:34 AM, Sébastien Luttringer wrote:
On 18/04/14 04:09 AM, Sébastien Luttringer wrote:
On 16/04/2014 06:09, Daniel Micay wrote:
I could build these myself when I push a new version, because there aren't many of them.
When I push a new version of VirtualBox, which currently provides modules for linux and linux-lts, I will have to build a third external package for linux-grsec, like every module maintainer.
On 18/04/2014 10:44, Daniel Micay wrote:
There's no problem with simply not building a VirtualBox module for the linux-grsec kernel. You're not building one now, so there would be nothing gained or lost. Supporting out-of-tree modules wasn't something I planned on considering at all right away. Other modules without userspace components wouldn't present the same problems as VirtualBox, since they would be an entirely separate package.
I don't think it makes sense to bother with the nvidia module because it would be a bit silly to mix it with grsecurity.
Why should users with nvidia cards be deprived of grsec security enhancements?
It will work fine with Nouveau. The nvidia driver is a larger pile of code than the Linux kernel itself and no hardening can be applied to it. The grsecurity kernel randomization features are rendered useless since it has info leaks all over. It might have an impact on the RBAC policies, which would otherwise be able to assume that X will be running as non-root post 1.16. If someone is interested in building an nvidia module for a grsecurity kernel and fixing any RBAC issues then I won't object, but I'm not going to do it myself.