Re: [arch-dev-public] providing grsecurity in [community]
On 18/04/14 04:09 AM, S?bastien Luttringer wrote:
On 16/04/2014 06:09, Daniel Micay wrote:
I don't think it makes sense to bother with the nvidia module because it would be a bit silly to mix it with grsecurity.
Why user with nvidia cards should be deprived of grsec security enhancement? Because the use of closed-source kernel modules is inherently insecure anyway.
On 19/04/2014 01:21, Connor Behan wrote:
On 18/04/14 04:09 AM, S?bastien Luttringer wrote:
On 16/04/2014 06:09, Daniel Micay wrote:
I don't think it makes sense to bother with the nvidia module because it would be a bit silly to mix it with grsecurity.
Why user with nvidia cards should be deprived of grsec security enhancement? Because the use of closed-source kernel modules is inherently insecure anyway.
We use closed-source components on our computer everyday (BIOS, firmwares) because we trust hardware provider like Nvidia. I wouldn't says that people who have Nvidia cards and run Nvidia drivers are in an "inherently insecure" situation. There are features in grsec which can be useful even with an Nvidia module (hide others users process, restricted ipc, etc). -- Sébastien "Seblu" Luttringer https://seblu.net | Twitter: @seblu42 GPG: 0x2072D77A
On 20/04/14 05:12 AM, Sébastien Luttringer wrote:
On 19/04/2014 01:21, Connor Behan wrote:
On 18/04/14 04:09 AM, S?bastien Luttringer wrote:
On 16/04/2014 06:09, Daniel Micay wrote:
I don't think it makes sense to bother with the nvidia module because it would be a bit silly to mix it with grsecurity.
Why user with nvidia cards should be deprived of grsec security enhancement? Because the use of closed-source kernel modules is inherently insecure anyway.
We use closed-source components on our computer everyday (BIOS, firmwares) because we trust hardware provider like Nvidia. I wouldn't says that people who have Nvidia cards and run Nvidia drivers are in an "inherently insecure" situation.
That's true, I'm just not interested in maintaining it myself because I think it's a bit silly regardless :). I have no problem at all with someone maintaining a DKMS nvidia package or grsec-specific package to have it work. It doesn't harm me in any way to have the choice available.
(hide others users process)
This is actually one of the few grsecurity features that tricked upstream. It's available as the `hidepid=2` mount option for /proc. Sadly it breaks systemd to some extent due to the cgroup filesystem in the kernel being inadequate (no namespacing support).
On zo, 2014-04-20 at 11:12 +0200, Sébastien Luttringer wrote:
We use closed-source components on our computer everyday (BIOS, firmwares) because we trust hardware provider like Nvidia. I wouldn't says that people who have Nvidia cards and run Nvidia drivers are in an "inherently insecure" situation.
There are features in grsec which can be useful even with an Nvidia module (hide others users process, restricted ipc, etc).
The problem with Nvidia and grsecurity is that Nvidia doesn't test their drivers on grsecurity kernels. With grsecurity you alter the way the kernel works. If this alters the kernel in any way that the Nvidia binary driver doesn't expect, you'll end up with something that makes your system unstable. Supporting Nvidia on vanilla kernels is a challenge now and then because of the incompatible changes done in each version, but maintaining it for a grsecurity patched kernel is even harder.
participants (4)
-
Connor Behan
-
Daniel Micay
-
Jan de Groot
-
Sébastien Luttringer