[arch-dev-public] providing grsecurity in [community]
danielmicay at gmail.com
Sun Apr 20 06:09:28 EDT 2014
On 20/04/14 05:12 AM, Sébastien Luttringer wrote:
> On 19/04/2014 01:21, Connor Behan wrote:
>> On 18/04/14 04:09 AM, S?bastien Luttringer wrote:
>>> On 16/04/2014 06:09, Daniel Micay wrote:
>>>> I don't think it makes sense to bother with the
>>>> nvidia module because it would be a bit silly to mix it with grsecurity.
>>> Why user with nvidia cards should be deprived of grsec security enhancement?
>> Because the use of closed-source kernel modules is inherently insecure
> We use closed-source components on our computer everyday (BIOS,
> firmwares) because we trust hardware provider like Nvidia.
> I wouldn't says that people who have Nvidia cards and run Nvidia drivers
> are in an "inherently insecure" situation.
That's true, I'm just not interested in maintaining it myself because I
think it's a bit silly regardless :). I have no problem at all with
someone maintaining a DKMS nvidia package or grsec-specific package to
have it work. It doesn't harm me in any way to have the choice available.
> (hide others users process)
This is actually one of the few grsecurity features that tricked
upstream. It's available as the `hidepid=2` mount option for /proc.
Sadly it breaks systemd to some extent due to the cgroup filesystem in
the kernel being inadequate (no namespacing support).
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 836 bytes
Desc: OpenPGP digital signature
More information about the arch-dev-public