[arch-dev-public] providing grsecurity in [community]

Daniel Micay danielmicay at gmail.com
Sun Apr 20 06:09:28 EDT 2014


On 20/04/14 05:12 AM, Sébastien Luttringer wrote:
> On 19/04/2014 01:21, Connor Behan wrote:
>> On 18/04/14 04:09 AM, Sébastien Luttringer wrote:
>>> On 16/04/2014 06:09, Daniel Micay wrote:
>>>> I don't think it makes sense to bother with the
>>>> nvidia module because it would be a bit silly to mix it with grsecurity.
>>>>
>>> Why should users with nvidia cards be deprived of the grsec security enhancement?
>> Because the use of closed-source kernel modules is inherently insecure
>> anyway.
>>
> We use closed-source components on our computers every day (BIOS,
> firmware) because we trust hardware providers like Nvidia.
> I wouldn't say that people who have Nvidia cards and run Nvidia drivers
> are in an "inherently insecure" situation.

That's true, I'm just not interested in maintaining it myself because I
think it's a bit silly regardless :). I have no problem at all with
someone maintaining a DKMS nvidia package or grsec-specific package to
have it work. It doesn't harm me in any way to have the choice available.

> (hide others users process)

This is actually one of the few grsecurity features that tricked
upstream. It's available as the `hidepid=2` mount option for /proc.
Sadly it breaks systemd to some extent due to the cgroup filesystem in
the kernel being inadequate (no namespacing support).
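As an added illustration of the `hidepid=2` option discussed above (example code, not from the original mail or from grsecurity): a small POSIX sh helper that reads the /proc mount's options in /proc/self/mounts format and reports the hidepid level, plus the remount command that applies it. The mounts text, the gid value 19 and the function names are constructed for the example.

```shell
#!/bin/sh
# Constructed sample in /proc/self/mounts format (example data, not taken from
# the thread): the /proc line is mounted with hidepid=2 and a gid exemption so
# that members of that group (e.g. a monitoring account) still see every process.
SAMPLE_MOUNTS='sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2,gid=19 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0'

# hidepid_level <mounts-text>: print the hidepid= value of the /proc mount,
# or 0 when the option is absent (kernel default: all processes visible).
hidepid_level() {
    printf '%s\n' "$1" | awk '
        $2 == "/proc" && $3 == "proc" {
            n = split($4, opts, ",")      # options field, comma separated
            level = 0
            for (i = 1; i <= n; i++)
                if (opts[i] ~ /^hidepid=/) {
                    sub(/^hidepid=/, "", opts[i])
                    level = opts[i]
                }
            print level
            exit
        }'
}

# remount_cmd <level> [gid]: print the mount command that applies the setting
# at runtime; the same options on the /proc line in /etc/fstab make it persist.
remount_cmd() {
    if [ -n "$2" ]; then
        printf 'mount -o remount,hidepid=%s,gid=%s /proc\n' "$1" "$2"
    else
        printf 'mount -o remount,hidepid=%s /proc\n' "$1"
    fi
}
```

On a live system, `hidepid_level "$(cat /proc/self/mounts)"` checks the current setting; remember the systemd caveat mentioned above before enabling it.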
