[arch-general] Yet another step toward Arch evil plan

Alexander Duscheleit jinks at archlinux.us
Wed Jan 13 13:31:02 EST 2010


On Wed, 13 Jan 2010 14:38:45 +0100
Thomas Bächler <thomas at archlinux.org> wrote:

> Am 13.01.2010 14:31, schrieb James Rayner:
> >>> They provide ArchLinux 2009.08 in both 32 and 64 bit with
> >>> their own kernel with grsecurity (2.6.31.5-grs)
> >> How well does this integrate? Arch doesn't have any
> >> officially-endorsed grsecurity kernel. Does it require userspace
> >> modifications? Have they submitted their package to Arch so the
> >> devs can look at it and check for flaws?
> > 
> > In general, kernels don't need to integrate with anything, and no
> > changes whatsoever should be necessary in userspace. The exception
> > is when the kernel is too old to be compatible with our udev
> > version.
> > 
[...]
> 
> That isn't entirely the point. IIRC SELinux requires lots of support
> in userspace, this might be the same for grsecurity. I don't know for
> sure what needs modification though.

As far as skimming their (rather old) quick install guide can tell me,
grsec doesn't do much out of the box. If sysctl is enabled, *all*
options have to be enabled manually.

In normal unconfigured operation you probably only get some memory
address randomization and the same for network ports.
Some programs may not work with the memory protections and get killed
instantly. The 'chpax' utility (available in AUR) can circumvent this.

For everything else you need the 'gradm' tool (also available in aur)
which manages policies, etc.

This seems to be the whole extent of required userspace support.

Greetings,
	jinks
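The message above notes that, with the sysctl interface enabled, every grsecurity option is off until an administrator turns it on. The following is an added example (not part of the thread, and not a grsecurity or Arch tool) showing how a defender can audit which toggles are still disabled before relying on the kernel. It assumes the toggles live under /proc/sys/kernel/grsecurity/ as one file per option holding 0 or 1; the directory is a parameter so the functions can be exercised against a constructed copy. The option names used in the test (chroot_deny_chmod, chroot_deny_mknod, grsec_lock) are sample names chosen for illustration.

```shell
#!/bin/sh
# Added example: audit grsecurity sysctl toggles that are still disabled.
# Assumption: each toggle is a file under $GRSEC_DIR containing 0 or 1.

GRSEC_DIR=${GRSEC_DIR:-/proc/sys/kernel/grsecurity}

# Print "name value" for every toggle in the directory, one per line.
# Returns 2 (and prints a message on stderr) if the tree is not present,
# which is what you see on a kernel built without grsecurity sysctl support.
grsec_list() {
    dir=${1:-$GRSEC_DIR}
    [ -d "$dir" ] || { echo "no grsecurity sysctl tree at $dir" >&2; return 2; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        printf '%s %s\n' "$(basename "$f")" "$(cat "$f")"
    done
}

# Print only the names of toggles whose value is 0, i.e. protections that
# the administrator has not enabled yet.
grsec_disabled() {
    grsec_list "$1" | awk '$2 == "0" { print $1 }'
}

# Succeed (exit 0) if the grsec_lock toggle is set. Once it is set the other
# toggles can no longer be changed at runtime, so check it before you lock.
grsec_locked() {
    dir=${1:-$GRSEC_DIR}
    [ -f "$dir/grsec_lock" ] && [ "$(cat "$dir/grsec_lock")" = "1" ]
}

# Stand-alone usage: report on the live system when the tree exists.
if [ -d "$GRSEC_DIR" ]; then
    echo "Disabled grsecurity toggles under $GRSEC_DIR:"
    grsec_disabled
    if grsec_locked; then
        echo "grsec_lock is set: toggles are frozen until reboot"
    fi
fi
```

Run it as root on the target box; an empty list from grsec_disabled means every toggle is on. The intended order is to enable the individual options first and set grsec_lock last, since after the lock the remaining toggles can no longer be turned on without a reboot.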

