advantages systrace might have over grsecurity
Posted Dec 18, 2002 6:55 UTC (Wed) by pjm (guest, #2080)
In reply to: Systrace - Interactive Policy Generation for System Calls by job
Parent article: Systrace - Interactive Policy Generation for System Calls
Caveat: I haven't looked at either grsecurity or systrace.
From what I can tell from the Debian package list, grsecurity is a patch to version 2.4 of the Linux kernel, and conflicts with the LSM patch.
If this is correct, then one advantage of systrace should be portability: it should work with any version of the Linux kernel (with or without LSM) or indeed almost any other Un*x. I imagine that systrace can be installed by non-root users, without rebooting the machine. Kernel modifications are also more dangerous than user-space solutions (e.g. less memory protection, easier to affect things you didn't intend to; harder to be sure that it's "correct").
It's very believable that grsecurity users needn't bother with systrace, but systrace's approach does appear to offer advantages to some users.