Not logged in
Log in now
Create an account
Subscribe to LWN
Deadline scheduling: coming soon?
LWN.net Weekly Edition for November 27, 2013
ACPI for ARM?
LWN.net Weekly Edition for November 21, 2013
GNU virtual private Ethernet
For example, Linux containers with PID and network namespaces are a superior alternative to gresecurity 'anti-chroot-jailbreak' features and simple restriction of netstat to root user.
Though I agree, the kernel needs one coherent set of hook points that can be used to implement different kinds of security (MAC, RBAC).
Yama: not so fast
Posted Aug 5, 2010 21:45 UTC (Thu) by spender (subscriber, #23067)
Posted Aug 5, 2010 22:09 UTC (Thu) by Cyberax (✭ supporter ✭, #52523)
My systems run a fair amount of legacy code, but I was able to migrate all of it to LXC. It's even feasible to isolate it even further using Xen/KVM now, because hardware is so damn cheap. So adding protections to 'chroot' just isn't worth it, IMO. Actually, it should be possible to reimplement chroot on top of containers.
Some features of grsecurity would better be generalized. For example, IP address tracking should be generalized to other types of metadata (what if I use IP-less protocols?).
Personally, I'd like to see some of features of grsecurity in the mainline kernel. Though I don't really care about a lot of other features...
Posted Aug 6, 2010 11:56 UTC (Fri) by nix (subscriber, #2304)
So even when we provide patches to allow existing mechanisms to be used in pervasive things like glibc *and prove that they are useful*, they are still rejected. *sigh*
(That was the last time I was tempted to contribute to glibc at all. Life is too short to work with maintainers with attitudes like that. The stack-protection patch still works, if anyone wants a version against eglibc head.)
Posted Aug 9, 2010 21:09 UTC (Mon) by ilmari (subscriber, #14175)
Posted Aug 10, 2010 5:58 UTC (Tue) by rahulsundaram (subscriber, #21946)
Posted Aug 11, 2010 23:46 UTC (Wed) by nix (subscriber, #2304)
Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds