[grsec] grsec patch for 2.6.15?
Jan Krueger
jast at heapsort.de
Mon Jan 9 16:33:20 EST 2006
Hi,
> This attitude toward kernel security is very curious; if your assertion is
> true than surely 2.6 is needing pax more than anything.
even great tools like PaX and Grsecurity/RBAC are of little help if the
kernel has its own security weaknesses. For example, suppose an obscure
kernel bug is discovered that allows local users to execute arbitrary code
in kernel space when, say, they do something weird with a certain /proc file
(bear with me if this example sounds stupid... I know virtually nothing
about the kernel code). As soon as an attacker gets to run code in kernel
space, they can do whatever they damn well please (even if they have to
patch the image of other processes, but usually there's an easier way).
I imagine adapting Grsecurity to a new release of the kernel is quite a task
these days. If good integration of Grsecurity with the kernel is improved by
skipping the odd release, I won't object.
Best regards
Jan
More information about the grsecurity
mailing list