[grsec] grsec patch for 2.6.15?
Dan Hollis
reg5423374856 at anime.net
Mon Jan 9 17:03:07 EST 2006
On Mon, 9 Jan 2006, Jan Krueger wrote:
>> This attitude toward kernel security is very curious; if your assertion is
>> true than surely 2.6 is needing pax more than anything.
> even great tools like PaX and Grsecurity/RBAC are of little help if the
> kernel has its own security weaknesses. For example, suppose an obscure
> kernel bug is discovered that allows local users to execute arbitrary code
> in kernel space when, say, they do something weird with a certain /proc file
> (bear with me if this example sounds stupid... I know virtually nothing
> about the kernel code). As soon as an attacker gets to run code in kernel
> space, they can do whatever they damn well please (even if they have to
> patch the image of other processes, but usually there's an easier way).
the whole _point_ of grsecurity is to prevent the scenario above. In fact
pax does this quite well in most cases (all cases actually, that I have
tested so far).
-Dan
More information about the grsecurity
mailing list