List:       gentoo-hardened
Subject:    Re: [gentoo-hardened] Re: grsec/pax with xen
From:       pageexec () freemail ! hu
Date:       2007-12-08 18:13:16
Message-ID: 475AFADC.27041.EEDD667 () pageexec ! freemail ! hu

On 8 Dec 2007 at 12:33, timpoluk@gmx.net wrote:
> > on the host side, i think pretty much all of grsec/PaX will work fine
> > except for KERNEXEC (and even that is not unfixable either, but it needs
> > a patch in the hypervisor code itself, not PaX).
> 
> Unfortunately I am not able to do such coding :-/ If you talk about
> KERNEXEC I guess the kernel option CONFIG_GRKERNSEC_KMEM has to be
> disabled. Could I use RBAC to get back anything of the lost protection?

KERNEXEC is a PaX feature, independent of grsec's kmem protection.
and no, the kmem protection has nothing to do with virtualization
as everyone has kernel modules to manage host side memory.

> If I want to try XEN what's the preferred way to implement it? Downloading
> a kernel patched with XEN and then patching with grsecurity or reverse?

grsec doesn't support xen's dom0 yet (only when it'll enter mainline),
domU may already work with the latest 2.6.23+ kernels (at least i tried
to make it compatible with PaX), but i have yet to test it myself. in
other words, you can't use grsec on a xen host yet, only in a guest.

-- 
gentoo-hardened@gentoo.org mailing list