From: Paul Sladen (vserver_at_paul.sladen.org)
Date: Fri 03 Jan 2003 - 16:54:02 GMT
On Fri, 3 Jan 2003, Georges Toth wrote:
> has anybody tried to apply these patches to a vanilla kernel:
> - vserver - xfs - grsecurity
Try it; do you get any rejects? There might be the odd place where the
patches apply but there is a conflict (e.g., schedule/process management).
> are there any problems with applying the vserver+grsecurity patch ?
The best I can find for an introduction, says:
] You need an ACL system if you want to restrict access to files,
] capabilities, resources, or sockets to ALL users, including root.
]
] This is what is called a Mandatory Access Control (MAC) model. The other
] features of grsecurity are only effective at fending off attackers trying
] to gain root, so the ACL system is used to fill in this gap. Least
] privilege can be granted to processes, which in turn forces attackers to
] reevaluate their methods of attack, since gaining access to the root
] account no longer means that they have full access to the system. Access
] can be explicitly granted to processes that need it, in such a way that
] root acts as any other user.
]
] Though grsecurity and its ACL system are in no means perfect security,
] they greatly increase the difficulty of successfully compromising the
] system.
Let us know how you get on.
-Paul
-- Nottingham, GB
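
Rejects show up while patching, but the case mentioned above, where two patches both apply cleanly to the same file, does not. The script below is an added example, not part of the original post: it lists files touched by more than one patch so those can be reviewed by hand. The patch file names and the paths in the sample headers are constructed placeholders and do not reflect the contents of the real patches.

```shell
#!/bin/sh
# Added example: find files modified by more than one patch in a stack.
# Assumes unified diffs meant for "patch -p1" and paths without whitespace.

touched_files() {
    # $1: patch file. Print each target path once, first component stripped.
    awk '
        /^--- /                                   { hdr = 1; next }
        hdr && /^[+][+][+] / && $2 != "/dev/null" { print $2 }
                                                  { hdr = 0 }
    ' "$1" | sed 's|^[^/]*/||' | sort -u
}

overlapping_files() {
    # $@: patch files in the order they will be applied.
    # Print "path: patchA patchB ..." for every path shared by two or more.
    for p in "$@"; do
        touched_files "$p" | awk -v patch="$p" '{ print $0 "\t" patch }'
    done | awk -F '\t' '
        { who[$1] = who[$1] " " $2; n[$1]++ }
        END { for (f in n) if (n[f] > 1) print f ":" who[f] }
    ' | sort
}

demo() (
    dir=$(mktemp -d) && cd "$dir" || exit 1
    # Constructed sample input: file headers only, hunk bodies omitted.
    printf '%s\n' \
        '--- linux.orig/kernel/sched.c' '+++ linux/kernel/sched.c' \
        '--- linux.orig/kernel/fork.c'  '+++ linux/kernel/fork.c' > vserver.diff
    printf '%s\n' \
        '--- linux.orig/fs/namei.c'     '+++ linux/fs/namei.c' > xfs.diff
    printf '%s\n' \
        '--- linux.orig/kernel/sched.c' '+++ linux/kernel/sched.c' \
        '--- linux.orig/fs/namei.c'     '+++ linux/fs/namei.c' > grsecurity.diff
    overlapping_files vserver.diff xfs.diff grsecurity.diff
    cd / && rm -rf "$dir"
)

demo
```

A file listed here is not necessarily a conflict, only a place where a clean apply should still be read through by hand.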