Re: Does OpenVZ have support for GrSecurity? [message #15081 is a reply to message #15053]
Wed, 18 July 2007 07:42
dev
grsecurity does conflict a lot with the OpenVZ changes, so it requires some effort to resolve/fix them. Also, the grsecurity patch looks to be poorly documented, and thus it's hard to dig into it. If there is a volunteer, we can give him a patch we already have for doing this job. Surely, it is not impossible; it is just something we have no resources for :/
Next, there are some concerns about security. The RHEL5 kernel provides execshield and randomization of address spaces. So the major feature is available out of the box. Many other features of grsecurity look like fake security (just giving you a feeling of safety), e.g. users who can't see other users' processes in /proc. It doesn't help security, and a slightly experienced user can still easily find all the other PIDs in the system.
And the main question is: why does someone want grsecurity? To protect users from each other? Then use a dedicated VE for each of them (which is a much more hardened chroot protection, even compared to grsec) and be happy. If I am missing something and you need some particular feature of grsec, then please let me know. We'll do our best to bring it.
[Updated on: Wed, 18 July 2007 08:39]