Re: exec-shield (maybe ITP kernel-patch-exec-shield)
On Fri, Nov 28, 2003 at 10:04:42AM -0200, Henrique de Moraes Holschuh wrote:
> On Fri, 28 Nov 2003, Peter Busser wrote:
> > > I for one, do (especially since I have Russell's word that it would work
> > > quite well along with SE Linux).
> > It is nice to hear that Russell changed his mind after the previous discussion.
> I am not implying he said PaX would not need patch merge changes to apply,
> mind you. Just that PaX would enhance the security of a SELinux system, and
> that the two can conceptually work well together.
Oh yes, sure, a mandatory access control subsystem improves PaX' effectiveness.
> > Debian testing worked on a test system with the Adamantix kernel-image package
> > (which obviously includes PaX with the most restrictive settings enabled). X
> > breaks, but it breaks on exec-shield too.
> This is the kind of thing that would make the adoption slow. We'd need to
> fix it, and fix it properly.
Right, it is not useful to have a memory protection patch that does not protect
certain important programs. It doesn't seem to be very difficult to fix though.
The Adamantix Project
Taking high-security Linux out of the labs, and into the real world