
Bug#605090: Updated patch



On Wed, Feb 09, 2011 at 06:51:02PM +0100, maximilian attems wrote:
> Be more precise in what SELinux can't do for you?

SELinux is only MAC. It attempts to protect userspace from userspace. From
my view, the bulk of the benefits in grsec and PaX are protecting the
kernel from userspace. Take for example the case of syscalls. There
is nothing in a MAC that can filter syscalls, so if there is a
new vulnerability in a syscall, you might get attacked, and no MAC
can stop it. PaX adds a lot of internal hardening to mitigate most
kernel exploitation attempts (for example, actually enforcing the
kernel/userspace memory segmentation so that kernel code can't be
tricked into running code from a userspace mapping, setting function
pointers and call tables read-only so that an arbitrary write isn't
instantly turned into a root-escalation, hiding the location of kernel
addresses to frustrate attacks that need to find in-kernel offsets,
actually checking the size of copy_to/from_user work to avoid overflows,
the list goes on and on).

> (Emulating NX for bad hardware doesn't count these days).

Why not? A giant amount of hardware lacks NX, and is still in active use,
especially for Debian (people are turning more to Debian as other distros
move their minimum instruction set requirements higher and higher).

-Kees

-- 
Kees Cook                                            @debian.org
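As an added illustration of the copy_to/from_user size checking mentioned above (this is not code from the mail, from the Debian thread, or from PaX itself): a small user-space model in C of a copy helper that refuses a copy unless the destination lies inside a known object and the whole length fits. The object registry, the function names and the -1 error return are assumptions made for the example; the real PaX check consults slab and stack metadata instead of a hand-maintained table.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model (hypothetical names): the "kernel" records the
 * objects it allocated, the way a slab allocator knows each object's size. */
struct tracked_obj { void *base; size_t size; };
static struct tracked_obj registry[8];
static int registry_len;

static char kbuf[16];                               /* a "kernel" object */
static const char user_data[] = "hello from userspace"; /* constructed "user" input */

static void track_object(void *base, size_t size)
{
    if (registry_len < 8) {
        registry[registry_len].base = base;
        registry[registry_len].size = size;
        registry_len++;
    }
}

/* Reset the registry and register kbuf; safe to call more than once. */
static void model_init(void)
{
    registry_len = 0;
    track_object(kbuf, sizeof kbuf);
}

/* The hardening check: dst must fall inside one tracked object and the
 * copy of n bytes must not run past its end. Returns 0 if allowed, -1 if not. */
static int usercopy_check(const void *dst, size_t n)
{
    uintptr_t d = (uintptr_t)dst;
    for (int i = 0; i < registry_len; i++) {
        uintptr_t b = (uintptr_t)registry[i].base;
        if (d >= b && d < b + registry[i].size)
            return (n <= registry[i].size - (d - b)) ? 0 : -1;
    }
    return -1; /* destination is not inside any known object */
}

/* Checked copy: a plain memcpy would trust n and overflow kbuf. */
static int copy_from_user_checked(void *dst, const void *src, size_t n)
{
    if (usercopy_check(dst, n) != 0)
        return -1;
    memcpy(dst, src, n);
    return 0;
}

int main(void)
{
    model_init();
    printf("copy 16 bytes: %d\n", copy_from_user_checked(kbuf, user_data, 16));
    printf("copy 21 bytes: %d\n", copy_from_user_checked(kbuf, user_data, sizeof user_data));
    return 0;
}
```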