Hi I installed linux-grsec kernel on my Arch system a few days back for improved security. My next step is to sandbox internet-facing applications such as firefox, thunderbird, torrent client, etc. However, it seems like grsecurity patchset doesn't have application sandboxing capability (Does it? Couldn't find it in docs or forums). In the past, I used Apparmor on Ubuntu for basic sandboxing. I tried installing it on linux-grsec kernel but it seems like the necessary kernel options required for installing Apparmor are disabled on linux-grsec kernel. The kernel options required by Apparmor on Arch are [1]: CONFIG_SECURITY_APPARMOR=y CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1 CONFIG_DEFAULT_SECURITY_APPARMOR=y CONFIG_AUDIT=y While my linux-grsec kernel's configuration reports: # CONFIG_SECURITY_APPARMOR is not set I think I could enable the required options by recompiling the linux-grsec kernel but it seems like the grsecurity team now provides the stable patches only to commercial customers [2], so I believe I won't be able to recompile the kernel myself (Perhaps I'm wrong?). I was hoping someone here would be able to help me install Apparmor on linux-grsec kernel or atleast point me in the right direction. Regards [1] https://wiki.archlinux.org/index.php/AppArmor#Kernel [2] https://grsecurity.net/announce.php
