Re: Can't install AppArmor on linux-grsec kernel




> I installed linux-grsec kernel on my Arch system a few days back for
> improved security. My next step is to sandbox internet-facing
> applications such as firefox, thunderbird, torrent client, etc.
> However, it seems like grsecurity patchset doesn't have application
> sandboxing capability (Does it? Couldn't find it in docs or forums).

It has an implementation of mandatory access control (grsecurity RBAC).

> In the past, I used Apparmor on Ubuntu for basic sandboxing. I tried 
> installing it on linux-grsec kernel but it seems like the necessary 
> kernel options required for installing Apparmor are disabled on 
> linux-grsec kernel. The kernel options required by Apparmor on Arch
> are [1]:

It has grsecurity RBAC and TOMOYO, but not AppArmor, SELinux or SMACK.

I won't be enabling CONFIG_AUDIT unless core/linux turns it on, and
AppArmor/SELinux depended on it when I last checked.

> I think I could enable the required options by recompiling the 
> linux-grsec kernel but it seems like the grsecurity team now provides 
> the stable patches only to commercial customers [2], so I believe I 
> won't be able to recompile the kernel myself (Perhaps I'm wrong?).

The package in the repository uses the test patch which follows along
with the most recent upstream stable release branch. The stable patches
were used in the linux-grsec-lts package which is gone. How would you be
able to install it from the repositories if it wasn't available? :\

The grsecurity stable patches are for the 3.2 and 3.14 longterm branches
and the 3.2 patches will be ending soon.

> I was hoping someone here would be able to help me install Apparmor
> on linux-grsec kernel or at least point me in the right direction.

I recommend using RBAC or TOMOYO. If you use AppArmor, you're going to
need to recompile the kernel every week since the grsecurity patches are
very frequent (often every few days or a couple times in one day).

Attachment: signature.asc
Description: This is a digitally signed message part
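
Added example, not part of the original message or of the linux-grsec package: a shell check that reads a kernel config file and reports which of the MAC frameworks named above are enabled, flagging AppArmor and SELinux as blocked when CONFIG_AUDIT is off, as the reply describes. The function names, the output format and the sample config are constructed for illustration.

```shell
#!/bin/bash
# cfg_state FILE SYMBOL: print y or m if SYMBOL is enabled in FILE, else n.
cfg_state() {
    local v
    v=$(sed -n "s/^$2=\([ym]\)\$/\1/p" "$1" | head -n 1)
    echo "${v:-n}"
}

# mac_report FILE: one "name=state" line per framework. The third column of
# the table marks frameworks the message says depend on CONFIG_AUDIT.
mac_report() {
    local cfg=$1 audit name sym needs_audit state
    audit=$(cfg_state "$cfg" CONFIG_AUDIT)
    echo "audit=$audit"
    while read -r name sym needs_audit; do
        state=$(cfg_state "$cfg" "$sym")
        if [ "$state" = n ] && [ "$needs_audit" = yes ] && [ "$audit" = n ]; then
            state="n(blocked:CONFIG_AUDIT)"
        fi
        echo "$name=$state"
    done <<'EOF'
grsecurity CONFIG_GRKERNSEC no
tomoyo CONFIG_SECURITY_TOMOYO no
apparmor CONFIG_SECURITY_APPARMOR yes
selinux CONFIG_SECURITY_SELINUX yes
smack CONFIG_SECURITY_SMACK no
EOF
}

# Constructed sample config (not taken from a real linux-grsec build).
sample_config() {
    cat <<'EOF'
CONFIG_GRKERNSEC=y
CONFIG_SECURITY_TOMOYO=y
# CONFIG_SECURITY_APPARMOR is not set
# CONFIG_SECURITY_SELINUX is not set
# CONFIG_SECURITY_SMACK is not set
# CONFIG_AUDIT is not set
EOF
}

# With a path argument, report on that config; otherwise use the sample.
if [ $# -gt 0 ]; then
    mac_report "$1"
else
    tmp=$(mktemp) && sample_config > "$tmp" && mac_report "$tmp"
    rm -f "$tmp"
fi
```

To check the running kernel, decompress /proc/config.gz to a regular file first (it exists only when the kernel was built with CONFIG_IKCONFIG_PROC) and pass that path as the argument.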

