On Thu, Nov 11, 2010 at 13:52:12 +0000, maximilian attems wrote:

> LSM: Enable AppArmor as well as/instead of Tomoyo?
> ---------------------------------------------------
> As the LSMs need to be built we can't enable them. This needs a technical
> solution where code can be disregarded as init sections or similar.
> AppArmor seems more popular as openSUSE and Ubuntu use it. Technically
> Tomoyo is said to be cleaner.

What do you mean by "can't" here? You can build _all_ of them, actually. The active LSM is just selected at boot-time through the kernel command line arguments. If it's a concern over kernel size, upstream specifically removed the ability to make the LSM modular, so this means that no additional LSMs will ever be available in Debian?

> NX bit emulation and 32-bit mmap randomization
> ----------------------------------------------
> We don't want to carry intrusive patches.
> The NX patch was rejected as such by upstream and thus we won't take
> it either.

Why? These patches are well maintained, and touch areas of the kernel that do not change much (making them very easy to merge). Why leave non-PAE x86 users out in the cold when so many other distros use some form of this patchset? I've worked to make sure they only touch CONFIG_X86_32, so they're extremely minimal.

> Currently we recommend PAE for bigger boxes but do not default to it.
> Action item by bwh and waldi to default Debian Installer to it
> and deprecate non PAE 686.

This sounds great, regardless.

> Upstream status of the other patch is unknown, maks will consult Kees.

In my mind, they[1] are a single patch -- the "32-bit mmap randomization" is better named "ASCII Armor ASLR", which doesn't have much value, IMO. The entropy is extremely low compared to upstream ASLR, but it would be actually 0 if left out in the nx-emu case. As such, it is only enabled on systems that are using nx-emu. I intend to try to get it upstreamed, but it's pretty far down on my TODO list[2].

Thanks,

-Kees

[1] http://git.kernel.org/?p=linux/kernel/git/frob/linux-2.6-roland.git;a=shortlog;h=refs/heads/fedora/x86-nx-emulation
    http://git.kernel.org/?p=linux/kernel/git/frob/linux-2.6-roland.git;a=shortlog;h=refs/heads/fedora/32bit-mmap-exec-randomization
    (this one is still missing one additional patch from me...)

[2] https://wiki.ubuntu.com/SecurityTeam/Roadmap/KernelHardening#Upstream%20Hardening

-- 
Kees Cook @debian.org

Archive: http://lists.debian.org/20101118192339.gf13...@outflux.net