On Wed, Feb 09, 2011 at 06:51:02PM +0100, maximilian attems wrote:
> Be more precise in what SELinux can't do for you?

SELinux is only MAC. It attempts to protect userspace from userspace. From my view, the bulk of the benefits in grsec and PaX are protecting the kernel from userspace. Take for example the case of syscalls. There is nothing in a MAC that can filter syscalls, so if there is a new vulnerability in a syscall, you might get attacked, and no MAC can stop it.

PaX adds a lot of internal hardening to mitigate most kernel exploitation attempts (for example, actually enforcing the kernel/userspace memory segmentation so that kernel code can't be tricked into running code from a userspace mapping, setting function pointers and call tables read-only so that an arbitrary write isn't instantly turned into a root-escalation, hiding the location of kernel addresses to frustrate attacks that need to find in-kernel offsets, actually checking the size of copy_to/from_user work to avoid overflows, the list goes on and on).

> (Emulating NX for bad hardware doesn't count these days).

Why not? A giant amount of hardware lacks NX, and is still in active use, especially for Debian (people are turning more to Debian as other distros move their minimum instruction set requirements higher and higher).

-Kees

--
Kees Cook @debian.org