'lo,
I use grsecurity 1.9.8 with gradm-1.6. One of the main problem of the acl sys
tem, IMO, is that is is useless if the system didn't boot with the grsec kernel. If someone boots with a floppy disk, he can mount the file system and the acls system isn't activated anymore. So my question is :
Is it possible to "link" a file system to a kernel ? for exemple, modifying the ext2 structure (or another FS) with an authentication of the kernel (with public key crypto, or a test of the kernel md5sum maybe ?)
The aim is to make the file system where the acl system applies unmountable
if the current kernel is not the right one (i.e. without grsec support).
What do you thing about this ?
Is it a possible improvement of grsecurity ?
Thx
CleeK
PS : ideas
- public / private keys :
. generate a couple of keys
. patch the kernel with the private key
. patch the FS with the public key and an authentication scheme (including util-linux (mount, etc ...) and of probably mkfs)
- md5sum :
. difficult because the md5sum changes at each recomplation