
Recommended kernel options for grsec + xen (as dom0)

Posted: Mon Mar 26, 2012 10:28 pm
by strav
Hi. I'm currently trying to harden a 3.2.13 kernel that would serve as dom0 for xen virtualisation. From what I've gathered in other posts, it seems that the sole option to be disabled in order to ensure that xen properly works as dom0 is KERNEXEC. In my .config however, the only option that's close to KERNEXEC is CONFIG_PAX_KERNEXEC_PLUGIN_METHOD=""; is there anything I should set here (or elsewhere)? Besides, when trying to launch xend, I'm getting an error stating that there's nothing to be found in /proc/xen ... can this be due to CONFIG_GRKERNSEC_PROC=Y?

A full list of recommended kernel options to ensure maximal security along with a working xen would be greatly appreciated if you happen to have something in this vein.

Thanks!

Mathieu

Re: Recommended kernel options for grsec + xen (as dom0)

Posted: Tue Mar 27, 2012 5:27 am
by PaX Team
strav wrote: Hi. I'm currently trying to harden a 3.2.13 kernel that would serve as dom0 for xen virtualisation. From what I've gathered in other posts, it seems that the sole option to be disabled in order to ensure that xen properly works as dom0 is KERNEXEC.

UDEREF is another feature that won't work in Xen; both of these already depend on !XEN, so you can't select them. For everything else, feel free to give them a try ;).
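
An added example, not part of either post: a small `.config` check that reports the state of the two options the reply says depend on !XEN. Kconfig does not write a symbol whose dependency is unmet, so with Xen enabled these show up as absent rather than "is not set". The symbol names `CONFIG_XEN`, `CONFIG_PAX_KERNEXEC` and `CONFIG_PAX_UDEREF` are assumed, and both config fragments are constructed samples.

```python
import re

# Options the reply says depend on !XEN (symbol names assumed, not from the thread).
NEEDS_NO_XEN = ("CONFIG_PAX_KERNEXEC", "CONFIG_PAX_UDEREF")
_SET = re.compile(r'^(CONFIG_\w+)=(.*)$')
_UNSET = re.compile(r'^# (CONFIG_\w+) is not set$')

def parse_config(text):
    """Map each symbol in a kernel .config to its value ('n' for 'is not set')."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        m = _SET.match(line)
        if m:  # whole-symbol match: ..._KERNEXEC_PLUGIN_METHOD is its own key
            opts[m.group(1)] = m.group(2).strip('"')
            continue
        m = _UNSET.match(line)
        if m:
            opts[m.group(1)] = "n"
    return opts

def audit(text):
    """Classify each !XEN-dependent option in the given .config text."""
    opts = parse_config(text)
    xen = opts.get("CONFIG_XEN") == "y"
    result = {}
    for sym in NEEDS_NO_XEN:
        val = opts.get(sym)
        if val == "y":  # enabled together with XEN should be impossible
            result[sym] = "conflict" if xen else "enabled"
        elif val == "n":
            result[sym] = "disabled"
        else:  # symbol not written to .config at all
            result[sym] = "hidden-by-xen" if xen else "absent"
    return result

# Constructed sample fragments, not taken from the thread.
DOM0_CONFIG = '''CONFIG_XEN=y
CONFIG_PAX_KERNEXEC_PLUGIN_METHOD=""
CONFIG_GRKERNSEC_PROC=y
'''
BARE_METAL_CONFIG = '''# CONFIG_XEN is not set
CONFIG_PAX_KERNEXEC=y
# CONFIG_PAX_UDEREF is not set
'''

if __name__ == "__main__":
    for name, cfg in (("dom0", DOM0_CONFIG), ("bare metal", BARE_METAL_CONFIG)):
        print(name, audit(cfg))
```

Matching on the full symbol name matters here: a plain substring search for KERNEXEC would hit `CONFIG_PAX_KERNEXEC_PLUGIN_METHOD` and suggest the feature is present when it is not.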