How well does GRsecurity get along with those security LSMs?

Post by konst » Sat Sep 03, 2011 8:16 am

Do the LSMs step on the toes of grsecurity? Do they lessen the security provided by grsecurity?
Anyone have any experience or knowledge of how well the others play with grsecurity?
I don't mean SELinux but the other ones like TOMOYO and AppArmor.
konst
 
Posts: 21
Joined: Fri Jul 10, 2009 8:23 am

Re: How well does GRsecurity get along with those security L

Post by LSD » Sat Sep 03, 2011 11:24 am

LSMs or all MACs including grsec's RSBAC are only your last level of defense.

Imagine attacking a server with a grsec-protected kernel. You already found a way to exploit your newest imap software and you are holding a remote root in your hands. Ofc you can't browse dirs, you can't write to /*/*/bin... unfortunately the net daemon is in a group with others who can use raw sockets. Just redirect ssh sessions, wait for root to log in... kaboom, you have the gradm password and the game is over.
LSD
 
Posts: 3
Joined: Sat Sep 03, 2011 11:16 am

Re: How well does GRsecurity get along with those security L

Post by Lox » Sun Sep 04, 2011 12:14 pm

Lox
 
Posts: 8
Joined: Sat Jul 02, 2011 7:53 pm

Re: How well does GRsecurity get along with those security L

Post by spender » Mon Sep 05, 2011 5:07 am

Grsecurity works fine with any other LSM. Ironically, if grsecurity's RBAC were implemented as an LSM, then it wouldn't co-operate with any other LSM ;)

As for LSD's comment, what he says is possible, but it's not as simple as he makes it sound. To make use of the special privilege, all the operations have to be done within the privileged task. For further reading, make note of the discussion of arbitrary code execution here:
viewtopic.php?f=7&t=2522

-Brad (from airport in Seoul)
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: How well does GRsecurity get along with those security L

Post by LSD » Mon Sep 05, 2011 8:35 am

Yeah, sorry Brad. I wanted to point out how worthless policies are (mostly what LSMs are doing) compared to real kernel hardening (grsec). Attacking a grsec was never easy.
LSD
 
Posts: 3
Joined: Sat Sep 03, 2011 11:16 am

