On Thu, May 17, 2012 at 3:04 PM, Anthony G. Basile <[email protected]> wrote:
> Liberte, last I looked, has quite a few hardening features off.
True — this is made necessary by having to support virtualized environments (and, of course, Xorg, wrt. GRKERNSEC_IO). Since our last discussion on the subject, I have “discovered” the GRKERNSEC_HARDENED_VIRTUALIZATION profile, which fits quite well the settings that were carefully selected previously. By the way, Liberté also mounts /dev with noexec, and I received no complaints so far (see bug #92921). I also grepped the driver sources before making the change, and didn't find any attempts to map /dev/mem with PROT_EXEC. No idea if the noexec issue is still present with proprietary drivers, though.

--
Maxim Kammerer
Liberté Linux (discussion / support: http://dee.su/liberte-contribute)
