On 30/07/2013 11:36, Tanstaafl wrote:
> On 2013-07-30 4:11 AM, Randolph Maaßen <r.maasse...@gmail.com> wrote:
>> It needs a couple of kernel modules to work, but emerge will prompt to
>> you what it needs.
>
> Side question...
>
> I want to run the vmware tools on my gentoo VM (so the host can safely
> power it down), but it also requires modules.
>
> For security reasons I have never enabled modules on my servers, but...

It doesn't enhance security unless additional measures are taken (see
below).

> Is there a way to do this securely, so that *only* the necessary modules
> could ever be loaded?

You can use grsecurity (which is in hardened-sources). With
CONFIG_GRKERNSEC_MODSTOP enabled, you will be able to run:
# echo 1 > /proc/sys/kernel/grsecurity/disable_modules
After that, no further modules can be loaded. However, you would also
need to disable privileged I/O and the ability to write to /dev/kmem,
both of which grsecurity also facilitates.
--Kerin
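
An added example, not part of the original message: a shell check that a host is actually in the state the reply describes, with the module switch set, the privileged I/O and /dev/kmem restrictions built in, and only expected modules loaded. The function name, its parameters and the allowlist are assumptions of this example; CONFIG_GRKERNSEC_IO and CONFIG_GRKERNSEC_KMEM are grsecurity's option names for the two extra restrictions.

```shell
#!/bin/sh
# audit_lockdown CONFIG_FILE PROC_ROOT "ALLOWED MODULES"
#   CONFIG_FILE  plain-text kernel config (e.g. zcat /proc/config.gz > file)
#   PROC_ROOT    normally /proc (a parameter so the check can be tested)
#   ALLOWED      space-separated names of the modules you intend to run
# Prints one line per check and returns the number of failed checks.
audit_lockdown() {
    cfg=$1; proc=$2; allowed=" $3 "; fails=0

    # The runtime switch and the I/O and kmem restrictions only exist
    # if these options were built into the kernel.
    for opt in CONFIG_GRKERNSEC_MODSTOP CONFIG_GRKERNSEC_IO CONFIG_GRKERNSEC_KMEM; do
        if grep -q "^${opt}=y\$" "$cfg" 2>/dev/null; then
            echo "ok    $opt=y"
        else
            echo "FAIL  $opt is not set to y"; fails=$((fails + 1))
        fi
    done

    # The switch must have been flipped after the needed modules loaded.
    sw="$proc/sys/kernel/grsecurity/disable_modules"
    if [ -r "$sw" ] && [ "$(cat "$sw")" = "1" ]; then
        echo "ok    disable_modules=1"
    else
        echo "FAIL  disable_modules is not 1, modules can still be loaded"
        fails=$((fails + 1))
    fi

    # Anything loaded before the switch was set stays loaded, so compare
    # the first field of each /proc/modules line against the allowlist.
    if [ -r "$proc/modules" ]; then
        while read -r name _rest; do
            [ -n "$name" ] || continue
            case "$allowed" in
                *" $name "*) echo "ok    module $name is on the allowlist" ;;
                *) echo "FAIL  unexpected module loaded: $name"
                   fails=$((fails + 1)) ;;
            esac
        done < "$proc/modules"
    fi

    return "$fails"
}
```

Run it late in boot, after the step that writes 1 to disable_modules, and treat a non-zero return as a failed boot check.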