Difference between revisions of "Grsecurity"
m (minor english fixes →TPE (Trusted Path Execution)) |
(added link to TPE description) |
||
| (5 intermediate revisions by 4 users not shown) | |||
| Line 9: | Line 9: | ||
== TPE (Trusted Path Execution) == | == TPE (Trusted Path Execution) == | ||
| − | Starting from 2.6.18-028stab047.1 stable kernels OpenVZ kernels support TPE grsecurity feature out of the box. | + | Starting from 2.6.18-028stab047.1 stable kernels OpenVZ kernels support TPE [http://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options#Trusted_Path_Execution_.28TPE.29] grsecurity feature out of the box. |
Which means root user can configure TPE inside VE as usual, i.e. via the following /proc files: | Which means root user can configure TPE inside VE as usual, i.e. via the following /proc files: | ||
* /proc/sys/kernel/grsecurity/grsec_lock | * /proc/sys/kernel/grsecurity/grsec_lock | ||
| Line 21: | Line 21: | ||
' lock grsecurity settings | ' lock grsecurity settings | ||
# echo 1 > /proc/sys/kernel/grsecurity/grsec_lock | # echo 1 > /proc/sys/kernel/grsecurity/grsec_lock | ||
| + | |||
| + | == Links == | ||
| + | * http://www.grsecurity.net/ | ||
[[Category: Kernel]] | [[Category: Kernel]] | ||
[[Category: HOWTO]] | [[Category: HOWTO]] | ||
Latest revision as of 08:35, 21 September 2011
There is a huge demand from people for support of grsecurity on OpenVZ. However, unfortunately, grsecurity patch doesn't work as is (nor even applies) with OpenVZ kernel. There were some efforts of supporting grsec in bug #607, but failed and the grsecurity patch was never stable with OpenVZ.
So instead OpenVZ team selected another approach. We port the features of grsecurity most requested by users and add them, maintain, document and support.
TPE (Trusted Path Execution)[edit]
Starting from 2.6.18-028stab047.1 stable kernels OpenVZ kernels support TPE [1] grsecurity feature out of the box. Which means root user can configure TPE inside VE as usual, i.e. via the following /proc files:
- /proc/sys/kernel/grsecurity/grsec_lock
- /proc/sys/kernel/grsecurity/tpe
- /proc/sys/kernel/grsecurity/tpe_gid
- /proc/sys/kernel/grsecurity/tpe_restrict_all
To enable TPE feature in a standard way just type:
# echo <GID> > /proc/sys/kernel/grsecurity/tpe_gid # echo 1 > /proc/sys/kernel/grsecurity/tpe ' lock grsecurity settings # echo 1 > /proc/sys/kernel/grsecurity/grsec_lock
