[Ksummit-discuss] [TECH TOPIC] Kernel Hardening

Luis R. Rodriguez mcgrof at suse.com
Tue Aug 25 16:45:49 UTC 2015


On Mon, Aug 24, 2015 at 10:46:33PM +0200, Thomas Gleixner wrote:
> While we certainly want to add mechanisms which prevent flaws to be
> exploited we surely want to do something about educating people how to
> avoid the flaws in the first place.

<-- snip -->

> I totally agree that we cannot prevent all flaws, but we certainly can
> do better in reducing the quantity. And that means that we need to
> educate people. And that education involve documentation and clever usage of
> tools.

What folks have been discussing mostly after this post are reactive security
solutions, that's fine but I think we need to also be a bit more proactive
about what we let folks design in terms of *new* userspace APIs. For instance
although it would not solve all userspace facing issues, I certainly think
things like struct nla_policy helps move away from loose userspace APIs.
The next evolutionary step was generic netlink but that may be too tied down
to networking.

  Luis


More information about the Ksummit-discuss mailing list