[Ksummit-discuss] [TECH TOPIC] Kernel Hardening
Luis R. Rodriguez
mcgrof at suse.com
Tue Aug 25 16:45:49 UTC 2015
On Mon, Aug 24, 2015 at 10:46:33PM +0200, Thomas Gleixner wrote:
> While we certainly want to add mechanisms which prevent flaws from being
> exploited we surely want to do something about educating people how to
> avoid the flaws in the first place.
<-- snip -->
> I totally agree that we cannot prevent all flaws, but we certainly can
> do better in reducing the quantity. And that means that we need to
> educate people. And that education involves documentation and clever usage of
> tools.
What folks have been discussing mostly after this post are reactive security
solutions; that's fine, but I think we need to also be a bit more proactive
about what we let folks design in terms of *new* userspace APIs. For instance,
although it would not solve all userspace-facing issues, I certainly think
things like struct nla_policy help move away from loose userspace APIs.
The next evolutionary step was generic netlink but that may be too tied down
to networking.
Luis