From: Alex Efros <powerman@powerman.asdfgroup.com>
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] hardened workstation - is that worth it?
Date: Tue, 25 Nov 2008 22:40:49 +0200
Message-ID: <20081125204049.GN1806@home.power>
In-Reply-To: <200811251839.26200.janklodvan@gmail.com>
Hi!
On Tue, Nov 25, 2008 at 06:39:26PM +0200, Jan Klod wrote:
> Could you post a list of apps, that need PaX lifted?
Most of this is already done by portage when emerging apps, so you rarely
need to do this manually. A few examples that come to mind are operawrapper for
running complex Flash/Flex applications; mplayer for playing files in
windows-related formats using codecs in .dll (media-libs/win32codecs);
and OS Inferno, which is a virtual machine like Java but compiled manually
(probably I'll create an ebuild for it later).
Also you have to switch off one item in the kernel configuration (compared to
a typical config on servers):
Security options ---> Grsecurity ---> Address Space Protection --->
[ ] Disable privileged I/O
and may need to enable loadable modules support (also switched off on
servers) to work with VMware or binary NVidia drivers etc.
> Also there is another question: has anyone made some benchmarks to see how
> much raw computing power (CPU+RAM access, which happen during some purely
> computational task) decreases?
There are some available on the internet, just google for it. AFAIR there was
a 2-5% slowdown compared to a non-hardened system.
I did my own tests several years ago when switching to hardened - same
results: 2% slowdown for most operations, compiling a little slower.
Nothing noticeable on a workstation to worry about unless you have ancient
hardware which plays mp3s using 100% CPU and will lag if you do anything
else at the same time. :)
--
WBR, Alex.
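
The question of which binaries have PaX protections lifted can be answered by reading the markings from the binaries themselves. The sketch below is an added example, not part of the original message: it assumes the flags live in the PT_PAX_FLAGS ELF program header (the marking that paxctl edits), takes its constants from the PaX patch's elf.h, and uses illustrative function names and a constructed sample ELF.

```python
import struct

PT_PAX_FLAGS = 0x65041580  # PT_LOOS + 0x5041580, per the PaX patch's elf.h
# p_flags bits that explicitly switch a protection OFF for the binary
DISABLE_BITS = {1 << 5: "PAGEEXEC", 1 << 7: "SEGMEXEC", 1 << 9: "MPROTECT",
                1 << 11: "RANDEXEC", 1 << 13: "EMUTRAMP", 1 << 15: "RANDMMAP"}

def pax_flags(data):
    """Return p_flags of the PT_PAX_FLAGS header, or None if absent or not ELF."""
    if len(data) < 6 or data[:4] != b"\x7fELF":
        return None
    if data[4] not in (1, 2) or data[5] not in (1, 2):
        return None
    is64 = data[4] == 2
    end = "<" if data[5] == 1 else ">"
    if len(data) < (64 if is64 else 52):
        return None  # truncated ELF header
    if is64:
        (phoff,) = struct.unpack_from(end + "Q", data, 32)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 54)
        flags_off = 4   # Elf64_Phdr: p_flags follows p_type
    else:
        (phoff,) = struct.unpack_from(end + "I", data, 28)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 42)
        flags_off = 24  # Elf32_Phdr: p_flags is the seventh field
    for i in range(phnum):
        off = phoff + i * phentsize
        if off + flags_off + 4 > len(data):
            return None  # program header table runs past the data we have
        (p_type,) = struct.unpack_from(end + "I", data, off)
        if p_type == PT_PAX_FLAGS:
            return struct.unpack_from(end + "I", data, off + flags_off)[0]
    return None

def lifted(data):
    """Names of the PaX protections explicitly disabled for this ELF image."""
    flags = pax_flags(data)
    return [] if flags is None else [n for b, n in DISABLE_BITS.items() if flags & b]

def sample_elf64(flags):
    """Constructed input: little-endian ELF64 header plus one PT_PAX_FLAGS phdr."""
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    return ehdr + struct.pack("<IIQQQQQQ", PT_PAX_FLAGS, flags, 0, 0, 0, 0, 0, 8)

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:  # e.g. every file under /usr/bin
        with open(path, "rb") as f:
            print(path, ",".join(lifted(f.read(4096))) or "-")
```

Only the first 4096 bytes of each file are read, so a binary whose program header table sits beyond that is reported as having no marking.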