yjftsjthsd-h 4 hours ago

> We recommend exploring ways to automate upgrading your kernel

Like, running emerge -u @world on a regular basis, or ...

/me searches

Okay, so https://wiki.gentoo.org/wiki/Live_patching exists but says,

> A note of caution: Kernel live patching is risky. Count on hard freezing or panics to become normal...

That's not encouraging.

---

Another approach: Can we make the kernel vulns less important? Has anyone had luck moving more things to run under gvisor or firecracker or such?

belorn an hour ago

If we are looking at things like gvisor or firecracker, SELinux might be an alternative. From what I can see, SELinux prevented both copy fail and dirty frag, and maybe also fragnesia but I couldn't find any definitive answer on that one.

Last time I tried it was a pain to set up and a pain to use, but as a sysadmin there are a lot of things that share those attributes. The only question is if it's worth it. If the current avalanche of patches continues, it might.

gilrain 23 minutes ago

SELinux is a bear when you’re reacting to it, but ever since I took a day to proactively read about it, it’s become much easier to reason about. It’s not actually all that complex.

I still need to troubleshoot from time to time, but I never reach for permanent setenforce 0 anymore.

ordu 3 hours ago

> Like, running emerge -u @world on a regular basis

You can run emerge -u sys-kernel/whatever-kernel-u-use, maybe followed by `cd /usr/src/linux; make bzImage modules install modules_install...` well, probably you'd use genkernel or something like that, instead of hand-crafted scripts.

The point is: `emerge -u @world` can run into issues esp. if you customized a lot, it can't be automated fully, but I've never run into any issues with updating the kernel, and it can be automated.

It is not so hard to upgrade the kernel; the issue is with the reboot you need to automate. Or with live patching, which doesn't seem encouraging, as you say.
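One way to automate the reboot decision ordu mentions, as an added example that is not from the thread or from any Gentoo tooling: after the kernel package and modules are installed, compare the running kernel with the newest one under /lib/modules (the layout assumed here) so a cron job can tell whether a reboot is still pending. The function and directory names are hypothetical.

```shell
#!/bin/sh
# Added example: decide whether a reboot is needed after a kernel upgrade.
# Assumption: every installed kernel leaves a version-named directory under
# /lib/modules (the usual result of `make modules_install`).

# newest_installed_kernel DIR
# Prints the highest kernel version that has a modules directory under DIR
# (empty output if DIR is missing or empty).
newest_installed_kernel() {
    ls "$1" 2>/dev/null | sort -V | tail -n 1
}

# reboot_needed RUNNING DIR
# Exit status 0 when RUNNING differs from the newest kernel under DIR,
# 1 when they match, 2 when DIR holds no kernels at all.
reboot_needed() {
    running=$1
    newest=$(newest_installed_kernel "$2")
    [ -n "$newest" ] || return 2
    [ "$newest" != "$running" ]
}

# Stand-alone use on the live system: report, and optionally schedule a reboot.
main() {
    reboot_needed "$(uname -r)" /lib/modules
    case $? in
        0)
            echo "reboot pending: running $(uname -r), newest installed $(newest_installed_kernel /lib/modules)"
            # Enable on hosts where unattended reboots are acceptable:
            # shutdown -r +5 "kernel upgrade"
            ;;
        1) echo "running kernel is current" ;;
        *) echo "no kernels found under /lib/modules" >&2 ;;
    esac
}

main "$@"
```

Run it from cron after the upgrade job; the exit status of reboot_needed is what a wrapper would branch on.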

fsflover an hour ago

> Can we make the kernel vulns less important?

How about strong virtualization? https://qubes-os.org