Hi,
(Please Cc: any subsequent reply to the public tails-dev@??? ML.)
> The kernel: grsec kernel + pax should be a major priority.
We agree it would be great if Tails shipped with tools that make it
harder to practically exploit security issues. Both mandatory access
control systems (AppArmor, RBAC) and general kernel hardening patches
are such tools, and we are considering both.
Debian has started shipping AppArmor-enabled kernels recently, while
the grsec effort is far from having reached this goal; therefore, our
time being pretty limited, it seems likely we'll consider shipping
AppArmor MAC policies instead of RBAC policies or a kernel patched
with PaX.
This decision is far from being final yet; as you can see on our
roadmap, there are a few things we find more urgent to address first:
https://tails.boum.org/contribute/roadmap/
FYI our quick review of MAC systems from Tails PoV is there:
https://tails.boum.org/todo/Mandatory_Access_Control/
--
