SVN: rc-scripts/trunk/sysctl.conf
pluto
pluto at pld-linux.org
Tue Dec 2 01:08:40 CET 2008
Author: pluto
Date: Tue Dec 2 01:08:39 2008
New Revision: 10019
Modified:
rc-scripts/trunk/sysctl.conf
Log:
- describe kernel.randomize_va_space feature.
Modified: rc-scripts/trunk/sysctl.conf
==============================================================================
--- rc-scripts/trunk/sysctl.conf (original)
+++ rc-scripts/trunk/sysctl.conf Tue Dec 2 01:08:39 2008
@@ -186,18 +186,20 @@
#kernel.grsecurity.disable_modules = 0
#kernel.grsecurity.grsec_lock = 0
-#
-# Exec-Shield (kernel 2.6 only).
-#
-# Turn on randomization
-#kernel.exec-shield-randomize = 1
-#
-# exec-shield=0 - always-disabled
-# exec-shield=1 - default disabled, except binaries that enable it
-# exec-shield=2 - default enabled, except binaries that disable it
-# exec-shield=3 - always-enabled
-#
-#kernel.exec-shield = 2
+kernel.randomize_va_space = 2
+# 0 - Turn the process address space randomization off by default.
+# 1 - Conservative address space randomization makes the addresses of
+# mmap base and VDSO page randomized. This, among other things,
+# implies that shared libraries will be loaded to random addresses.
+# Also for PIE binaries, the location of code start is randomized.
+# 2 - This includes all the features that Conservative randomization
+# provides. In addition to that, also start of the brk area is randomized.
+# There a few legacy applications out there (such as some ancient
+# versions of libc.so.5 from 1996) that assume that brk area starts
+# just after the end of the code+bss. These applications break when
+# start of the brk area is randomized. There are however no known
+# non-legacy applications that would be broken this way, so for most
+# systems it is safe to choose Full randomization.
# for mplayer
#dev.rtc.max-user-freq = 1024
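Review bot: The explanatory block added after `kernel.randomize_va_space = 2` is copied wholesale from the kernel's sysctl documentation, including the typo `There a few legacy applications` (should read `There are a few legacy applications`), and it never says why this is the only entry in the hunk that is active while its neighbours (`#kernel.grsecurity.*`, `#dev.rtc.max-user-freq`) stay commented out as opt-in. If enforcing full randomization system-wide is the intent, a short header above the key would make that explicit and tell an administrator what to do when something breaks, e.g. `# Enforce full address-space randomization (ASLR) for every process.` followed by `# Drop to 1 only if a legacy application that depends on a fixed brk start fails.`. The removed exec-shield text placed its description above the setting; moving the value list above the key would match that layout and keep the active line from being visually buried in a comment block. The hunk's header counts suggest blank context lines were lost in this rendering, so the spacing around the new entry cannot be judged from here.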