[packages/kernel] - disable struct randomization, it's pointless for a distro kernel

Jan Rękorajski baggins at pld-linux.org
Wed Sep 6 09:36:57 CEST 2017


On Wed, 06 Sep 2017, Arkadiusz Miśkiewicz wrote:

> On Wednesday 06 of September 2017, Jan Rękorajski wrote:
> > On Wed, 06 Sep 2017, Arkadiusz Miśkiewicz wrote:
> > > On Tuesday 05 of September 2017, baggins wrote:
> > > > commit aa2cca690b9ce623e4dac08b9563584530a0a489
> > > > Author: Jan Rękorajski <baggins at pld-linux.org>
> > > > Date:   Tue Sep 5 23:52:49 2017 +0200
> > > > 
> > > >     - disable struct randomization, it's pointless for a distro kernel
> > > 
> > > Not pointless - exploit needs to match specific pld kernel directly and
> > > generic or other distro exploits won't work.
> > 
> > Which is very easy to accomplish, because you have to expose the random seed
> > used during the kernel build to be able to build external modules. 
> 
> Not for typical "attacker" or automated attacks.
> 
> > I'm not strongly opposed to the idea, but you need to make sure external
> > modules will build/work
> 
> Were there any problems already?

Right now I'm fighting with systemd failing to set up the encrypted rootfs in
the initramfs/boot process (something broke between 232 and 234).
So I can't test yet.

> > if you really want a slower and bigger kernel
> > for slight increase in security.
> 
> How bigger and slower? It only changes order of struct members AFAIK.

Enabling this feature will introduce some performance impact,
slightly increase memory usage, and prevent the use of forensic
tools like Volatility against the system (unless the kernel
source tree isn't cleaned after kernel installation).

-- 
Jan Rękorajski                    | PLD/Linux
SysAdm | baggins<at>pld-linux.org | http://www.pld-linux.org/
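The thread's core point is that GCC_PLUGIN_RANDSTRUCT shuffles struct member order at build time using a per-build seed, so any out-of-tree module must be compiled with the same seed or it will read kernel objects through the wrong layout. The following C program is an added example, not code from the PLD thread or from the kernel tree; it emulates two layouts of one constructed struct by hand (no gcc plugin involved) and shows that a "module" compiled against a different order reads garbage, while one built against the same order works. The struct, field names and values are all constructed for illustration.

```c
/* Added example: why a module must be built with the same struct layout
 * (i.e. the same randstruct seed) as the kernel it is loaded into.
 * Two hand-written orderings of one constructed struct stand in for the
 * layouts two different seeds would produce. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* "Kernel-side" layout: the member order one seed produced (constructed). */
struct task_k {
    uint32_t pid;
    uint32_t flags;
    char     comm[16];
};

/* "Module-side" layout: the same struct as seen by a module compiled with a
 * different seed, or with randomization switched off (constructed). */
struct task_m {
    char     comm[16];
    uint32_t flags;
    uint32_t pid;
};

/* The kernel fills in the object using its own layout. */
static void kernel_init_task(struct task_k *t, uint32_t pid, uint32_t flags,
                             const char *name)
{
    memset(t, 0, sizeof *t);
    t->pid = pid;
    t->flags = flags;
    strncpy(t->comm, name, sizeof t->comm - 1);
}

/* A module built with the SAME seed shares the kernel's layout. */
static uint32_t module_same_seed_read_pid(const void *obj)
{
    return ((const struct task_k *)obj)->pid;
}

/* A module built with a DIFFERENT seed interprets the same bytes through
 * its own layout and reads whatever happens to sit at "its" pid offset. */
static uint32_t module_other_seed_read_pid(const void *obj)
{
    return ((const struct task_m *)obj)->pid;
}

/* 1 when every member sits at the same offset in both layouts, 0 otherwise.
 * This is the compile-time check that sharing the seed makes pass. */
static int layouts_compatible(void)
{
    return offsetof(struct task_k, pid)   == offsetof(struct task_m, pid)
        && offsetof(struct task_k, flags) == offsetof(struct task_m, flags)
        && offsetof(struct task_k, comm)  == offsetof(struct task_m, comm);
}

int main(void)
{
    struct task_k t;
    kernel_init_task(&t, 4242, 0x1, "bash");
    printf("layouts compatible : %d\n", layouts_compatible());
    printf("same-seed module   : pid=%u\n", module_same_seed_read_pid(&t));
    printf("other-seed module  : pid=%u (garbage)\n",
           module_other_seed_read_pid(&t));
    return 0;
}
```

With "bash" as the name, the other-seed module reads the zero padding at the end of `comm` and reports pid 0; with a longer name it would report the tail of the name reinterpreted as an integer. Either way the mismatch is silent at compile time, which is exactly why a distro that ships RANDSTRUCT has to hand the seed to anyone building external modules, and why keeping that seed secret from someone who can read the installed build tree is not a strong assumption.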

