FS#41463 - [linux] enable CONFIG_RANDOMIZE_BASE
Attached to Project:
Arch Linux
Opened by Daniel Micay (thestinger) - Monday, 04 August 2014, 17:49 GMT
Last edited by Tobias Powalowski (tpowa) - Tuesday, 22 November 2016, 07:34 GMT
Opened by Daniel Micay (thestinger) - Monday, 04 August 2014, 17:49 GMT
Last edited by Tobias Powalowski (tpowa) - Tuesday, 22 November 2016, 07:34 GMT
|
Details
As of 3.16, it's now possible to enable
CONFIG_RANDOMIZE_BASE without disabling support for
hibernation. It's still incompatible with hibernation, so it
will be off by default and must be turned on by passing
`kaslr` on the kernel line. This isn't a big deal, because
user intervention is required anyway to enable
dmesg_restrict and kptr_restrict.
Note that while this is intended to become a somewhat useful exploit mitigation in the future, there are known address leaks in the vanilla kernel even with dmesg_restrict / kptr_restrict enabled. It's likely going to take some time to convince upstream maintainers to incorporate the necessary changes that are currently part of grsecurity's HIDESYM feature. Information leaks are also discovered quite frequently. It would still be nice to have the feature available for testing, even in this early state. |
This task depends upon
Closed by Tobias Powalowski (tpowa)
Tuesday, 22 November 2016, 07:34 GMT
Reason for closing: Won't implement
Tuesday, 22 November 2016, 07:34 GMT
Reason for closing: Won't implement
I think there is a need for good security among all users.
Personally I don't care much about kernel size, but do we really want this?