[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 5 May 2023 11:23:24 -0400
From: Paul Moore <paul@...l-moore.com>
To: David Hildenbrand <david@...hat.com>
Cc: Sam James <sam@...too.org>,
Michael McCracken <michael.mccracken@...il.com>,
linux-kernel@...r.kernel.org, serge@...lyn.com, tycho@...ho.pizza,
Luis Chamberlain <mcgrof@...nel.org>,
Kees Cook <keescook@...omium.org>,
Iurii Zaikin <yzaikin@...gle.com>,
Andrew Morton <akpm@...ux-foundation.org>,
linux-fsdevel@...r.kernel.org, linux-mm@...ck.org,
kernel-hardening@...ts.openwall.com
Subject: Re: [PATCH] sysctl: add config to make randomize_va_space RO
On Fri, May 5, 2023 at 11:15 AM David Hildenbrand <david@...hat.com> wrote:
> On 05.05.23 09:46, Sam James wrote:
> > David Hildenbrand <david@...hat.com> writes:
> >> On 04.05.23 23:30, Michael McCracken wrote:
> >>> Add config RO_RANDMAP_SYSCTL to set the mode of the randomize_va_space
> >>> sysctl to 0444 to disallow all runtime changes. This will prevent
> >>> accidental changing of this value by a root service.
> >>> The config is disabled by default to avoid surprises.
...
> If we really care, not sure what's better: maybe we want to disallow
> disabling it only in a security lockdown kernel?
If we're bringing up the idea of Lockdown, controlling access to
randomize_va_space is possible with the use of LSMs. One could easily
remove write access to randomize_va_space, even for tasks running as
root.
(On my Rawhide system with SELinux enabled)
% ls -Z /proc/sys/kernel/randomize_va_space
system_u:object_r:proc_security_t:s0 /proc/sys/kernel/randomize_va_space
--
paul-moore.com
Powered by blists - more mailing lists