Re: Fedora Kernel: Strict user copy checks: Disabled

On 22.07.2013 22:29, Paul Bolle wrote:
> On Wed, 2013-07-17 at 15:25 -0400, Dave Jones wrote:
>> On Tue, Jul 16, 2013 at 03:39:35PM +0200, Reindl Harald wrote:
>>  > Is there a strong performance-wise reason for
>>  > "Strict user copy checks: Disabled"? IMHO, if
>>  > something may make things more secure while not
>>  > having a dramatic performance impact, security,
>>  > when in doubt, should go first.
> 
> Are those the checks enabled by CONFIG_DEBUG_STRICT_USER_COPY_CHECKS? If
> so, they don't do anything on x86_64 (which Harald seems to be using),
> do they?

Honestly, I have no idea.

I started to use checksec / hardening-check to make
sure all of my network services are properly hardened,
saw the output below, and thought it no mistake to ask :-)

[root@srv-rhsoft:~]$ checksec --help
Usage: checksec [OPTION]

Options:

  --file <executable-file>
  --dir <directory> [-v]
  --proc <process name>
  --proc-all
  --proc-libs <process ID>
  --kernel
  --fortify-file <executable-file>
  --fortify-proc <process ID>
  --version
  --help

[root@srv-rhsoft:~]$ checksec --kernel
* Kernel protection information:

  Description - List the status of kernel protection mechanisms. Rather than
  inspect kernel mechanisms that may aid in the prevention of exploitation of
  userspace processes, this option lists the status of kernel configuration
  options that harden the kernel itself against attack.

  Kernel config: /boot/config-3.9.10-200.fc18.x86_64

  Warning: The config on disk may not represent running kernel config!

  GCC stack protector support:            Enabled
  Strict user copy checks:                Disabled
  Enforce read-only kernel data:          Enabled
  Restrict /dev/mem access:               Enabled
  Restrict /dev/kmem access:              Enabled

* grsecurity / PaX: No GRKERNSEC

  The grsecurity / PaX patchset is available here:
    http://grsecurity.net/

* Kernel Heap Hardening: No KERNHEAP

  The KERNHEAP hardening patchset is available here:
    https://www.subreption.com/kernheap/

_______________________________________________
kernel mailing list
kernel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/kernel
