|
From ba2ec52f170a8e69d6c44238bb578f9518a7e3b7 Mon Sep 17 00:00:00 2001 From: lanzheng <lanzheng@xxxxxxxxx> Date: Tue, 23 Feb 2021 22:49:34 -0500 Subject: [PATCH] This patch adds a kernel build config knob that disallows changes to the sysctl variable randomize_va_space.It makes harder for attacker to disable ASLR and reduces security risks.
Signed-off-by: lanzheng <lanzheng@xxxxxxxxx> Reviewed-by: Yongkui Han <yonhan@xxxxxxxxx> Tested-by: Nirmala Arumugam <niarumug@xxxxxxxxx> --- kernel/sysctl.c
| 4 ++++ security/Kconfig | 8 ++++++++ 2 files changed, 12 insertions(+) diff --git a/kernel/sysctl.c b/kernel/sysctl.c index c9fbdd848138..2aa9bc8044c7 100644 --- a/kernel/sysctl.c +++ b/kernel/sysctl.c @@ -2426,7 +2426,11 @@ static struct ctl_table kern_table[] = { .procname
= "randomize_va_space", .data
= &randomize_va_space, .maxlen
= sizeof(int), +#if defined(CONFIG_RANDOMIZE_VA_SPACE_READONLY) +
.mode
= 0444, +#else .mode
= 0644, +#endif .proc_handler
= proc_dointvec, }, #endif diff --git a/security/Kconfig b/security/Kconfig index 7561f6f99f1d..18b9dff4648c 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -7,6 +7,14 @@ menu "Security options" source "security/keys/Kconfig" +config RANDOMIZE_VA_SPACE_READONLY +
bool "Disallow change of randomize_va_space" +
default y +
help +
If you say Y here, /proc/sys/kernel/randomize_va_space can not +
be changed by any user, including root, this will help prevent +
disablement of ASLR. + config SECURITY_DMESG_RESTRICT bool "Restrict unprivileged access to the kernel syslog" default n -- |
