Add config RO_RANDMAP_SYSCTL to set the mode of the randomize_va_space sysctl to 0444 to disallow all runtime changes. This will prevent accidental changing of this value by a root service. The config is disabled by default to avoid surprises.

Signed-off-by: Michael McCracken <michael.mccracken@xxxxxxxxx>
---
 kernel/sysctl.c | 4 ++++
 mm/Kconfig | 7 +++++++
 2 files changed, 11 insertions(+)

diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index bfe53e835524..c5aafb734abe 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -1913,7 +1913,11 @@ static struct ctl_table kern_table[] = {
 		.procname	= "randomize_va_space",
 		.data		= &randomize_va_space,
 		.maxlen		= sizeof(int),
+#if defined(CONFIG_RO_RANDMAP_SYSCTL)
+		.mode		= 0444,
+#else
 		.mode		= 0644,
+#endif
 		.proc_handler	= proc_dointvec,
 	},
 #endif
diff --git a/mm/Kconfig b/mm/Kconfig
index 7672a22647b4..91a4a86d70e0 100644
--- a/mm/Kconfig
+++ b/mm/Kconfig
@@ -1206,6 +1206,13 @@ config PER_VMA_LOCK
 	  This feature allows locking each virtual memory area separately when
 	  handling page faults instead of taking mmap_lock.
 
+config RO_RANDMAP_SYSCTL
+	bool "Make randomize_va_space sysctl 0444"
+	depends on MMU
+	default n
+	help
+	  Set file mode of /proc/sys/kernel/randomize_va_space to 0444 to disallow runtime changes in ASLR.
+
 source "mm/damon/Kconfig"
 
 endmenu
-- 
2.37.1 (Apple Git-137.1)
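Review bot: The `#if defined(CONFIG_RO_RANDMAP_SYSCTL)` / `#else` / `#endif` around `.mode` puts a preprocessor conditional in the middle of a single kern_table initializer; the kernel idiom for a Kconfig bool is `IS_ENABLED()`, which keeps the entry on one line and compiles both arms regardless of the config so the option cannot silently bit-rot: `.mode = IS_ENABLED(CONFIG_RO_RANDMAP_SYSCTL) ? 0444 : 0644,`. Whichever form is kept, a short comment stating the intent from the commit message would help the next reader, because a bare 0444 on a sysctl entry reads like an ordinary permission tweak rather than a deliberate guard: `/* 0444 guards against accidental runtime writes by privileged services (CONFIG_RO_RANDMAP_SYSCTL) */`. The entry's opening brace and the `#ifdef` matched by the trailing `#endif` context line are outside the hunk.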
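Review bot: The help text is one line well past the 80-column Kconfig convention and it overstates the effect: 0444 makes /proc/sys/kernel/randomize_va_space read-only through the sysctl interface (as far as I can tell the proc sysctl permission check applies the mode bits to root as well), but it does not change the value the kernel boots with or other documented ways of selecting the ASLR level, so "disallow runtime changes in ASLR" should be narrowed to the sysctl file. I would wrap the help text and state, as the commit message does, that this is a guard against accidental writes by privileged services rather than a security boundary. `default n` is already the implicit default for a bool and can be dropped. The `#endif` context line closing the entry in kernel/sysctl.c suggests the sysctl itself is conditional (presumably on CONFIG_MMU), which is the rationale for `depends on MMU` and is worth a sentence in the help.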