On Fri, May 5, 2023 at 11:15 AM David Hildenbrand <david@xxxxxxxxxx> wrote: > On 05.05.23 09:46, Sam James wrote: > > David Hildenbrand <david@xxxxxxxxxx> writes: > >> On 04.05.23 23:30, Michael McCracken wrote: > >>> Add config RO_RANDMAP_SYSCTL to set the mode of the randomize_va_space > >>> sysctl to 0444 to disallow all runtime changes. This will prevent > >>> accidental changing of this value by a root service. > >>> The config is disabled by default to avoid surprises. ... > If we really care, not sure what's better: maybe we want to disallow > disabling it only in a security lockdown kernel? If we're bringing up the idea of Lockdown, controlling access to randomize_va_space is possible with the use of LSMs. One could easily remove write access to randomize_va_space, even for tasks running as root. (On my Rawhide system with SELinux enabled) % ls -Z /proc/sys/kernel/randomize_va_space system_u:object_r:proc_security_t:s0 /proc/sys/kernel/randomize_va_space -- paul-moore.com