On Fri, Dec 13, 2019 at 10:40:54AM -0500, Stephen Smalley wrote:
> See $(subject). If yes, there are some obvious candidates among the SELinux
> data structures for randomized layouts to avoid fixed locations for
> enforcing, initialized, etc. If not, then no point in pursuing it. Doesn't
> look like Fedora enables it, probably because they'd have to publish the
> random seeds anyway for third party kernel modules. But maybe it would be
> useful for some distros/users? ChromeOS? Android?

It is used by "in-house" kernel builders who optimize for high security above
all other things (I've talked to a few of them over the years when finding out
what defenses they've wanted). I've also seen Huawei Android patches that seem
to indicate they're using it as well, but I haven't been able to determine if
any released devices are shipping with it enabled.

I've also had several people ask after the Clang randstruct port, which is
ongoing[1] by a couple people (added to CC).

I think it would be very handy to add some more markings to sensitive data
structures. Please send patches!

-Kees

[1] https://reviews.llvm.org/D59254
    https://github.com/da-x/llvm-project/commits/clang-r365631c-randstruct
    https://github.com/da-x/linux/commits/android-4.19-randstruct
    https://github.com/connorkuehl/llvm-project/commits/randstruct
    https://github.com/connorkuehl/llvm-project/pull/21

-- 
Kees Cook