On Wed, 06 Sep 2017, Arkadiusz Miśkiewicz wrote:
> On Wednesday 06 of September 2017, Jan Rękorajski wrote:
> > On Wed, 06 Sep 2017, Arkadiusz Miśkiewicz wrote:
> > > On Tuesday 05 of September 2017, baggins wrote:
> > > > commit aa2cca690b9ce623e4dac08b9563584530a0a489
> > > > Author: Jan Rękorajski <[email protected]>
> > > > Date:   Tue Sep 5 23:52:49 2017 +0200
> > > >
> > > > - disable struct randomization, it's pointless for a distro kernel
> > >
> > > Not pointless - exploit needs to match specific pld kernel directly and
> > > generic or other distro exploits won't work.
> >
> > Which is very easy to accomplish, because you have to expose the random seed
> > used during kernel build to be able to build external modules.
>
> Not for typical "attacker" or automated attacks.
>
> > I'm not strongly opposed to the idea, but you need to make sure external
> > modules will build/work
>
> Were there any problems already?

Right now I'm fighting with systemd failing to set up the encrypted rootfs in
the initramfs/boot process (something broke between 232 and 234). So I can't
test yet.

> > if you really want a slower and bigger kernel
> > for slight increase in security.
>
> How much bigger and slower? It only changes the order of struct members AFAIK.

Enabling this feature will introduce some performance impact, slightly
increase memory usage, and prevent the use of forensic tools like
Volatility against the system (unless the kernel source tree isn't
cleaned after kernel installation).

-- 
Jan Rękorajski            | PLD/Linux SysAdm | baggins<at>pld-linux.org
http://www.pld-linux.org/
_______________________________________________
pld-devel-en mailing list
[email protected]
http://lists.pld-linux.org/mailman/listinfo/pld-devel-en
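The thread turns on one mechanism: struct layout randomization reorders the members of kernel structures at build time, so any code compiled against a different layout (an out-of-tree module built without the same seed, or a binary written for another distro's kernel) reads the wrong bytes. The following C program is an added illustration of that effect and is not code from the thread, from PLD, or from the kernel. The two `task_info_*` structs and their member values are constructed for the example and stand in for a real kernel struct before and after reordering; `layouts_match()` shows the kind of offset comparison a build could use to detect a mismatch before loading anything.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Two layouts of the same hypothetical structure (constructed for this
 * example; not a real kernel struct). Layout A is the order written in the
 * header; layout B is what a build with struct randomization might produce
 * after reordering the members. Both are 16 bytes with 8-byte alignment.
 */
struct task_info_a {          /* layout a stale external module was built against */
    uint32_t pid;
    uint32_t uid;
    uint64_t flags;
};

struct task_info_b {          /* layout the running kernel actually uses */
    uint64_t flags;
    uint32_t uid;
    uint32_t pid;
};

/* The running kernel (layout B) fills in an object. Values are constructed. */
static void kernel_fill(struct task_info_b *t)
{
    memset(t, 0, sizeof *t);
    t->pid   = 1234;
    t->uid   = 1000;
    t->flags = 0x10;
}

/* A module built with the same seed (layout B) reads the object correctly. */
uint32_t pid_seen_by_matching_module(void)
{
    struct task_info_b obj;
    kernel_fill(&obj);
    return obj.pid;                     /* 1234 */
}

/* A module built against layout A reads the same bytes through the wrong
 * definition: the first four bytes, which in layout B belong to `flags`,
 * are taken as the pid. The memcpy keeps the reinterpretation well-defined. */
uint32_t pid_seen_by_stale_module(void)
{
    struct task_info_b obj;
    struct task_info_a view;
    kernel_fill(&obj);
    memcpy(&view, &obj, sizeof view);
    return view.pid;                    /* not 1234 */
}

/* Offset check a build step could run against the kernel's own headers:
 * the two definitions agree only if every member sits at the same offset. */
int layouts_match(void)
{
    return offsetof(struct task_info_a, pid)   == offsetof(struct task_info_b, pid)
        && offsetof(struct task_info_a, uid)   == offsetof(struct task_info_b, uid)
        && offsetof(struct task_info_a, flags) == offsetof(struct task_info_b, flags);
}

int main(void)
{
    printf("matching module sees pid %u\n", pid_seen_by_matching_module());
    printf("stale module sees pid    %u\n", pid_seen_by_stale_module());
    printf("layouts match: %s\n", layouts_match() ? "yes" : "no");
    return 0;
}
```

This is why both sides of the thread are right about the trade-off: a mismatched layout silently corrupts reads, which is what makes generic exploits fail, and it is also exactly what breaks an external module unless it is built from the same tree with the same seed, which in turn means the seed must be shipped (or the tree left uncleaned) for third-party modules to work at all.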
