Maxime Villard writes: > Hi, > Here is a patch [1] that hides the addresses of the kernel modules when > 'modstat -k' is entered by an unprivileged user. The current behavior is > preserved for root. > > The addresses currently leaked cannot be used to reconstruct the layout of > the kernel, since the module VAs are embedded in bootspace.boot, whose > location > is independent from that of each of the remaining kernel segments. > > But it's still good not to leak such information, to limit the surface for ROP > and a few other things, and this, also in the non-kaslr case. Ok? > > [1] http://m00nbsd.net/garbage/module/modstat.diff
seems reasonable and needed with kaslr. i wonder if this is something that should be hidden if security.curtain is set, or something else with a higher hardening mode than normal, rather than generally, or on systems without kaslr. a higher hardened mode should hide them from root too, i guess. .mrg.
