git.ipfire.org Git - people/pmueller/ipfire-2.x.git/commit

author	Peter Müller <peter.mueller@ipfire.org>
	Mon, 1 Aug 2022 17:18:07 +0000 (17:18 +0000)
committer	Peter Müller <peter.mueller@ipfire.org>
	Wed, 3 Aug 2022 10:59:03 +0000 (10:59 +0000)
commit	4c46e7f8180d75fe176c6e00bceaa1fccb0c4e97
tree	51e21297a42cab0ac87aae5875335022cb7c76e4	tree \| snapshot
parent	56256e6d2be81ec7cdc8c4b69d6bf05855860e13	commit \| diff

linux: Randomize layout of sensitive kernel structures

To quote from the kernel documentation:

> If you say Y here, the layouts of structures that are entirely
> function pointers (and have not been manually annotated with
> __no_randomize_layout), or structures that have been explicitly
> marked with __randomize_layout, will be randomized at compile-time.
> This can introduce the requirement of an additional information
> exposure vulnerability for exploits targeting these structure
> types.
>
> Enabling this feature will introduce some performance impact,
> slightly increase memory usage, and prevent the use of forensic
> tools like Volatility against the system (unless the kernel
> source tree isn't cleaned after kernel installation).
>
> The seed used for compilation is located at
> scripts/gcc-plgins/randomize_layout_seed.h. It remains after
> a make clean to allow for external modules to be compiled with
> the existing seed and will be removed by a make mrproper or
> make distclean.
>
> Note that the implementation requires gcc 4.7 or newer.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>

config/kernel/kernel.config.x86_64-ipfire		diff \| blob \| blame \| history
config/rootfiles/common/armv6l/linux		diff \| blob \| blame \| history
config/rootfiles/common/x86_64/linux		diff \| blob \| blame \| history