Re: [RFC][PATCH] Randomize kernel base address on boot

From: Ingo Molnar
Date: Fri May 27 2011 - 05:39:14 EST



* Vivek Goyal <vgoyal@xxxxxxxxxx> wrote:

> > Is it common to run kexec-tools as non-root? It may be necessary
> > to restrict this interface to root when randomization is used
> > (keep in mind nobody's going to force you to turn this on by
> > default, at least for the foreseeable future).
>
> kexec-tools runs as root. And I see that /proc/iomem permissions
> are also for root only. So it probably is a non-issue.

it might be an issue to keep in mind for later projects that try to
lock down root itself from being able to patch the kernel (other than
rebooting the box), using signed modules, disabled direct-ioport
access, and other hardened facilities.

Thanks,

Ingo
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/