Re: [RFC][PATCH] Randomize kernel base address on boot
From: Vivek Goyal
Date: Fri May 27 2011 - 09:08:48 EST
On Fri, May 27, 2011 at 11:38:53AM +0200, Ingo Molnar wrote:
>
> * Vivek Goyal <vgoyal@xxxxxxxxxx> wrote:
>
> > > Is it common to run kexec-tools as non-root? It may be necessary
> > > to restrict this interface to root when randomization is used
> > > (keep in mind nobody's going to force you to turn this on by
> > > default, at least for the foreseeable future).
> >
> > kexec-tools runs as root. And I see that /proc/iomem permissions
> > are also for root only. So it probably is a non-issue.
>
> it might be an issue to keep in mind for later projects that try to
> lock down root itself from being able to patch the kernel (other than
> rebooting the box), using signed modules, disabled direct-ioport
> access, and other hardened facilities.
For such environments, Eric Paris had posted a patch to be able to
disable loading of kexec/kdump kernel, similar to disabling module loading.
https://lkml.org/lkml/2011/1/19/412
I don't see that in Linus's tree. So looks like it never got committed.
Thanks
Vivek
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/