Re: [RFC][PATCH] Randomize kernel base address on boot
From: Ingo Molnar
Date: Fri May 27 2011 - 09:38:26 EST
* Vivek Goyal <vgoyal@xxxxxxxxxx> wrote:
> On Fri, May 27, 2011 at 11:38:53AM +0200, Ingo Molnar wrote:
> >
> > * Vivek Goyal <vgoyal@xxxxxxxxxx> wrote:
> >
> > > > Is it common to run kexec-tools as non-root? It may be necessary
> > > > to restrict this interface to root when randomization is used
> > > > (keep in mind nobody's going to force you to turn this on by
> > > > default, at least for the foreseeable future).
> > >
> > > kexec-tools runs as root. And I see that /proc/iomem permissions
> > > are also for root only. So it probably is a non-issue.
> >
> > it might be an issue to keep in mind for later projects that try to
> > lock down root itself from being able to patch the kernel (other than
> > rebooting the box), using signed modules, disabled direct-ioport
> > access, and other hardened facilities.
>
> For such environments, Eric Paris had posted a patch to be able to
> disable loading of kexec/kdump kernel, similar to disabling module
> loading.
>
> https://lkml.org/lkml/2011/1/19/412
>
> I don't see that in Linus's tree. So looks like it never got
> committed.
That patch looks sane enough. Ping akpm about it please?
Thanks,
Ingo
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/