Minimal supplement to upstream Kernel Self Protection Project changes. Features already provided by SELinux + Yama and archs other than multiarch arm64 / x86_64 aren't in scope. Only tags have stable history. Shared IRC channel with KSPP: irc.libera.chat #linux-hardening
change for bounding mmap range is likely not required anymore #81
No longer seems required to prevent randomization from breaking by forcing exhaustion of the address space and then targeting a known address based on the lower bound. More testing / research required. I don't have time to spare for x86_64 though. I think it's fairly likely that stack gap changes are responsible for making it no longer required. It would be good to figure out what's happening via /proc/self/maps.
https://github.com/anthraxx/linux-hardened/commit/6cf94a91337558f3fcaaf9cc04815b156051b0a7
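The issue suggests looking at /proc/self/maps to see where the mmap area sits relative to the stack. The following script is an added example, not code from the linux-hardened project or the issue author: it parses the maps format, locates the heap, the mmap area and the stack, and reports the lower bound of the mmap area and the gap between its highest mapping and the stack. The embedded sample is constructed, the "everything above the heap that is not a kernel special mapping" rule for identifying the mmap area is a heuristic of this example, and the layout it produces is only illustrative of the generic x86_64 top-down layout.

```python
import os
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed /proc/self/maps excerpt for offline use (not captured from a real process).
SAMPLE_MAPS = """\
55d4c2a00000-55d4c2a02000 r--p 00000000 08:01 1234   /usr/bin/cat
55d4c2a02000-55d4c2a07000 r-xp 00002000 08:01 1234   /usr/bin/cat
55d4c3f1e000-55d4c3f3f000 rw-p 00000000 00:00 0      [heap]
7f3a8c000000-7f3a8c021000 rw-p 00000000 00:00 0
7f3a8c200000-7f3a8c3c3000 r-xp 00000000 08:01 5678   /usr/lib/libc.so.6
7f3a8c3c3000-7f3a8c3c9000 rw-p 00000000 00:00 0
7ffd1a2b0000-7ffd1a2d1000 rw-p 00000000 00:00 0      [stack]
7ffd1a3f0000-7ffd1a3f4000 r--p 00000000 00:00 0      [vvar]
7ffd1a3f4000-7ffd1a3f6000 r-xp 00000000 00:00 0      [vdso]
"""

# One maps line: start-end perms offset dev inode [path]
LINE_RE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+[0-9a-f]+\s+\S+\s+\d+\s*(.*)$"
)

# Kernel-provided mappings that are not part of the mmap area.
SPECIAL = {"[heap]", "[stack]", "[vvar]", "[vdso]", "[vsyscall]"}


@dataclass
class Mapping:
    start: int
    end: int
    perms: str
    path: str


def parse_maps(text: str) -> List[Mapping]:
    """Parse /proc/<pid>/maps text into Mapping records; malformed lines are skipped."""
    mappings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            mappings.append(
                Mapping(int(m.group(1), 16), int(m.group(2), 16), m.group(3), m.group(4).strip())
            )
    return mappings


def summarize(mappings: List[Mapping]) -> Dict[str, int]:
    """Report heap end, mmap-area bounds, stack base and the mmap-to-stack gap (bytes)."""
    heap = [m for m in mappings if m.path == "[heap]"]
    stack = [m for m in mappings if m.path == "[stack]"]
    if not heap or not stack:
        raise ValueError("expected [heap] and [stack] entries in the maps input")
    heap_end = max(m.end for m in heap)
    stack_low = min(m.start for m in stack)
    # Heuristic (this example's assumption): the mmap area is every mapping
    # above the heap that is not a kernel special mapping.
    mmap_area = [m for m in mappings if m.start >= heap_end and m.path not in SPECIAL]
    if not mmap_area:
        raise ValueError("no mmap-area mappings found above the heap")
    mmap_low = min(m.start for m in mmap_area)
    mmap_high = max(m.end for m in mmap_area)
    return {
        "heap_end": heap_end,
        "mmap_low": mmap_low,        # lower bound of the mmap area
        "mmap_high": mmap_high,      # highest mmap-area address
        "stack_low": stack_low,      # lowest stack address
        "gap_to_stack": stack_low - mmap_high,
    }


def format_summary(s: Dict[str, int]) -> str:
    return "\n".join(f"{k:13s} 0x{v:016x} ({v} bytes)" if k == "gap_to_stack"
                     else f"{k:13s} 0x{v:016x}" for k, v in s.items())


def live_summary() -> Dict[str, int]:
    """Summarize the current process's own layout (Linux only)."""
    with open("/proc/self/maps") as f:
        return summarize(parse_maps(f.read()))


if __name__ == "__main__":
    if os.path.exists("/proc/self/maps"):
        print(format_summary(live_summary()))
    else:
        print(format_summary(summarize(parse_maps(SAMPLE_MAPS))))
```

Running it a few times on a live system and comparing `mmap_low` and `gap_to_stack` between runs shows how much of the layout is randomized and how large the stack gap is, which is the information the issue asks for before deciding whether the mmap bounding change can be dropped.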