On Mon, 2016-02-15 at 13:25 +0100, Yves-Alexis Perez wrote:
> > 2) It prevents users from rebuilding kernel modules as the
> > source packaged is distributed "cleaned".
>
> I fail to parse this. Did you try DKMS modules with RANDKSTRUCT=n and
> did it work?

It won't work as long as the packaged binary (my running kernel) has it enabled. I'd need to rebuild both the package and the module with it disabled to try it out... and I haven't tried it yet.

> Because I sure didn't do anything to support external modules, so
> I'd be surprised if that worked, RANDKSTRUCT or not.

You're right; I should focus on documenting what doesn't work rather than guessing. I should have filed two bugs:

1) the binary package shouldn't have it enabled because it's useless security-wise, does incur runtime cost and obviously breaks stuff (see 2) (https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options#Randomize_layout_of_sensitive_kernel_structures).

2) with the binary package, DKMS-built modules (but I suspect that it stands true for all modules) won't insert into the running kernel. This needs fixing, one way or another.

Do you want me to do the bug-filing/renaming or can you do it?

Florent