On Mon, 2016-02-15 at 13:56 +0100, Florent Daigniere wrote:
> > I fail to parse this. Did you try DKMS modules with RANDKSTRUCT=n and
> > did it work?
> 
> It won't work as long as the packaged binary (my running kernel) has it
> enabled. I'd need to rebuild both the package and the module with it
> disabled to try it out... and I haven't tried it yet.

That's what I was asking. Please try and report back.
> 
> >  Because I sure didn't do anything to support external modules, so
> > I'd be surprised if that worked, RANDKSTRUCT or not.
> 
> You're right; I should focus on documenting what doesn't work rather
> than guessing. I should have filed two bugs:
> 
> 1) the binary package shouldn't have it enabled because it's useless
> security wise, does incur runtime cost and obviously breaks stuff (see
> 2) (https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options#Randomize_layout_of_sensitive_kernel_structures).

I disagree here; see my previous mail.
> 
> 2) with the binary package, DKMS-built modules (but I suspect that it
> stands true for all modules) won't insert into the running kernel. This
> needs fixing, one way or another.

That's not different from the previous point I think.
> 
> Do you want me to do the bug-filing/renaming or can you do it?

I don't know what you mean, so I won't do it. But in case I wasn't clear
either:

- randkstruct is enabled on purpose
- external modules are currently not supported (mainly because I don't use
them so I didn't investigate); this is not directly related to randkstruct,
although it's definitely part of the issue.

If you're interested in having external modules supported, then please provide
patches against the current git, and document what you find.

Regards,
-- 
Yves-Alexis
