Source: linux-grsec
Severity: important

GRKERNSEC_RANDSTRUCT shouldn't be enabled on binary distro packages.

1) It's compile-time randomization, making it useless security-wise
 (the attacker can fetch the binary from a mirror too!).

2) It prevents users from rebuilding kernel modules as the
 source package is distributed "cleaned".


On my systems, it prevents DKMS from working altogether.

# modprobe vboxdrv
[ 3841.583856] : version magic '4.3.0-1-grsec-amd64 SMP mod_unload
modversions KERNEXEC_BTS UDEREF REFCOUNT GRSEC ' should be '4.3.0-1-
grsec-amd64 SMP mod_unload modversions KERNEXEC_BTS UDEREF REFCOUNT
CONSTIFY_PLUGIN STACKLEAK_PLUGIN GRSEC
RANDSTRUCT_PLUGIN_643b63e2ae54ebcf23cb3cb1ea94ff2584bab4387b91fadf06a1b
7fd2f2ad003'

Please disable GRKERNSEC_RANDSTRUCT.

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.3.0-1-grsec-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

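Added example, not part of the original report: a small Python parser for the "version magic ... should be ..." kernel log line, listing which build tokens the rejected module lacks. The sample line is the one quoted in the report with the e-mail line wrapping undone (an assumption about where the wraps fall); the function and key names are illustrative.

```python
import re

# Kernel log line from the report, e-mail line wraps rejoined (assumption:
# the wraps fall inside the release string and the RANDSTRUCT hex value).
SAMPLE = (
    "[ 3841.583856] : version magic '4.3.0-1-grsec-amd64 SMP mod_unload "
    "modversions KERNEXEC_BTS UDEREF REFCOUNT GRSEC ' should be "
    "'4.3.0-1-grsec-amd64 SMP mod_unload modversions KERNEXEC_BTS UDEREF "
    "REFCOUNT CONSTIFY_PLUGIN STACKLEAK_PLUGIN GRSEC "
    "RANDSTRUCT_PLUGIN_643b63e2ae54ebcf23cb3cb1ea94ff2584bab4387b91fadf06a1b"
    "7fd2f2ad003'"
)

VERMAGIC_RE = re.compile(r"version magic '([^']*)' should be '([^']*)'")
RANDSTRUCT_RE = re.compile(r"RANDSTRUCT_PLUGIN_([0-9a-f]+)$")


def diff_vermagic(log_line):
    """Compare the module's vermagic with the one the running kernel expects."""
    m = VERMAGIC_RE.search(log_line)
    if m is None:
        raise ValueError("not a vermagic mismatch line")
    module, kernel = (s.split() for s in m.groups())
    # The first token is the kernel release; the rest are build flags.
    report = {
        "release_matches": module[:1] == kernel[:1],
        "missing_in_module": [t for t in kernel[1:] if t not in module[1:]],
        "extra_in_module": [t for t in module[1:] if t not in kernel[1:]],
        "randstruct_id": None,  # hex value appended to RANDSTRUCT_PLUGIN_
    }
    for tok in kernel:
        hit = RANDSTRUCT_RE.match(tok)
        if hit:
            report["randstruct_id"] = hit.group(1)
    return report


if __name__ == "__main__":
    r = diff_vermagic(SAMPLE)
    print("release matches:", r["release_matches"])
    print("tokens the module build lacks:", ", ".join(r["missing_in_module"]))
    if r["randstruct_id"]:
        print("kernel expects a RANDSTRUCT-tagged module:", r["randstruct_id"])
```

On the line from the report, the release strings agree and the only differences are the three plugin tokens, including the RANDSTRUCT one, absent from the locally built module.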