Author: pluto
Date: Tue Dec 2 01:08:39 2008
New Revision: 10019

Modified: rc-scripts/trunk/sysctl.conf

Log:
- describe kernel.randomize_va_space feature.
Modified: rc-scripts/trunk/sysctl.conf ============================================================================== --- rc-scripts/trunk/sysctl.conf (original) +++ rc-scripts/trunk/sysctl.conf Tue Dec 2 01:08:39 2008 @@ -186,18 +186,20 @@ #kernel.grsecurity.disable_modules = 0 #kernel.grsecurity.grsec_lock = 0 -# -# Exec-Shield (kernel 2.6 only). -# -# Turn on randomization -#kernel.exec-shield-randomize = 1 -# -# exec-shield=0 - always-disabled -# exec-shield=1 - default disabled, except binaries that enable it -# exec-shield=2 - default enabled, except binaries that disable it -# exec-shield=3 - always-enabled -# -#kernel.exec-shield = 2 +kernel.randomize_va_space = 2 +# 0 - Turn the process address space randomization off by default. +# 1 - Conservative address space randomization makes the addresses of +# mmap base and VDSO page randomized. This, among other things, +# implies that shared libraries will be loaded to random addresses. +# Also for PIE binaries, the location of code start is randomized. +# 2 - This includes all the features that Conservative randomization +# provides. In addition to that, also start of the brk area is randomized. +# There a few legacy applications out there (such as some ancient +# versions of libc.so.5 from 1996) that assume that brk area starts +# just after the end of the code+bss. These applications break when +# start of the brk area is randomized. There are however no known +# non-legacy applications that would be broken this way, so for most +# systems it is safe to choose Full randomization. # for mplayer #dev.rtc.max-user-freq = 1024 _______________________________________________ pld-cvs-commit mailing list [email protected] http://lists.pld-linux.org/mailman/listinfo/pld-cvs-commit
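Review bot: the added `kernel.randomize_va_space = 2` line is active (no leading `#`), whereas every neighbouring entry in this block (`#kernel.grsecurity.grsec_lock = 0`, the removed `#kernel.exec-shield = 2`, `#dev.rtc.max-user-freq = 1024`) is a commented-out default, so this hunk changes boot-time behaviour by enforcing full randomization rather than only documenting it, which the log message "describe kernel.randomize_va_space feature" does not say; either comment the key out to match the file's convention or state in the log that the setting is now applied. Two smaller points in the same hunk: the explanatory comment is placed after the value, while the rest of the file (for example "# Turn on randomization" above "#kernel.exec-shield-randomize = 1") puts the description before the key it describes, and the comment text "There a few legacy applications out there" is missing a word and should read "There are a few legacy applications out there".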
