Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 5 May 2023 11:23:24 -0400
From: Paul Moore <>
To: David Hildenbrand <>
Cc: Sam James <>, Michael McCracken <>,,,, 
	Luis Chamberlain <>, Kees Cook <>, 
	Iurii Zaikin <>, Andrew Morton <>,,,
Subject: Re: [PATCH] sysctl: add config to make randomize_va_space RO

On Fri, May 5, 2023 at 11:15 AM David Hildenbrand <> wrote:
> On 05.05.23 09:46, Sam James wrote:
> > David Hildenbrand <> writes:
> >> On 04.05.23 23:30, Michael McCracken wrote:
> >>> Add config RO_RANDMAP_SYSCTL to set the mode of the randomize_va_space
> >>> sysctl to 0444 to disallow all runtime changes. This will prevent
> >>> accidental changing of this value by a root service.
> >>> The config is disabled by default to avoid surprises.


> If we really care, not sure what's better: maybe we want to disallow
> disabling it only in a security lockdown kernel?

If we're bringing up the idea of Lockdown, controlling access to
randomize_va_space is possible with the use of LSMs.  One could easily
remove write access to randomize_va_space, even for tasks running as

(On my Rawhide system with SELinux enabled)
% ls -Z /proc/sys/kernel/randomize_va_space
system_u:object_r:proc_security_t:s0 /proc/sys/kernel/randomize_va_space


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.