CONFIG_DEBUG_RODATA

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

Post by blackelf » Thu Dec 21, 2006 7:31 pm

There is now a kernel option in kernel hacking that protects some parts of the kernel,
making it read-only - CONFIG_DEBUG_RODATA

What is the relation of that function to the protection provided by grsecurity (KEXEC?)
Should I turn it on (to have even more extra protection for the cost of a small performance impact)?
Must it be turned off since it's conflicting?
Or is it the same thing?
blackelf
 
Posts: 1
Joined: Wed Dec 20, 2006 10:08 pm

Re: CONFIG_DEBUG_RODATA

Post by PaX Team » Fri Dec 22, 2006 5:52 am

blackelf wrote: There is now a kernel option in kernel hacking that protects some parts of the kernel,
making it read-only - CONFIG_DEBUG_RODATA

What is the relation of that function to the protection provided by grsecurity (KEXEC?)
Should I turn it on (to have even more extra protection for the cost of a small performance impact)?
Must it be turned off since it's conflicting?
Or is it the same thing?

RODATA is a (small) subset of KERNEXEC, and due to implementation details, they're mutually exclusive (the .config system enforces it). basically, RODATA is a step towards more robustness, not security, whereas KERNEXEC is explicitly security oriented and it happens to enforce read-only kernel pages among others.
PaX Team
 
Posts: 2310
Joined: Mon Mar 18, 2002 4:35 pm

Post by Dr_Napalm » Tue Dec 26, 2006 7:52 pm

Today I had a problem with grsecurity-2.1.9-2.6.19.1-200612121859.patch on 2.6.19.1-vanilla

I had CONFIG_DEBUG_RODATA set from an old config and the config-system did not unset it!

The compile went ok but upon boot I got a crash in "rwsem.c" on line 20!

(I tried FC6 and RH4 with latest patches)

Some bug in the config-logic or rathead-tools maybe?
Dr_Napalm
 
Posts: 14
Joined: Tue Sep 02, 2003 3:44 am
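
A pre-build check for the situation described in the posts above, where CONFIG_DEBUG_RODATA=y carried over from an old config ends up enabled alongside KERNEXEC. This is an added example, not part of the original thread and not grsecurity code; it assumes KERNEXEC's Kconfig symbol is CONFIG_PAX_KERNEXEC, and the function names and the sample .config are constructed for illustration.

```shell
#!/bin/sh
# Print the state of one Kconfig symbol in a .config file.
# $1 = path to .config, $2 = symbol name without the CONFIG_ prefix.
# Output: y, m, a literal value, or n (explicitly "not set" or absent).
# If the symbol appears more than once, the last line seen is reported.
kconfig_state() {
    awk -v sym="CONFIG_$2" '
        $0 == "# " sym " is not set" { state = "n" }
        index($0, sym "=") == 1      { state = substr($0, length(sym) + 2) }
        END { print (state == "" ? "n" : state) }
    ' "$1"
}

# Return 1 if the two mutually exclusive options are both enabled.
# CONFIG_PAX_KERNEXEC is assumed to be the symbol behind KERNEXEC.
check_rodata_kernexec() {
    rodata=$(kconfig_state "$1" DEBUG_RODATA)
    kernexec=$(kconfig_state "$1" PAX_KERNEXEC)
    if [ "$rodata" = y ] && [ "$kernexec" = y ]; then
        echo "conflict in $1: DEBUG_RODATA and PAX_KERNEXEC are both =y" >&2
        return 1
    fi
    echo "ok: DEBUG_RODATA=$rodata PAX_KERNEXEC=$kernexec"
}

# Constructed sample: a stale .config with both options switched on.
sample=$(mktemp)
cat > "$sample" <<'EOF'
CONFIG_DEBUG_KERNEL=y
CONFIG_DEBUG_RODATA=y
# CONFIG_DEBUG_RODATA_TEST is not set
CONFIG_PAX_KERNEXEC=y
EOF

check_rodata_kernexec "$sample" || echo "do not build from this .config as is"
rm -f "$sample"
```

Point `check_rodata_kernexec` at the real `.config` in the kernel source tree after applying the patch and before starting the build.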

