use of GRKERNSEC_HIDESYM in an rpm

Discuss usability issues, general maintenance, and general support issues for a grsecurity-enabled system.

use of GRKERNSEC_HIDESYM in an rpm

Postby cormander » Wed Apr 09, 2008 5:58 pm

Hello,

I was reading the information on CONFIG_GRKERNSEC_HIDESYM and one of the gotchas of this feature iss:

Code: Select all
1) The kernel using grsecurity is not precompiled by some distribution


I am wondering now if I should even bother enabling this option, since I am distributing a precompiled grsecurity kernel in rpm format.

Thoughts?
cormander
 
Posts: 154
Joined: Tue Jan 29, 2008 12:51 pm

Re: use of GRKERNSEC_HIDESYM in an rpm

Postby spender » Wed Apr 09, 2008 7:14 pm

Its usefulness is limited in that once an attacker is able to determine the rpm used to provide the kernel, they can determine the symbols themselves. Of course, its usefulness in this case isn't as severely limited as it would be if the rpm was provided by a large distribution.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: use of GRKERNSEC_HIDESYM in an rpm

Postby cormander » Wed Apr 09, 2008 9:13 pm

Hmm. I think I'll turn it off. The thing that finalized this decision for me was remembering what you said in this thread:

viewtopic.php?f=1&t=1928&p=7795

It might be awfully bad to distribute a kernel that users couldn't produce an "oops" report with. I'd think you'd agree, since an oops on a grsecurity kernel is bound to end up back here on these forums.

Thanks for the feedback.
cormander
 
Posts: 154
Joined: Tue Jan 29, 2008 12:51 pm

Re: use of GRKERNSEC_HIDESYM in an rpm

Postby cormander » Fri Apr 11, 2008 12:35 pm

I wonder... doesn't the use of GRKERNSEC_HIDESYM make CONFIG_DEBUG useless? If so, should enabling GRKERNSEC_HIDESYM disable CONFIG_DEBUG, or vice versa?
cormander
 
Posts: 154
Joined: Tue Jan 29, 2008 12:51 pm


Return to grsecurity support