use of GRKERNSEC_HIDESYM in an rpm
Posted:
Wed Apr 09, 2008 5:58 pmby cormander
Hello,
I was reading the information on CONFIG_GRKERNSEC_HIDESYM and one of the gotchas of this feature iss:
- Code: Select all
1) The kernel using grsecurity is not precompiled by some distribution
I am wondering now if I should even bother enabling this option, since I am distributing a precompiled grsecurity kernel in rpm format.
Thoughts?
Re: use of GRKERNSEC_HIDESYM in an rpm
Posted:
Wed Apr 09, 2008 7:14 pmby spender
Its usefulness is limited in that once an attacker is able to determine the rpm used to provide the kernel, they can determine the symbols themselves. Of course, its usefulness in this case isn't as severely limited as it would be if the rpm was provided by a large distribution.
-Brad
Re: use of GRKERNSEC_HIDESYM in an rpm
Posted:
Wed Apr 09, 2008 9:13 pmby cormander
Hmm. I think I'll turn it off. The thing that finalized this decision for me was remembering what you said in this thread:
viewtopic.php?f=1&t=1928&p=7795It might be awfully bad to distribute a kernel that users couldn't produce an "oops" report with. I'd think you'd agree, since an oops on a grsecurity kernel is bound to end up back here on these forums.
Thanks for the feedback.
Re: use of GRKERNSEC_HIDESYM in an rpm
Posted:
Fri Apr 11, 2008 12:35 pmby cormander
I wonder... doesn't the use of GRKERNSEC_HIDESYM make CONFIG_DEBUG useless? If so, should enabling GRKERNSEC_HIDESYM disable CONFIG_DEBUG, or vice versa?