grsecurity forums

[cormander]

Hello,

I was reading the information on CONFIG_GRKERNSEC_HIDESYM and one of the gotchas of this feature iss:

Code: Select all

1) The kernel using grsecurity is not precompiled by some distribution


I am wondering now if I should even bother enabling this option, since I am distributing a precompiled grsecurity kernel in rpm format.

Thoughts?

[spender]

Its usefulness is limited in that once an attacker is able to determine the rpm used to provide the kernel, they can determine the symbols themselves. Of course, its usefulness in this case isn't as severely limited as it would be if the rpm was provided by a large distribution.

-Brad

[cormander]

Hmm. I think I'll turn it off. The thing that finalized this decision for me was remembering what you said in this thread:

viewtopic.php?f=1&t=1928&p=7795

It might be awfully bad to distribute a kernel that users couldn't produce an "oops" report with. I'd think you'd agree, since an oops on a grsecurity kernel is bound to end up back here on these forums.

Thanks for the feedback.

[cormander]

I wonder... doesn't the use of GRKERNSEC_HIDESYM make CONFIG_DEBUG useless? If so, should enabling GRKERNSEC_HIDESYM disable CONFIG_DEBUG, or vice versa?