lnxg33k wrote:
> Matt Poletiek wrote:
>> However, this time (on the dual p3 system) paxtest is still able to do
>> a lot....
> <snip>
>> # Sysctl support
>> #
>> CONFIG_GRKERNSEC_SYSCTL=y
>> CONFIG_GRKERNSEC_SYSCTL_ON=y
>
> I believe this is the problem here. sysctl is used to modify the kernel
> so by enabling its usage, one can essentially have their way. If you
> disable sysctl support, it will probably fix most of those vulnerabilities.

Not true - the grsecurity settings can't be modified via sysctl once
kernel.grsecurity.grsec_lock is set.

That said, I do not have grsec sysctl support enabled in any of my kernels.

Cheers

Andrew
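
A way to verify the state described in the reply above, as an added example that is not part of the original thread: the script reports whether kernel.grsecurity.grsec_lock is set and, if it is not, lists the grsecurity settings that can still be changed via sysctl. It assumes the settings appear under /proc/sys/kernel/grsecurity (the procfs view of kernel.grsecurity.*); the function name grsec_lock_status is hypothetical.

```shell
#!/bin/sh
# Added example: report whether grsecurity's runtime settings are locked.
# Assumption: the tunables live under /proc/sys/kernel/grsecurity, the procfs
# view of the kernel.grsecurity.* sysctl namespace named in the thread.

# Prints "absent", "locked" or "unlocked" on the first line. When unlocked,
# the following lines list each setting that root can still change.
grsec_lock_status() {
    root="${1:-/proc/sys/kernel/grsecurity}"

    # No directory: kernel built without grsec sysctl support (or not grsec).
    if [ ! -d "$root" ]; then
        echo "absent"
        return 0
    fi

    lock=$(cat "$root/grsec_lock" 2>/dev/null || echo "?")
    if [ "$lock" = "1" ]; then
        echo "locked"
        return 0
    fi

    # Not locked: every tunable listed below is still modifiable at runtime.
    echo "unlocked"
    for f in "$root"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        [ "$name" = "grsec_lock" ] && continue
        printf 'kernel.grsecurity.%s=%s\n' "$name" "$(cat "$f" 2>/dev/null)"
    done
    return 0
}

# Check the running kernel; prints "absent" on a non-grsecurity system.
grsec_lock_status
```

An "unlocked" result on a production host means the boot scripts never set the lock after applying their sysctl values.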