| View previous topic :: View next topic |
| Author |
Message |
Shadow_Fury
Tux's lil' helper
Joined: 20 Apr 2021
Posts: 138
Location: 11.435765792823453, 143.05926743686274
|
 Posted: Sat Jan 28, 2023 10:44 pm Post subject: best approach to W^X |
 |
|
i was just wondering, what the best approach to enforcing W^X is, and which (if any) are enabled by default.
the article above mentions that SElinux can enforce it, but i was wondering if there are any alternatives, and which (if any) are safe to apply system wide |
|
| Back to top |
|
 |
mike155
Advocate
Joined: 17 Sep 2010
Posts: 4438
Location: Frankfurt, Germany
|
| Posted: Sun Jan 29, 2023 12:03 am Post subject: |
|
|
One part of the solution is: enable CONFIG_STRICT_KERNEL_RWX in your kernel config.
| Code: | CONFIG_STRICT_KERNEL_RWX:
If this is set, kernel text and rodata memory will be made read-only,
and non-text memory will be made non-executable. This provides
protection against certain security exploits (e.g. executing the heap
or modifying text)
These features are considered standard security practice these days.
You should say Y here in almost all cases.
Symbol: STRICT_KERNEL_RWX [=y]
Type : bool
Defined at arch/Kconfig:1243
Prompt: Make kernel text and rodata read-only
Depends on: ARCH_HAS_STRICT_KERNEL_RWX [=y]
Visible if: ARCH_HAS_STRICT_KERNEL_RWX [=y] && ARCH_OPTIONAL_KERNEL_RWX [=n]
Location:
-> General architecture-dependent options
-> Make kernel text and rodata read-only (STRICT_KERNEL_RWX [=y])
|
|
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
Networking & Security
