View previous topic :: View next topic |
Author |
Message |
Shadow_Fury Tux's lil' helper
Joined: 20 Apr 2021 Posts: 138 Location: 11.435765792823453, 143.05926743686274
|
Posted: Sat Jan 28, 2023 10:44 pm Post subject: best approach to W^X |
|
|
i was just wondering, what the best approach to enforcing W^X is, and which (if any) are enabled by default.
the article above mentions that SElinux can enforce it, but i was wondering if there are any alternatives, and which (if any) are safe to apply system wide |
|
Back to top |
|
|
mike155 Advocate
Joined: 17 Sep 2010 Posts: 4438 Location: Frankfurt, Germany
|
Posted: Sun Jan 29, 2023 12:03 am Post subject: |
|
|
One part of the solution is: enable CONFIG_STRICT_KERNEL_RWX in your kernel config.
Code: | CONFIG_STRICT_KERNEL_RWX:
If this is set, kernel text and rodata memory will be made read-only,
and non-text memory will be made non-executable. This provides
protection against certain security exploits (e.g. executing the heap
or modifying text)
These features are considered standard security practice these days.
You should say Y here in almost all cases.
Symbol: STRICT_KERNEL_RWX [=y]
Type : bool
Defined at arch/Kconfig:1243
Prompt: Make kernel text and rodata read-only
Depends on: ARCH_HAS_STRICT_KERNEL_RWX [=y]
Visible if: ARCH_HAS_STRICT_KERNEL_RWX [=y] && ARCH_OPTIONAL_KERNEL_RWX [=n]
Location:
-> General architecture-dependent options
-> Make kernel text and rodata read-only (STRICT_KERNEL_RWX [=y])
|
|
|
Back to top |
|
|
|
|
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
|