Re: Switch on compiler hardening defaults
On Mon, Oct 26, 2009 at 09:41:59PM +0100, Christoph Anton Mitterer wrote:
> Ever thought about integrating PaX [0] per default in Debian?
What features does the grsecurity patch provide currently? I know that
several of the mentioned PaX features are supported in vanilla kernel in
the meantime:
- Non-executable memory on x86-32 with PAE.
- Randomized stack and heap bases.
- /dev/mem is highly restricted now, /dev/kmem removed.
What would be a step forward:
- Move all newer x86 32-bit machines to PAE to support non-executable pages.
- Make any code PIC, including binaries (PIE) and static libs.
> I'm however not sure how much this actually breaks ;)
It takes too much compile-time configuration, so don't even think about it.
Bastian
--
Phasers locked on target, Captain.
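Two of the properties under discussion (non-executable memory and PIE) leave a visible mark on the linked binary: a PIE is linked with e_type == ET_DYN rather than ET_EXEC, and a non-executable stack is requested by a PT_GNU_STACK program header without PF_X. The following is an added example, not code from the thread or from Debian; it is a small ELF64 inspector that reports both properties. It assumes a Linux/glibc host (for <elf.h>) and reads the headers in host byte order; make_test_image() is a helper added here that fabricates a minimal constructed header for testing, not a real binary.

```c
/* Report whether an ELF64 image is PIE and requests a non-executable stack.
 * Added example for this thread; not Debian or grsecurity code.
 * Assumes Linux/glibc <elf.h> and a host of the same byte order as the file. */
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct hardening {
    int pie;            /* 1: e_type == ET_DYN (PIE or shared object), 0: ET_EXEC */
    int has_gnu_stack;  /* 1: a PT_GNU_STACK program header exists */
    int nx_stack;       /* 1: PT_GNU_STACK present and PF_X clear */
};

/* Parse an ELF64 image held in memory. Returns 0 on success, -1 if the
 * buffer is not a well-formed ELF64 file whose program headers fit in it. */
int inspect_elf64(const unsigned char *buf, size_t len, struct hardening *out)
{
    Elf64_Ehdr eh;
    if (len < sizeof eh) return -1;
    memcpy(&eh, buf, sizeof eh);                 /* copy: buf may be unaligned */
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 ||
        eh.e_ident[EI_CLASS] != ELFCLASS64)
        return -1;
    if (eh.e_phentsize < sizeof(Elf64_Phdr)) return -1;
    if (eh.e_phoff > len ||
        (uint64_t)eh.e_phnum * eh.e_phentsize > len - eh.e_phoff)
        return -1;                               /* program headers out of bounds */

    memset(out, 0, sizeof *out);
    out->pie = (eh.e_type == ET_DYN);
    for (uint16_t i = 0; i < eh.e_phnum; i++) {
        Elf64_Phdr ph;
        memcpy(&ph, buf + eh.e_phoff + (size_t)i * eh.e_phentsize, sizeof ph);
        if (ph.p_type == PT_GNU_STACK) {
            out->has_gnu_stack = 1;
            out->nx_stack = !(ph.p_flags & PF_X);
        }
    }
    return 0;
}

/* Constructed test input: an ELF64 header plus one PT_GNU_STACK entry.
 * Not a loadable binary; only enough for inspect_elf64(). Returns bytes written. */
size_t make_test_image(unsigned char *buf, size_t cap, uint16_t e_type, uint32_t stack_flags)
{
    Elf64_Ehdr eh;
    Elf64_Phdr ph;
    size_t need = sizeof eh + sizeof ph;
    if (cap < need) return 0;
    memset(&eh, 0, sizeof eh);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_type = e_type;
    eh.e_machine = EM_X86_64;
    eh.e_phoff = sizeof eh;
    eh.e_phentsize = sizeof ph;
    eh.e_phnum = 1;
    memset(&ph, 0, sizeof ph);
    ph.p_type = PT_GNU_STACK;
    ph.p_flags = stack_flags;
    memcpy(buf, &eh, sizeof eh);
    memcpy(buf + sizeof eh, &ph, sizeof ph);
    return need;
}

/* Read a whole file and inspect it. Returns 0 on success, -1 on error. */
int check_file(const char *path, struct hardening *out)
{
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    unsigned char *buf = NULL;
    size_t len = 0, cap = 0;
    for (;;) {
        if (len == cap) {
            cap = cap ? cap * 2 : 1 << 16;
            unsigned char *nb = realloc(buf, cap);
            if (!nb) { free(buf); fclose(f); return -1; }
            buf = nb;
        }
        size_t n = fread(buf + len, 1, cap - len, f);
        len += n;
        if (n == 0) break;
    }
    fclose(f);
    int rc = inspect_elf64(buf, len, out);
    free(buf);
    return rc;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/proc/self/exe";
    struct hardening h;
    if (check_file(path, &h) != 0) {
        fprintf(stderr, "%s: not a readable ELF64 file\n", path);
        return 1;
    }
    printf("%s: %s, stack %s\n", path,
           h.pie ? "PIE (ET_DYN)" : "non-PIE (ET_EXEC)",
           !h.has_gnu_stack ? "no PT_GNU_STACK (kernel default applies)"
                            : h.nx_stack ? "non-executable" : "executable");
    return 0;
}
```

Build it once with and once without `-fPIE -pie` and run it on its own executable to see the e_type difference; the PT_GNU_STACK flag flips to PF_X if any object linked in was assembled without a `.note.GNU-stack` section, which is the usual reason a package silently loses a non-executable stack.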