Hi,
The file "/proc/sys/kernel/randomize_va_space" has write permission for user as below:
[root@shagun ~]# ls -lrtZ /proc/sys/kernel/randomize_va_space
rw-r--r--. root root system_u:object_r:proc_security_t:s0 /proc/sys/kernel/randomize_va_space
If we want to change this permission to read-only for the user, is it possible?
And I found the code also:
kernel/sysctl.c @@ -1130,7 +1130,11 @@ static struct ctl_table kern_table[] = { .procname = "randomize_va_space", .data = &randomize_va_space, .maxlen = sizeof(int), +#ifdef CONFIG_ASLR_SYSCTL_READ_ONLY + .mode = 0444, +#else .mode = 0644, +#endif
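Review bot: the `#ifdef CONFIG_ASLR_SYSCTL_READ_ONLY` branch depends on a Kconfig symbol that this hunk never defines, so as posted the option cannot be selected and the `.mode = 0444` line is dead code; the same patch should add the Kconfig entry (with help text explaining why root is meant to lose write access to `randomize_va_space`) so reviewers can evaluate the whole change rather than only the `kern_table[]` edit.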
Can we make it 0444? Currently randomize_va_space is 644.
Please suggest.
Regards, Shagun
On Wed, Jun 26, 2019 at 08:36:22AM +0000, Maheshwari, Shagun wrote:
The file "/proc/sys/kernel/randomize_va_space" has write permission for user as below:
[root@shagun ~]# ls -lrtZ /proc/sys/kernel/randomize_va_space
rw-r--r--. root root system_u:object_r:proc_security_t:s0 /proc/sys/kernel/randomize_va_space
If we want to change this permission to read-only for the user, is it possible?
And I found the code also:
kernel/sysctl.c @@ -1130,7 +1130,11 @@ static struct ctl_table kern_table[] = { .procname = "randomize_va_space", .data = &randomize_va_space, .maxlen = sizeof(int), +#ifdef CONFIG_ASLR_SYSCTL_READ_ONLY + .mode = 0444, +#else .mode = 0644, +#endif
Can we make it 0444? Currently randomize_va_space is 644.
Any changes to the kernel should be requested through https://bugzilla.redhat.com/ for RHEL7's kernel package.
Why do you want root to not be able to write to that sysctl? Do you not want it to be able to be modified?
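To show what the `.mode` field in `kern_table[]` actually decides for the question asked above (would 0444 stop root from writing the sysctl?), here is an added user-space model of the permission check the kernel applies to /proc/sys files, written after `proc_sys_permission()`, `sysctl_perm()` and `test_perm()` in fs/proc/proc_sysctl.c; it is not code from the thread, the patch, or the kernel itself. The `euid_is_root`/`egid_is_root` parameters stand in for the kernel's `current_euid()` and `in_egroup_p()` checks.

```c
/* User-space model of the Linux sysctl permission check
 * (proc_sys_permission -> sysctl_perm -> test_perm in fs/proc/proc_sysctl.c).
 * Illustration only, not kernel code.  Note what is absent: there is no
 * CAP_DAC_OVERRIDE bypass on this path, so the ctl_table .mode bits are the
 * final word even for euid 0 (and proc_sys_setattr() refuses chmod). */
#include <errno.h>
#include <stdio.h>

/* Same bit values as include/linux/fs.h */
#define MAY_EXEC  0x1
#define MAY_WRITE 0x2
#define MAY_READ  0x4

/* Mirrors test_perm(): select the owner/group/other triplet for the caller.
 * Every sysctl is owned by root:root, so euid 0 gets the owner bits. */
static int sysctl_test_perm(int mode, int op, int euid_is_root, int egid_is_root)
{
    if (euid_is_root)
        mode >>= 6;              /* owner bits */
    else if (egid_is_root)
        mode >>= 3;              /* group bits */
    /* any requested operation not granted by the selected triplet -> EACCES */
    if ((op & ~mode & (MAY_READ | MAY_WRITE | MAY_EXEC)) == 0)
        return 0;
    return -EACCES;
}

/* Mirrors proc_sys_permission(): a sysctl file is never executable. */
int sysctl_permission(int mode, int op, int euid_is_root, int egid_is_root)
{
    if (op & MAY_EXEC)
        return -EACCES;
    return sysctl_test_perm(mode, op, euid_is_root, egid_is_root);
}

int main(void)
{
    const int modes[] = { 0644, 0444 };   /* current mode vs. the proposed one */
    for (int i = 0; i < 2; i++) {
        printf("mode %04o: root write %s, root read %s, non-root write %s\n",
               modes[i],
               sysctl_permission(modes[i], MAY_WRITE, 1, 0) == 0 ? "ok" : "EACCES",
               sysctl_permission(modes[i], MAY_READ, 1, 0) == 0 ? "ok" : "EACCES",
               sysctl_permission(modes[i], MAY_WRITE, 0, 0) == 0 ? "ok" : "EACCES");
    }
    return 0;
}
```

With 0444 a `sysctl -w` or `echo 0 > /proc/sys/kernel/randomize_va_space` fails with EACCES even as root, which is the behaviour the patch is after. The mode bits only govern this file interface, though; the underlying `randomize_va_space` variable is still kernel state that root's other privileges reach, so treat the option as hardening against accidental or scripted changes rather than as a security boundary against root.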