[CentOS-devel] Need info about kernel file "randomize_va_space"

Fri Jun 28 10:25:52 UTC 2019
Maheshwari, Shagun <Shagun.Maheshwari at Harman.com>

Hi,

>> The file "/proc/sys/kernel/randomize_va_space" has write permission for user as below:
>> [root at shagun ~]# ls -lrtZ /proc/sys/kernel/randomize_va_space
>> -rw-r--r--. root root system_u:object_r:proc_security_t:s0 /proc/sys/kernel/randomize_va_space
>> 
>> If we want to change this permission to read-only for the user, is it possible?
>> 
>> And I found the code also:
>> 
>> kernel/sysctl.c @@ -1130,7 +1130,11 @@ static struct ctl_table kern_table[] = { .procname = "randomize_va_space", .data = &randomize_va_space, .maxlen = sizeof(int), +#ifdef CONFIG_ASLR_SYSCTL_READ_ONLY + .mode = 0444, +#else .mode = 0644, +#endif
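Review bot: the hunk as quoted is incomplete, so it cannot be applied or fully reviewed as posted: the `@@ -1130,7 +1130,11 @@` header accounts for the four added lines (`#ifdef`, `.mode = 0444,`, `#else`, `#endif`), but the trailing context lines of the `randomize_va_space` entry after `#endif` are cut off, and nothing in the quoted diff defines `CONFIG_ASLR_SYSCTL_READ_ONLY` (no Kconfig hunk). A complete submission would add the Kconfig symbol with help text stating that it switches the `randomize_va_space` sysctl from `0644` to `0444`, and update the sysctl documentation for `randomize_va_space` to say the file becomes read-only when the option is set. This `#ifdef` block does not appear in the upstream `kernel/sysctl.c`, so the snippet comes from an out-of-tree patch; as the reply from the list already says, a change to the RHEL/CentOS kernel package has to be requested through Bugzilla rather than on this list.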
>> 
>> Can we make it 0444? Currently randomize_va_space is 644.

> Any changes to the kernel should be requested through
> https://bugzilla.redhat.com/ for RHEL7's kernel package.

> Why do you want root to not be able to write to that sysctl? Do you
> not want it to be able to be modified?

Because while running the dASLR tool, the "randomize_va_space unconfigurable" test in "Kernel Check" is FAILED.

As per dASLR tool support, a "randomize_va_space_unconfigurable" fail means that "/proc/sys/kernel/randomize_va_space" has write permission.

Regards,
Shagun