Feature changed by: Karl Eichwalder (keichwa) Feature #313171, revision 11 Title: enable full heap randomisation openSUSE Distribution: Evaluation by project manager Priority Requester: Important Requested by: Ludwig Nussel (lnussel) Partner organization: openSUSE.org Description: set kernel.randomize_va_space=2 to enable full heap randomisation. Citing sysctl/kernel.txt: 2 - Additionally enable heap randomization. This is the default if CONFIG_COMPAT_BRK is disabled. There are a few legacy applications out there (such as some ancient versions of libc.so. 5 from 1996) that assume that brk area starts just after the end of the code+bss. These applications break when start of the brk area is randomized. There are however no known non-legacy applications that would be broken this way, so for most systems it is safe to choose full randomization. Systems with ancient and/or broken binaries should be configured with CONFIG_COMPAT_BRK enabled, which excludes the heap from process address space randomization. Documentation Impact: RN Discussion: #1: Jan Engelhardt (jengelh) (2012-02-05 15:26:45) At the same time, what about setting CONFIG_COMPAT_VDSO to disabled as well? #2: Marcus Meissner (msmeissn) (2012-02-05 19:12:56) (reply to #1) Security is all in favour of that. #3: Andreas Jaeger (a_jaeger) (2012-02-29 12:07:05) Let's go for it... + Release Notes: Enabling Full Heap Randomization + Solution: + [All architectures] CONFIG_COMPAT_BRK has been disabled to allow + randomisation of the start address of the userspace heap. This can + break old binaries based on libc5. To revert to the old behavior, set + the kernel.randomize_va_space sysctl to 2. + [x86_64 only] CONFIG_COMPAT_VDSO has been disabled to enforce + randomization of the VDSO address of 32bit binaries on x86_64. This can + break 32bit binaries using glibc < 2.3.3. To revert to the old + behavior, specify vdso=2 on the kernel command line. -- openSUSE Feature: https://features.opensuse.org/313171