If you say Y here, getting information on loaded modules, and
displaying all kernel symbols through a syscall will be restricted
to users with CAP_SYS_MODULE. For software compatibility reasons,
/proc/kallsyms will be restricted to the root user. The RBAC
system can hide that entry even from root.
This option also prevents leaking of kernel addresses through
several /proc entries.
Note that this option is only effective provided the following
conditions are met:
- The kernel using grsecurity is not precompiled by some distribution
- You have also enabled GRKERNSEC_DMESG
- You are using the RBAC system and hiding other files such as your
kernel image and System.map. Alternatively, enabling this option
causes the permissions on /boot, /lib/modules, and the kernel
source directory to change at compile time to prevent
reading by non-root users.
If the above conditions are met, this option will aid in providing a
useful protection against local kernel exploitation of overflows
and arbitrary read/write vulnerabilities.
It is highly recommended that you enable GRKERNSEC_PERF_HARDEN
in addition to this feature.
Is hiding kernel symbols even possible without grsecurity?
security-misc is already deleting system.map files and restricts
kallsyms. Soon we’ll implement make /boot and /lib/modules unreadable for non-root users and maybe even make /boot and /lib/modules unreadable even for root.
and the kernel source directory
Why even the kernel source directory should be hidden?
One idea of kernel recompilation for better hardening was the recompile on the users machine so the kernel would be uniquely compiled and kernel symbols would stay hidden, Rather than using Debian public kernel (from packages.debian.org) which has public well known kernel symbols.
But Debian is working towards reproducible builds. Thereby when compiling the Debian kernel on the user’s machine, it is likely the user would end up with a byte identical versions.
Could we use a reproducibility build kernel and then somehow instruct the kernel (through a kernel parameter or something) automagically randomize its kernel symbols addresses?