OS-5879: lxbrand should expose ASLR via sysctl

Details

Issue Type: Improvement
Priority: 4 - Normal
Status: Open
Created at: 2016-12-29T20:55:44.000Z
Updated at: 2019-11-07T21:02:20.548Z

People

Created by: Former user
Reported by: Former user

Labels

lxbrand

Description

Now that initial ASLR support has landed, it would be nice to expose it via the kernel.randomize_va_space sysctl in LX.

Comments

Comment by Former user
Created at 2016-12-30T00:44:23.000Z

Dillon did some research on the default ASLR behavior in Linux:

It looks like on Linux, randomize_vaspace has defaulted to 2 when building the kernel since commit 32a932332c8bad842804842eaf9651ad6268e637 in 2008. Before that it defaulted to 1 in the same way.
I checked Alpine Standard 3.5.0, Ubuntu 14.04, Ubuntu 16.04, CentOS 6, and CentOS 7. They all were set to 2, as far as I can tell due to the kernel default. None had entries in /etc/sysctl.conf (or anywhere else in /etc).
In addition I searched the source of systemd for references to randomize_vaspace, which did not turn anything up.

As a result, I believe this should be safe to integrate. I also believe SmartOS should default LX zones to having security-flags.default=aslr (at minimum), which will need to be done in smartos (vmapi?) as opposed to illumos-joyent.

According to 'git tag --contains', 2.6.25 was the first release with VA randomization enabled by default.
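
The survey described in the comment above (read the runtime value, then look for overrides under /etc), written as a script. This is an added example, not code from the ticket or from illumos-joyent; the function names and the optional root-directory argument are assumptions of the example, and the mode descriptions follow the Linux kernel sysctl documentation.

```shell
#!/bin/sh
# Added example: audit kernel.randomize_va_space in a Linux or LX-branded environment.
# Usage: sh aslr_audit.sh [ROOT]   (ROOT is an optional alternate root, e.g. a mounted image)

# Map a randomize_va_space value to its meaning.
aslr_mode_name() {
    case "$1" in
        0) echo "disabled" ;;
        1) echo "stack, mmap base and vDSO randomized" ;;
        2) echo "mode 1 plus brk heap randomized" ;;
        *) echo "unknown" ;;
    esac
}

# Print "file:value" for every uncommented setting in the sysctl config files.
# Both key spellings accepted by sysctl are matched (kernel.x and kernel/x).
find_overrides() {
    root="${1:-}"
    for f in "$root/etc/sysctl.conf" "$root"/etc/sysctl.d/*.conf; do
        [ -f "$f" ] || continue
        sed -n 's/^[[:space:]]*kernel[./]randomize_va_space[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$f" |
        while read -r v; do echo "$f:$v"; done
    done
}

# Report runtime value and config overrides.
# Returns 0 only when the runtime value is 2 and no config entry sets another value.
report() {
    root="${1:-}"; rc=0
    proc="$root/proc/sys/kernel/randomize_va_space"
    if [ -r "$proc" ]; then
        v=$(cat "$proc")
        echo "runtime: $v ($(aslr_mode_name "$v"))"
        [ "$v" = 2 ] || rc=1
    else
        # The state this ticket asks to fix in LX: the sysctl is absent.
        echo "runtime: kernel.randomize_va_space is not exposed"
        rc=1
    fi
    overrides=$(find_overrides "$root")
    if [ -n "$overrides" ]; then
        echo "$overrides" | sed 's/^/config:  /'
        if echo "$overrides" | grep -qv ':2$'; then rc=1; fi
    fi
    return $rc
}

report "${1:-}" || echo "result: differs from the Linux default of 2"
```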