Commit b7f5ab6f authored by Horst Schirmeier's avatar Horst Schirmeier Committed by Jiri Kosina

trivial: doc: document missing value 2 for randomize-va-space

The documentation for /proc/sys/kernel/* does not mention the possible
value 2 for randomize-va-space yet.  While being there, doing some
reformatting, fixing grammar problems and clarifying the correlations
between randomize-va-space, kernel parameter "norandmaps" and the
CONFIG_COMPAT_BRK option.
Signed-off-by: default avatarHorst Schirmeier <horst@schirmeier.com>
Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
parent 627df23c
...@@ -319,25 +319,29 @@ This option can be used to select the type of process address ...@@ -319,25 +319,29 @@ This option can be used to select the type of process address
space randomization that is used in the system, for architectures space randomization that is used in the system, for architectures
that support this feature. that support this feature.
0 - Turn the process address space randomization off by default. 0 - Turn the process address space randomization off. This is the
default for architectures that do not support this feature anyways,
and kernels that are booted with the "norandmaps" parameter.
1 - Make the addresses of mmap base, stack and VDSO page randomized. 1 - Make the addresses of mmap base, stack and VDSO page randomized.
This, among other things, implies that shared libraries will be This, among other things, implies that shared libraries will be
loaded to random addresses. Also for PIE-linked binaries, the location loaded to random addresses. Also for PIE-linked binaries, the
of code start is randomized. location of code start is randomized. This is the default if the
CONFIG_COMPAT_BRK option is enabled.
With heap randomization, the situation is a little bit more 2 - Additionally enable heap randomization. This is the default if
complicated. CONFIG_COMPAT_BRK is disabled.
There a few legacy applications out there (such as some ancient
There are a few legacy applications out there (such as some ancient
versions of libc.so.5 from 1996) that assume that brk area starts versions of libc.so.5 from 1996) that assume that brk area starts
just after the end of the code+bss. These applications break when just after the end of the code+bss. These applications break when
start of the brk area is randomized. There are however no known start of the brk area is randomized. There are however no known
non-legacy applications that would be broken this way, so for most non-legacy applications that would be broken this way, so for most
systems it is safe to choose full randomization. However there is systems it is safe to choose full randomization.
a CONFIG_COMPAT_BRK option for systems with ancient and/or broken
binaries, that makes heap non-randomized, but keeps all other Systems with ancient and/or broken binaries should be configured
parts of process address space randomized if randomize_va_space with CONFIG_COMPAT_BRK enabled, which excludes the heap from process
sysctl is turned on. address space randomization.
============================================================== ==============================================================
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment