Hajime Inoue <[EMAIL PROTECTED]> writes: > Just protecting the table does not stop rootkits. A highly referenced > phrack article explains how to bypass the table.
During .23-pre for some time the kernel text was protected too (that would have likely stopped that particular attack), but it was removed because it caused too many problems. Ultimatively it is useless for security anyways because the page tables cannot be protected (because there are valid reasons to change them). If they're not protected any protection can be undone by changing them or simply creating an alias mapping. Also the Linux kernel has function pointers in read-write data structures which could also be used to inject code. So even with Alan's hypervisor support the whole thing would be still quite holey. The argument of raising the bar also doesn't seem very convincing to me, because attackers reuse code too and it's enough when someone publishes such code once, then they can cut'n'paste it into any exploits forever. In general the .data protection is only considered a debugging feature. I don't know why Fedora enables it in their production kernels. BTW I tested your test case and it works for me on 2.6.23rc3 with DEBUG_RODATA enabled on i386/PAE. Without DEBUG_RODATA it BUGs, but that's because the c_p_a interface is somewhat clumpsy and expects balanced changes. -Andi - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
