can sbcl run on a grsecurity hardened kernel?

Post by globaltree » Fri Aug 05, 2016 9:14 pm

In an effort to harden a hunchentoot server, I rebuilt the kernel with the patch from https://grsecurity.net/.
This broke sbcl. Here's what happens when I try to open a REPL:

Code:

globaltree@lispbox:~$ sbcl
mmap: Operation not permitted
ensure_space: failed to validate 1040384 bytes at 0x20000000
(hint: Try "ulimit -a"; maybe you should increase memory limits.)
globaltree@lispbox:~$

Googling reveals that I'm not alone:

https://archives.gentoo.org/gentoo-hard ... d7ba4c74fa
https://bugs.launchpad.net/sbcl/+bug/1523213
viewtopic.php?f=2&t=18

Lukasz Janyst wrote a patch to fix this:
After some investigation, it turned out that DreamHost uses grsecurity kernel patches and, it looks like, their implementation of ASLR (Address Space Layout Randomization) does not respect the ADDR_NO_RANDOMIZE personality that is indeed set by sbcl at startup. They still allow the memory to be mapped at a specific location, which is a requirement for sbcl, if the MAP_FIXED flag is passed to mmap. The patch fixing this problem was a fairly simple one once I figured out what's going on. It looks like it will be included in sbcl 1.3.2. Until then, you will have to recompile the sources yourself.
(from http://jany.st/tag/sbcl.html).

I have recompiled sbcl with his patch, but to no avail. I also recompiled sbcl with compile time features: --with-high-secuirty and --with-high-security-support, also to no avail. I rebuilt the kernel, trying to disable the randomization features of grsecurity, but to no avail. I first set grsecurity to auto, kvm, server, guest, and saved config. Then I edited config and disabled options related to ASLR. Following is the security-related part of my kernel .config file, which I include, hoping for suggestions on other options to tweak that might enable sbcl and grsecurity to be friends:

Code:

#                                                                                                                                                                                                      
# Security options                                                                                                                                                                                     
#                                                                                                                                                                                                      

#                                                                                                                                                                                                      
# Grsecurity                                                                                                                                                                                           
#                                                                                                                                                                                                      
CONFIG_PAX_PER_CPU_PGD=y
CONFIG_TASK_SIZE_MAX_SHIFT=42
CONFIG_PAX_USERCOPY_SLABS=y
CONFIG_GRKERNSEC=y
# CONFIG_GRKERNSEC_CONFIG_AUTO is not set                                                                                                                                                              
CONFIG_GRKERNSEC_CONFIG_CUSTOM=y
CONFIG_GRKERNSEC_PROC_GID=1001
CONFIG_GRKERNSEC_TPE_UNTRUSTED_GID=1005
CONFIG_GRKERNSEC_SYMLINKOWN_GID=1006

#                                                                                                                                                                                                      
# Customize Configuration                                                                                                                                                                              
#                                                                                                                                                                                                      

#                                                                                                                                                                                                      
# PaX                                                                                                                                                                                                  
#                                                                                                                                                                                                      
CONFIG_PAX=y

#                                                                                                                                                                                                      
# PaX Control                                                                                                                                                                                          
#                                                                                                                                                                                                      
# CONFIG_PAX_SOFTMODE is not set                                                                                                                                                                       
CONFIG_PAX_EI_PAX=y
CONFIG_PAX_PT_PAX_FLAGS=y
CONFIG_PAX_XATTR_PAX_FLAGS=y
# CONFIG_PAX_NO_ACL_FLAGS is not set                                                                                                                                                                   
CONFIG_PAX_HAVE_ACL_FLAGS=y
# CONFIG_PAX_HOOK_ACL_FLAGS is not set                                                                                                                                                                 

#                                                                                                                                                                                                      
# Non-executable pages                                                                                                                                                                                 
#                                                                                                                                                                                                      
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
CONFIG_PAX_EMUTRAMP=y
CONFIG_PAX_MPROTECT=y
# CONFIG_PAX_MPROTECT_COMPAT is not set                                                                                                                                                                
# CONFIG_PAX_ELFRELOCS is not set                                                                                                                                                                      
CONFIG_PAX_KERNEXEC=y
CONFIG_PAX_KERNEXEC_PLUGIN=y
# CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_NONE is not set                                                                                                                                                    
CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_BTS=y
# CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR is not set                                                                                                                                                      

#                                                                                                                                                                                                      
# Address Space Layout Randomization                                                                                                                                                                   
#                                                                                                                                                                                                      
# CONFIG_PAX_ASLR is not set                                                                                                                                                                           
# CONFIG_PAX_RANDKSTACK is not set                                                                                                                                                                     

#                                                                                                                                                                                                      
# Miscellaneous hardening features                                                                                                                                                                     
#                                                                                                                                                                                                      
# CONFIG_PAX_MEMORY_SANITIZE is not set                                                                                                                                                                
# CONFIG_PAX_MEMORY_STACKLEAK is not set                                                                                                                                                               
# CONFIG_PAX_MEMORY_STRUCTLEAK is not set                                                                                                                                                              
# CONFIG_PAX_MEMORY_UDEREF is not set                                                                                                                                                                  
CONFIG_PAX_REFCOUNT=y
CONFIG_PAX_CONSTIFY_PLUGIN=y
CONFIG_PAX_USERCOPY=y
# CONFIG_PAX_USERCOPY_DEBUG is not set    
CONFIG_PAX_SIZE_OVERFLOW=y
CONFIG_PAX_LATENT_ENTROPY=y
CONFIG_PAX_RAP=y

#                                                                                                                                                                                                      
# Memory Protections                                                                                                                                                                                   
#                                                                                                                                                                                                      
CONFIG_GRKERNSEC_KMEM=y
CONFIG_GRKERNSEC_IO=y
CONFIG_GRKERNSEC_BPF_HARDEN=y
CONFIG_GRKERNSEC_PERF_HARDEN=y
# CONFIG_GRKERNSEC_PROC_MEMMAP is not set                                                                                                                                                              
CONFIG_GRKERNSEC_KSTACKOVERFLOW=y
CONFIG_GRKERNSEC_BRUTE=y
CONFIG_GRKERNSEC_HIDESYM=y
# CONFIG_GRKERNSEC_RANDSTRUCT is not set                                                                                                                                                               
CONFIG_GRKERNSEC_KERN_LOCKOUT=y

#                                                                                                                                                                                                      
# Role Based Access Control Options                                                                                                                                                                    
#                                                                                                                                                                                                      
# CONFIG_GRKERNSEC_NO_RBAC is not set                                                                                                                                                                  
# CONFIG_GRKERNSEC_ACL_HIDEKERN is not set                                                                                                                                                             
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30

#                                                                                                                                                                                                      
# Filesystem Protections                                                                                                                                                                               
#                                                                                                                                                                                                      
CONFIG_GRKERNSEC_PROC=y
# CONFIG_GRKERNSEC_PROC_USER is not set                                                                                                                                                                
CONFIG_GRKERNSEC_PROC_USERGROUP=y
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_SYMLINKOWN=y
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_SYSFS_RESTRICT=y
# CONFIG_GRKERNSEC_ROFS is not set                                                                                                                                                                     
CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_RENAME=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y
CONFIG_GRKERNSEC_CHROOT_INITRD=y

#                                                                                                                                                                                                      
# Kernel Auditing                                                                                                                                                                                      
#                                                                                                                                                                                                      
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set                                                                                                                                                              
# CONFIG_GRKERNSEC_EXECLOG is not set                                                                                                                                                                  
CONFIG_GRKERNSEC_RESLOG=y
# CONFIG_GRKERNSEC_CHROOT_EXECLOG is not set                                                                                                                                                           
# CONFIG_GRKERNSEC_AUDIT_PTRACE is not set                                                                                                                                                             
# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set                                                                                                                                                              
# CONFIG_GRKERNSEC_AUDIT_MOUNT is not set                                                                                                                                                              
CONFIG_GRKERNSEC_SIGNAL=y
# CONFIG_GRKERNSEC_FORKFAIL is not set                                                                                                                                                                 
CONFIG_GRKERNSEC_TIME=y
CONFIG_GRKERNSEC_PROC_IPADDR=y
CONFIG_GRKERNSEC_RWXMAP_LOG=y

#                                                                                                                                                                                                      
# Executable Protections                                                                                                                                                                               
#                                                                                                                                                                                                      
CONFIG_GRKERNSEC_DMESG=y
CONFIG_GRKERNSEC_HARDEN_PTRACE=y
CONFIG_GRKERNSEC_PTRACE_READEXEC=y
CONFIG_GRKERNSEC_SETXID=y
CONFIG_GRKERNSEC_HARDEN_IPC=y
CONFIG_GRKERNSEC_HARDEN_TTY=y
CONFIG_GRKERNSEC_TPE=y
# CONFIG_GRKERNSEC_TPE_ALL is not set                                                                                                                                                                  
# CONFIG_GRKERNSEC_TPE_INVERT is not set                                                                                                                                                               
CONFIG_GRKERNSEC_TPE_GID=1005

#                                                                                                                                                                                                      
# Network Protections                                                                                                                                                                                  
#                                                                                                                                                                                                      
CONFIG_GRKERNSEC_BLACKHOLE=y
CONFIG_GRKERNSEC_NO_SIMULT_CONNECT=y
# CONFIG_GRKERNSEC_SOCKET is not set                                                                                                                                                                   

#                                                                                                                                                                                                      
# Physical Protections                                                                                                                                                                                 
#                                                                                                                                                                                                      
CONFIG_GRKERNSEC_DENYUSB=y
# CONFIG_GRKERNSEC_DENYUSB_FORCE is not set                                                                                                                                                            

#                                                                                                                                                                                                      
# Sysctl Support                                                                                                                                                                                       
#                                                                                                                                                                                                      
CONFIG_GRKERNSEC_SYSCTL=y
# CONFIG_GRKERNSEC_SYSCTL_DISTRO is not set
CONFIG_GRKERNSEC_SYSCTL_ON=y

#                                                                                                                                                                                                      
# Logging Options                                                                                                                                                                                      
#                                                                                                                                                                                                      
CONFIG_GRKERNSEC_FLOODTIME=10
CONFIG_GRKERNSEC_FLOODBURST=6
CONFIG_KEYS=y
# CONFIG_PERSISTENT_KEYRINGS is not set                                                                                                                                                                
# CONFIG_BIG_KEYS is not set                                                                                                                                                                           
CONFIG_TRUSTED_KEYS=y
CONFIG_ENCRYPTED_KEYS=y
CONFIG_SECURITY_DMESG_RESTRICT=y
CONFIG_SECURITY=y
CONFIG_SECURITYFS=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_NETWORK_XFRM=y
# CONFIG_SECURITY_PATH is not set                                                                                                                                                                      
# CONFIG_INTEL_TXT is not set                                                                                                                                                                          
# CONFIG_SECURITY_SELINUX is not set                                                                                                                                                                   
# CONFIG_SECURITY_SMACK is not set                                                                                                                                                                     
# CONFIG_SECURITY_TOMOYO is not set                                                                                                                                                                    
# CONFIG_SECURITY_APPARMOR is not set                                                                                                                                                                  
# CONFIG_INTEGRITY is not set                                                                                                                                                                          
CONFIG_DEFAULT_SECURITY_DAC=y
CONFIG_DEFAULT_SECURITY=""
CONFIG_XOR_BLOCKS=y
CONFIG_ASYNC_CORE=y
CONFIG_ASYNC_MEMCPY=y
CONFIG_ASYNC_XOR=y
CONFIG_ASYNC_PQ=y
CONFIG_ASYNC_RAID6_RECOV=y
CONFIG_CRYPTO=y  
It seems like Mr. Janyst thought his patch worked. Maybe it was for an older version of sbcl, but it did not work for me. Are any of you running sbcl on kernels hardened with grsecurity? It's my first time trying to harden a kernel, and so perhaps I should try selinux or apparmor instead of grsecurity. Any advice about the best way to get a hunchentoot hardened enough to be opened up to the www is appreciated. Thanks.
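
An added example, not part of the original post and not SBCL code: a small C probe that requests the mapping named in the error message at the top of the thread (1040384 bytes at 0x20000000) three ways, to tell apart a memory limit, a refusal of writable+executable memory, and an address hint that is only honoured with MAP_FIXED. It assumes the runtime asks for a read/write/execute anonymous mapping; `probe` and `diagnose` are names made up for this sketch.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

/* Address and length copied from the ensure_space error in the post. */
#define WANT_ADDR ((void *)0x20000000UL)
#define WANT_LEN  ((size_t)1040384)

/* Map, note where the mapping landed, unmap. Returns 0 or mmap's errno. */
static int probe(int prot, int extra_flags, void **landed)
{
    void *p = mmap(WANT_ADDR, WANT_LEN, prot,
                   MAP_PRIVATE | MAP_ANONYMOUS | extra_flags, -1, 0);
    *landed = (p == MAP_FAILED) ? NULL : p;
    if (p == MAP_FAILED)
        return errno;
    munmap(p, WANT_LEN);
    return 0;
}

/* Pure decision logic over the probe results (assumed interpretation). */
static const char *diagnose(int rw_err, int rwx_err, int hint_honoured,
                            int fixed_err)
{
    if (rw_err)
        return "RW mapping fails: look at memory limits (ulimit -a)";
    if (rwx_err)
        return "RW ok, RWX refused: writable+executable mappings are blocked";
    if (fixed_err)
        return "MAP_FIXED refused at the requested address";
    if (!hint_honoured)
        return "hint ignored, MAP_FIXED ok: the runtime must pass MAP_FIXED";
    return "requested address is mappable with and without MAP_FIXED";
}

int main(void)
{
    void *a, *b, *c;
    int rw  = probe(PROT_READ | PROT_WRITE, 0, &a);
    int rwx = probe(PROT_READ | PROT_WRITE | PROT_EXEC, 0, &b);
    /* MAP_FIXED replaces whatever is mapped there; nothing is in this probe. */
    int fx  = probe(PROT_READ | PROT_WRITE | PROT_EXEC, MAP_FIXED, &c);
    printf("rw: %s at %p\nrwx: %s at %p\nfixed: %s at %p\n",
           strerror(rw), a, strerror(rwx), b, strerror(fx), c);
    puts(diagnose(rw, rwx, b == WANT_ADDR, fx));
    return 0;
}
```

Run it as the same user and under the same limits as the failing sbcl process, so the probe sees the same policy.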

pjstirling
Posts: 166
Joined: Sun Nov 28, 2010 4:21 pm

Re: can sbcl run on a grsecurity hardened kernel?

Post by pjstirling » Tue Aug 09, 2016 1:54 pm

sbcl won't run with ASLR.

Is there a big problem in running behind a reverse proxy?

I did it that way rather than try and get sbcl to try and do the dance required to bind port 443 without running all the time as root (which is obviously a really dumb idea with an interactive code-generation capable process).

Lispeth
Posts: 25
Joined: Wed May 13, 2015 8:33 am

Re: can sbcl run on a grsecurity hardened kernel?

Post by Lispeth » Mon Aug 22, 2016 10:05 am

pjstirling wrote: sbcl won't run with ASLR.
That makes SBCL a bad choice for server applications. Is there a way to circumvent this? Is a patch upcoming?

pjstirling
Posts: 166
Joined: Sun Nov 28, 2010 4:21 pm

Re: can sbcl run on a grsecurity hardened kernel?

Post by pjstirling » Tue Aug 23, 2016 8:53 am

I realise that it doesn't sound great, but buffer-overruns are impossible outside code that is compiled with (DECLARE (OPTIMIZE (SAFETY 0))), which should be the exception, and such code is usually vetted rather more carefully than "normal" code.
