authorLuke Shumaker <LukeShu@sbcglobal.net>2014-05-27 17:24:17 -0400
committerLuke Shumaker <LukeShu@sbcglobal.net>2014-05-27 17:24:17 -0400
commitffd63534f7349a8bf48e34eb734fbfa017cec2bb (patch)
tree700b868c76c4a1f2a0a614658e376ed21da94c0c /libre/linux-libre-grsec/sysctl.conf
parentcb48db3153ace8969e61946774dea0ec805bc231 (diff)
parent54bc28a3f089c40cd079112766ba3a750283b601 (diff)
Merge branch 'master' of git://projects.parabolagnulinux.org/abslibre
Diffstat (limited to 'libre/linux-libre-grsec/sysctl.conf')
-rw-r--r--libre/linux-libre-grsec/sysctl.conf14
1 files changed, 8 insertions, 6 deletions
diff --git a/libre/linux-libre-grsec/sysctl.conf b/libre/linux-libre-grsec/sysctl.conf
index a1af2c48e..bef8e350d 100644
--- a/libre/linux-libre-grsec/sysctl.conf
+++ b/libre/linux-libre-grsec/sysctl.conf
@@ -1,11 +1,13 @@
-# All features in the kernel.grsecurity namespace are disabled by default.
+# All features in the kernel.grsecurity namespace are disabled by default in
+# the kernel and must be enabled here.
#
-# Disable PaX enforcement by default, due to lacking integration with packages.
+# Disable PaX enforcement by default.
#
-# This is considered a major flaw in this package and will be corrected in the
-# future. Many binaries need to be flagged as requiring an exception from the
-# PaX rules.
+# The `paxd` package sets softmode back to 0 in a configuration file loaded
+# after this one. It automatically handles setting exceptions from the PaX
+# exploit mitigations after Pacman operations. Altering the setting here rather
+# than using `paxd` is not recommended.
#
kernel.pax.softmode = 1
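Review bot: The rewritten comment above `kernel.pax.softmode = 1` does not say what state a system is in when `paxd` is not installed. In that case this file is the last word, PaX stays in soft mode, and the exploit mitigations are not enforced. I would add a line such as `# Without paxd installed, softmode stays 1 and PaX mitigations are NOT enforced.` so the fail-open default is explicit to anyone auditing the package. The override also depends on the paxd file being loaded after this one, which cannot be checked from this hunk. Naming that file in the comment would let an administrator confirm the effective value with `sysctl kernel.pax.softmode`.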
@@ -77,7 +79,7 @@ kernel.grsecurity.audit_gid = 201
#kernel.grsecurity.signal_logging = 1
#kernel.grsecurity.forkfail_logging = 1
#kernel.grsecurity.timechange_logging = 1
-#kernel.grsecurity.rwxmap_logging = 1
+kernel.grsecurity.rwxmap_logging = 1
#
# Executable protections