[grsec] Q. 'const'antify the members of a structure

[pageexec at freemail.hu]

On 28 May 2010 at 14:53, J. R. Okajima wrote:

> This is my case.
> I am developing a kernel module which is not merged into mainline (and
> it will not be). Some users use it with the grsec-pached kernel.
> In order to support various filesystems and their options, my module
> allocates struct foo_operations and sets members dynamically. And users
> got the compilation errors.

do you really need to allocate these structures at runtime? if all you need
is to modify existing ops structures then you can temporarily grant yourself
write access by using pax_open_kernel/pax_close_kernel. of course it's PaX
specific, it won't work with DEBUG_RODATA (you can abuse text_poke maybe ;).

> I don't understand why these 'const's enhances the security. But I
> think I can understand your explanation.

(writable) function pointers are the primary targets of memory corruption
based exploits, reducing their numbers reduces the attack surface.