KASLR support

LPAR mode | z/VM guest | KVM guest

With kernel address space layout randomization (KASLR), the kernel is loaded to a random location in memory.

Loading the kernel to a random location can protect against attacks that rely on knowledge of the kernel addresses.

The KASLR feature is enabled by default. You can use the nokaslr kernel parameter to disable it; see nokaslr - Disable kernel randomization.

When KASLR is enabled and the kernel is loaded to a random address, the kernel syslog can still reveal kernel internal addresses. Therefore, you must prevent unprivileged users from accessing the syslog by setting the dmesg_restrict sysctl to 1. This setting restricts access to users with the CAP_SYSLOG capability.

Kernel addresses can also be exposed through /proc and other interfaces. To prevent this, set the kptr_restrict sysctl to 1.

For more information about the dmesg_restrict and kptr_restrict sysctls, see Documentation/sysctl/kernel.txt in the kernel source tree.
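
The following shell audit checks the three settings described above (nokaslr, dmesg_restrict, kptr_restrict). It is an added example, not part of the original documentation. PROC_ROOT, the --audit switch, and the sysctl.d file name are assumptions of the example.

```shell
#!/bin/sh
# Added example: audit the KASLR-related settings named in this topic.
# PROC_ROOT is an assumption of this example; it lets the checks run
# against a copy of /proc (for instance from a collected system dump).
PROC_ROOT="${PROC_ROOT:-/proc}"

# Print the value of a kernel.* sysctl, or "missing" if it cannot be read.
read_sysctl() {
    f="$PROC_ROOT/sys/kernel/$1"
    if [ -r "$f" ]; then tr -d '[:space:]' < "$f"; else printf 'missing'; fi
}

# Return 0 if nokaslr appears as a whole word on the kernel command line.
kaslr_disabled() {
    [ -r "$PROC_ROOT/cmdline" ] || return 1
    tr ' ' '\n' < "$PROC_ROOT/cmdline" | grep -qx 'nokaslr'
}

# Compare one sysctl with a minimum value and print a finding line.
# kptr_restrict=2 is stricter than 1, so ">= 1" is accepted.
check_min() {
    val=$(read_sysctl "$1")
    case "$val" in
        ''|*[!0-9]*) echo "FAIL $1: unreadable ($val)"; return 1 ;;
    esac
    if [ "$val" -ge "$2" ]; then echo "OK   $1 = $val"; return 0; fi
    echo "FAIL $1 = $val, expected >= $2"; return 1
}

# Run all checks; the return code is the number of findings (0 to 3).
audit_kaslr() {
    findings=0
    if kaslr_disabled; then
        echo "FAIL nokaslr is set on the kernel command line"
        findings=$((findings + 1))
    else
        echo "OK   nokaslr not set"
    fi
    check_min dmesg_restrict 1 || findings=$((findings + 1))
    check_min kptr_restrict 1 || findings=$((findings + 1))
    return "$findings"
}

# Persistent fix (file name is an assumption), applied with "sysctl --system":
#   /etc/sysctl.d/90-kaslr.conf
#     kernel.dmesg_restrict = 1
#     kernel.kptr_restrict = 1
case "${1:-}" in --audit) audit_kaslr ;; esac
```

Run it with `--audit` on the live system, or set PROC_ROOT to inspect a saved copy of /proc.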