Hi Laura, On 19/01/17 01:29, Laura Abbott wrote: > > Despite the word 'debug' in CONFIG_DEBUG_SET_MODULE_RONX, this kernel > option provides key security features that are to be expected on a > modern system. Change the name to CONFIG_HARDENED_MODULE_MAPPINGS which > more accurately describes what this option is intended to do. > > Signed-off-by: Laura Abbott <labb...@redhat.com> > ---
[...] > diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig > index 09aff28..ef852e4 100644 > --- a/arch/arm/Kconfig > +++ b/arch/arm/Kconfig > @@ -8,6 +8,7 @@ config ARM > select ARCH_HAVE_CUSTOM_GPIO_H > select ARCH_HAS_GCOV_PROFILE_ALL > select ARCH_HAS_HARDENED_MAPPINGS if MMU && !XIP_KERNEL > + select ARCH_HAS_HARDENED_MODULE_MAPPINGS if MMU > select ARCH_MIGHT_HAVE_PC_PARPORT > select ARCH_SUPPORTS_ATOMIC_RMW > select ARCH_USE_BUILTIN_BSWAP > diff --git a/arch/arm/Kconfig.debug b/arch/arm/Kconfig.debug > index d83f7c3..426d271 100644 > --- a/arch/arm/Kconfig.debug > +++ b/arch/arm/Kconfig.debug > @@ -1738,17 +1738,6 @@ config PID_IN_CONTEXTIDR > additional instructions during context switch. Say Y here only if you > are planning to use hardware trace tools with this kernel. > > -config DEBUG_SET_MODULE_RONX > - bool "Set loadable kernel module data as NX and text as RO" > - depends on MODULES && MMU > - ---help--- > - This option helps catch unintended modifications to loadable > - kernel module's text and read-only data. It also prevents execution > - of module data. Such protection may interfere with run-time code > - patching and dynamic kernel tracing - and they might also protect > - against certain classes of kernel exploits. > - If in doubt, say "N". > - > source "drivers/hwtracing/coresight/Kconfig" > > endmenu [...] > --- a/arch/arm64/Kconfig > +++ b/arch/arm64/Kconfig > @@ -12,6 +12,7 @@ config ARM64 > select ARCH_HAS_GCOV_PROFILE_ALL > select ARCH_HAS_GIGANTIC_PAGE > select ARCH_HAS_HARDENED_MAPPINGS > + select ARCH_HAS_HARDENED_MODULE_MAPPINGS > select ARCH_HAS_KCOV > select ARCH_HAS_SG_CHAIN > select ARCH_HAS_TICK_BROADCAST if GENERIC_CLOCKEVENTS_BROADCAST > diff --git a/arch/arm64/Kconfig.debug b/arch/arm64/Kconfig.debug > index a26d27f..1eebe1f 100644 > --- a/arch/arm64/Kconfig.debug > +++ b/arch/arm64/Kconfig.debug > @@ -71,17 +71,6 @@ config DEBUG_WX > > If in doubt, say "Y". > > -config DEBUG_SET_MODULE_RONX > - bool "Set loadable kernel module data as NX and text as RO" > - depends on MODULES > - default y > - help > - Is this is set, kernel module text and rodata will be made read-only. > - This is to help catch accidental or malicious attempts to change the > - kernel's executable code. > - > - If in doubt, say Y. > - > config DEBUG_ALIGN_RODATA > depends on ARCH_HAS_HARDENED_MAPPINGS > bool "Align linker sections up to SECTION_SIZE" [...] > --- a/arch/s390/Kconfig > +++ b/arch/s390/Kconfig > @@ -69,6 +69,7 @@ config S390 > select ARCH_HAS_GCOV_PROFILE_ALL > select ARCH_HAS_GIGANTIC_PAGE > select ARCH_HAS_HARDENED_MAPPINGS > + select ARCH_HAS_HARDENED_MODULE_MAPPINGS > select ARCH_HAS_KCOV > select ARCH_HAS_SG_CHAIN > select ARCH_HAS_UBSAN_SANITIZE_ALL > diff --git a/arch/s390/Kconfig.debug b/arch/s390/Kconfig.debug > index 26c5d5be..57f8ea9 100644 > --- a/arch/s390/Kconfig.debug > +++ b/arch/s390/Kconfig.debug > @@ -17,7 +17,4 @@ config S390_PTDUMP > kernel. > If in doubt, say "N" > > -config DEBUG_SET_MODULE_RONX > - def_bool y > - depends on MODULES > endmenu > diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig > index 9d80cd8..38ce850 100644 > --- a/arch/x86/Kconfig > +++ b/arch/x86/Kconfig > @@ -51,6 +51,7 @@ config X86 > select ARCH_HAS_FAST_MULTIPLIER > select ARCH_HAS_GCOV_PROFILE_ALL > select ARCH_HAS_HARDENED_MAPPINGS > + select ARCH_HAS_HARDENED_MODULE_MAPPINGS > select ARCH_HAS_KCOV if X86_64 > select ARCH_HAS_MMIO_FLUSH > select ARCH_HAS_PMEM_API if X86_64 > diff --git a/arch/x86/Kconfig.debug b/arch/x86/Kconfig.debug > index 67eec55..69cdd0b 100644 > --- a/arch/x86/Kconfig.debug > +++ b/arch/x86/Kconfig.debug > @@ -109,17 +109,6 @@ config DEBUG_WX > > If in doubt, say "Y". > > -config DEBUG_SET_MODULE_RONX > - bool "Set loadable kernel module data as NX and text as RO" > - depends on MODULES > - ---help--- > - This option helps catch unintended modifications to loadable > - kernel module's text and read-only data. It also prevents execution > - of module data. Such protection may interfere with run-time code > - patching and dynamic kernel tracing - and they might also protect > - against certain classes of kernel exploits. > - If in doubt, say "N". > - > config DEBUG_NX_TEST > tristate "Testcase for the NX non-executable stack feature" > depends on DEBUG_KERNEL && m [...] > --- a/security/Kconfig > +++ b/security/Kconfig > @@ -174,6 +174,22 @@ config HARDENED_PAGE_MAPPINGS > Unless your system has known restrictions or performance issues, it > is recommended to say Y here. > > +config ARCH_HAS_HARDENED_MODULE_MAPPINGS > + def_bool n > + > +config HARDENED_MODULE_MAPPINGS > + bool "Mark module mappings with stricter permissions (RO/W^X)" > + default y > + depends on ARCH_HAS_HARDENED_MODULE_MAPPINGS It would seem that this ends up losing the previous dependency on MODULES - is that intentional? Robin. > + help > + If this is set, module text and rodata memory will be made read-only, > + and non-text memory will be made non-executable. This provides > + protection against certain security vulnerabilities (e.g. modifying > + code) > + > + Unless your system has known restrictions or performance issues, it > + is recommended to say Y here. > + > source security/selinux/Kconfig > source security/smack/Kconfig > source security/tomoyo/Kconfig > -- To unsubscribe from this list: send the line "unsubscribe linux-doc" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
