It doesn't make sense to have HARDENED_USERCOPY when either /dev/kmem is enabled or /dev/mem can be used to read kernel memory.
v2: add !MMU depend as well Signed-off-by: Tycho Andersen <ty...@docker.com> CC: Kees Cook <keesc...@chromium.org> CC: "Serge E. Hallyn" <se...@hallyn.com> CC: James Morris <james.l.mor...@oracle.com> --- security/Kconfig | 2 ++ 1 file changed, 2 insertions(+) diff --git a/security/Kconfig b/security/Kconfig index 3ff1bf9..aeabd40 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -142,6 +142,8 @@ config HARDENED_USERCOPY bool "Harden memory copies between kernel and userspace" depends on HAVE_ARCH_HARDENED_USERCOPY depends on HAVE_HARDENED_USERCOPY_ALLOCATOR + depends on !DEVKMEM + depends on !ARCH_HAS_DEVMEM_IS_ALLOWED || STRICT_DEVMEM || !MMU select BUG help This option checks for obviously wrong memory regions when -- 2.7.4
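Review bot: The second added line, `depends on !ARCH_HAS_DEVMEM_IS_ALLOWED || STRICT_DEVMEM || !MMU`, still allows HARDENED_USERCOPY when ARCH_HAS_DEVMEM_IS_ALLOWED is unset or when MMU is unset, and nothing in the expression shows that /dev/mem is restricted in either case. That does not match the stated rationale that the option makes no sense when /dev/mem can be used to read kernel memory. The changelog says only "v2: add !MMU depend as well" and gives no reason. Please add a Kconfig comment above that line, or a sentence in the commit message, saying why those two cases are exempt. Separately, because both new lines are `depends on`, a config that sets DEVKMEM=y, or that leaves STRICT_DEVMEM off on an architecture with ARCH_HAS_DEVMEM_IS_ALLOWED and an MMU, will lose HARDENED_USERCOPY without any prompt. The help text should name these dependencies so someone who finds the option missing knows which settings to change.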