Hi,
On Wed, Jan 18, 2017 at 05:29:06PM -0800, Laura Abbott wrote:
>
> Despite the word 'debug' in CONFIG_DEBUG_SET_MODULE_RONX, this kernel
> option provides key security features that are to be expected on a
> modern system. Change the name to CONFIG_HARDENED_MODULE_MAPPINGS which
> more accurately describes what this option is intended to do.
This looks good; my naming comments from the DEBUG_RODATA also apply
here -- the proposed name is fine.
> diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
> index 06fed56..2fe0e98 100644
> --- a/arch/arm64/Kconfig
> +++ b/arch/arm64/Kconfig
> @@ -12,6 +12,7 @@ config ARM64
> select ARCH_HAS_GCOV_PROFILE_ALL
> select ARCH_HAS_GIGANTIC_PAGE
> select ARCH_HAS_HARDENED_MAPPINGS
> + select ARCH_HAS_HARDENED_MODULE_MAPPINGS
> select ARCH_HAS_KCOV
> select ARCH_HAS_SG_CHAIN
> select ARCH_HAS_TICK_BROADCAST if GENERIC_CLOCKEVENTS_BROADCAST
> diff --git a/arch/arm64/Kconfig.debug b/arch/arm64/Kconfig.debug
> index a26d27f..1eebe1f 100644
> --- a/arch/arm64/Kconfig.debug
> +++ b/arch/arm64/Kconfig.debug
> @@ -71,17 +71,6 @@ config DEBUG_WX
>
> If in doubt, say "Y".
>
> -config DEBUG_SET_MODULE_RONX
> - bool "Set loadable kernel module data as NX and text as RO"
> - depends on MODULES
> - default y
> - help
> - Is this is set, kernel module text and rodata will be made read-only.
> - This is to help catch accidental or malicious attempts to change the
> - kernel's executable code.
> -
> - If in doubt, say Y.
> -
> +config ARCH_HAS_HARDENED_MODULE_MAPPINGS
> + def_bool n
> +
> +config HARDENED_MODULE_MAPPINGS
> + bool "Mark module mappings with stricter permissions (RO/W^X)"
> + default y
> + depends on ARCH_HAS_HARDENED_MODULE_MAPPINGS
> + help
> + If this is set, module text and rodata memory will be made read-only,
> + and non-text memory will be made non-executable. This provides
> + protection against certain security vulnerabilities (e.g. modifying
> + code)
> +
> + Unless your system has known restrictions or performance issues, it
> + is recommended to say Y here.
> +
I was hoping that we'd make this mandatory, as we'd already done for
DEBUG_RODATA.
Takahiro-san did a bit of work towards that in commit 39290b389ea2654f
("module: extend 'rodata=off' boot cmdline parameter to module
mappings").
It would be good to know if there's any reason we can't do that.
Otherwise, this looks fine.
Thanks,
Mark.
--
To unsubscribe from this list: send the line "unsubscribe linux-parisc" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
