From: Mark Rutland <mark.rutland@arm.com>
To: Laura Abbott <labbott@redhat.com>
Cc: Kees Cook <keescook@chromium.org>,
Jason Wessel <jason.wessel@windriver.com>,
Jonathan Corbet <corbet@lwn.net>,
Russell King <linux@armlinux.org.uk>,
Catalin Marinas <catalin.marinas@arm.com>,
Will Deacon <will.deacon@arm.com>,
"James E.J. Bottomley" <jejb@parisc-linux.org>,
Helge Deller <deller@gmx.de>,
Martin Schwidefsky <schwidefsky@de.ibm.com>,
Heiko Carstens <heiko.carstens@de.ibm.com>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, "H. Peter Anvin" <hpa@zytor.com>,
x86@kernel.org, Rob Herring <robh@kernel.org>,
"Rafael J. Wysocki" <rjw@rjwysocki.net>,
Len Brown <len.brown@intel.com>, Pavel Machek <pavel@ucw.cz>,
Jessica Yu <jeyu@redhat.com>,
linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-arm-kernel@lists.infradead.org,
linux-parisc@vger.kernel.org, linux-s390@vger.kernel.org,
linux-pm@vger.kernel.org, kernel-hardening@lists.openwall.com,
"AKASHI, Takahiro" <takahiro.akashi@linaro.org>
Subject: Re: [PATCH 2/2] security: Change name of CONFIG_DEBUG_SET_MODULE_RONX
Date: Thu, 19 Jan 2017 11:11:18 +0000
Message-ID: <20170119111117.GB11176@leverpostej>
In-Reply-To: <1484789346-21012-3-git-send-email-labbott@redhat.com>
Hi,
On Wed, Jan 18, 2017 at 05:29:06PM -0800, Laura Abbott wrote:
>
> Despite the word 'debug' in CONFIG_DEBUG_SET_MODULE_RONX, this kernel
> option provides key security features that are to be expected on a
> modern system. Change the name to CONFIG_HARDENED_MODULE_MAPPINGS which
> more accurately describes what this option is intended to do.
This looks good; my naming comments from the DEBUG_RODATA also apply
here -- the proposed name is fine.
> diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
> index 06fed56..2fe0e98 100644
> --- a/arch/arm64/Kconfig
> +++ b/arch/arm64/Kconfig
> @@ -12,6 +12,7 @@ config ARM64
> select ARCH_HAS_GCOV_PROFILE_ALL
> select ARCH_HAS_GIGANTIC_PAGE
> select ARCH_HAS_HARDENED_MAPPINGS
> + select ARCH_HAS_HARDENED_MODULE_MAPPINGS
> select ARCH_HAS_KCOV
> select ARCH_HAS_SG_CHAIN
> select ARCH_HAS_TICK_BROADCAST if GENERIC_CLOCKEVENTS_BROADCAST
> diff --git a/arch/arm64/Kconfig.debug b/arch/arm64/Kconfig.debug
> index a26d27f..1eebe1f 100644
> --- a/arch/arm64/Kconfig.debug
> +++ b/arch/arm64/Kconfig.debug
> @@ -71,17 +71,6 @@ config DEBUG_WX
>
> If in doubt, say "Y".
>
> -config DEBUG_SET_MODULE_RONX
> - bool "Set loadable kernel module data as NX and text as RO"
> - depends on MODULES
> - default y
> - help
> - Is this is set, kernel module text and rodata will be made read-only.
> - This is to help catch accidental or malicious attempts to change the
> - kernel's executable code.
> -
> - If in doubt, say Y.
> -
> +config ARCH_HAS_HARDENED_MODULE_MAPPINGS
> + def_bool n
> +
> +config HARDENED_MODULE_MAPPINGS
> + bool "Mark module mappings with stricter permissions (RO/W^X)"
> + default y
> + depends on ARCH_HAS_HARDENED_MODULE_MAPPINGS
> + help
> + If this is set, module text and rodata memory will be made read-only,
> + and non-text memory will be made non-executable. This provides
> + protection against certain security vulnerabilities (e.g. modifying
> + code)
> +
> + Unless your system has known restrictions or performance issues, it
> + is recommended to say Y here.
> +
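Review bot: the new help text ends without a full stop ("... (e.g. modifying code)") and both new entries (ARCH_HAS_HARDENED_MODULE_MAPPINGS with def_bool n, and HARDENED_MODULE_MAPPINGS itself) are still being added to arch/arm64/Kconfig.debug, which sits oddly with a rename whose whole point is to drop the "debug" connotation; if the symbol is meant to be selected by other architectures, it belongs in an arch-independent Kconfig rather than the arm64 debug one. Suggest adding the missing period and relocating the two entries. The removal half is fine, and it also drops the old "Is this is set" typo.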
I was hoping that we'd make this mandatory, as we'd already done for
DEBUG_RODATA.
Takahiro-san did a bit of work towards that in commit 39290b389ea2654f
("module: extend 'rodata=off' boot cmdline parameter to module
mappings").
It would be good to know if there's any reason we can't do that.
Otherwise, this looks fine.
Thanks,
Mark.