diff options
| author | Laura Abbott | 2017-02-07 01:31:57 +0100 |
|---|---|---|
| committer | Kees Cook | 2017-02-07 21:32:52 +0100 |
| commit | ad21fc4faa2a1f919bac1073b885df9310dbc581 (patch) | |
| tree | 0e72a0b209f7e84daf6a131bdbc673cd60715037 /arch/Kconfig | |
| parent | Linux 4.10-rc2 (diff) | |
| download | kernel-qcow2-linux-ad21fc4faa2a1f919bac1073b885df9310dbc581.tar.gz kernel-qcow2-linux-ad21fc4faa2a1f919bac1073b885df9310dbc581.tar.xz kernel-qcow2-linux-ad21fc4faa2a1f919bac1073b885df9310dbc581.zip | |
arch: Move CONFIG_DEBUG_RODATA and CONFIG_SET_MODULE_RONX to be common
There are multiple architectures that support CONFIG_DEBUG_RODATA and
CONFIG_SET_MODULE_RONX. These options also now have the ability to be
turned off at runtime. Move these to an architecture independent
location and make these options def_bool y for almost all of those
arches.
Signed-off-by: Laura Abbott <labbott@redhat.com>
Acked-by: Ingo Molnar <mingo@kernel.org>
Acked-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Diffstat (limited to 'arch/Kconfig')
| -rw-r--r-- | arch/Kconfig | 34 |
1 files changed, 34 insertions, 0 deletions
diff --git a/arch/Kconfig b/arch/Kconfig index 99839c23d453..3f8b8be3036f 100644 --- a/arch/Kconfig +++ b/arch/Kconfig @@ -781,4 +781,38 @@ config VMAP_STACK the stack to map directly to the KASAN shadow map using a formula that is incorrect if the stack is in vmalloc space. +config ARCH_OPTIONAL_KERNEL_RWX + def_bool n + +config ARCH_OPTIONAL_KERNEL_RWX_DEFAULT + def_bool n + +config ARCH_HAS_STRICT_KERNEL_RWX + def_bool n + +config DEBUG_RODATA + bool "Make kernel text and rodata read-only" if ARCH_OPTIONAL_KERNEL_RWX + depends on ARCH_HAS_STRICT_KERNEL_RWX + default !ARCH_OPTIONAL_KERNEL_RWX || ARCH_OPTIONAL_KERNEL_RWX_DEFAULT + help + If this is set, kernel text and rodata memory will be made read-only, + and non-text memory will be made non-executable. This provides + protection against certain security exploits (e.g. executing the heap + or modifying text) + + These features are considered standard security practice these days. + You should say Y here in almost all cases. + +config ARCH_HAS_STRICT_MODULE_RWX + def_bool n + +config DEBUG_SET_MODULE_RONX + bool "Set loadable kernel module data as NX and text as RO" if ARCH_OPTIONAL_KERNEL_RWX + depends on ARCH_HAS_STRICT_MODULE_RWX && MODULES + default !ARCH_OPTIONAL_KERNEL_RWX || ARCH_OPTIONAL_KERNEL_RWX_DEFAULT + help + If this is set, module text and rodata memory will be made read-only, + and non-text memory will be made non-executable. This provides + protection against certain security exploits (e.g. writing to text) + source "kernel/gcov/Kconfig" |