From: Laura Abbott <lauraa@codeaurora.org>
To: linux-arm-kernel@lists.infradead.org,
Russell King <linux@arm.linux.org.uk>
Cc: Will Deacon <will.deacon@arm.com>,
Catalin Marinas <catalin.marinas@arm.com>,
Nicoas Pitre <nicolas.pitre@linaro.org>,
linux-arm-msm@vger.kernel.org,
Laura Abbott <lauraa@codeaurora.org>
Subject: [RFC 3/3] arm: add DEBUG_SET_MODULE_RONX option to Kconfig
Date: Wed, 12 Jun 2013 10:23:30 -0700 [thread overview]
Message-ID: <1371057810-3189-4-git-send-email-lauraa@codeaurora.org> (raw)
In-Reply-To: <1371057810-3189-1-git-send-email-lauraa@codeaurora.org>
Now that all the page setting infrastructure is in place,
Add the DEBUG_SET_MODULE_RONX to the ARM debugging Kconfig.
When turned on, data sections for modules will be marked as NX
and read only sections will be marked as such.
Signed-off-by: Laura Abbott <lauraa@codeaurora.org>
---
arch/arm/Kconfig.debug | 11 +++++++++++
1 files changed, 11 insertions(+), 0 deletions(-)
diff --git a/arch/arm/Kconfig.debug b/arch/arm/Kconfig.debug
index 1d41908..12bca63 100644
--- a/arch/arm/Kconfig.debug
+++ b/arch/arm/Kconfig.debug
@@ -692,4 +692,15 @@ config PID_IN_CONTEXTIDR
additional instructions during context switch. Say Y here only if you
are planning to use hardware trace tools with this kernel.
+config DEBUG_SET_MODULE_RONX
+ bool "Set loadable kernel module data as NX and text as RO"
+ depends on MODULES
+ ---help---
+ This option helps catch unintended modifications to loadable
+ kernel module's text and read-only data. It also prevents execution
+ of module data. Such protection may interfere with run-time code
+ patching and dynamic kernel tracing - and they might also protect
+ against certain classes of kernel exploits.
+ If in doubt, say "N".
+
endmenu
--
The Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum,
hosted by The Linux Foundation
next prev parent reply other threads:[~2013-06-12 17:23 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-06-12 17:23 [RFC 0/3] Allow CONFIG_DEBUG_SET_MODULE_RONX to be used on ARM Laura Abbott
2013-06-12 17:23 ` Laura Abbott
2013-06-12 17:23 ` [RFC 1/3] arm: Add definitions for pte_mkexec/pte_mknexec Laura Abbott
2013-06-12 17:23 ` [RFC 2/3] arm: mm: Define set_memory_* functions for ARM Laura Abbott
2013-06-12 17:32 ` Russell King - ARM Linux
2013-06-12 17:32 ` Russell King - ARM Linux
2013-06-13 16:25 ` Catalin Marinas
2013-06-13 16:25 ` Catalin Marinas
2013-06-18 11:09 ` Will Deacon
2013-06-18 11:09 ` Will Deacon
2013-06-19 1:48 ` Laura Abbott
2013-06-19 1:48 ` Laura Abbott
2013-06-19 13:59 ` Will Deacon
2013-06-19 13:59 ` Will Deacon
2013-10-25 13:08 ` Will Deacon
2013-10-25 13:08 ` Will Deacon
2013-10-27 10:18 ` Russell King - ARM Linux
2013-10-27 10:18 ` Russell King - ARM Linux
2013-06-12 17:23 ` Laura Abbott [this message]
2013-10-24 13:03 ` [RFC 0/3] Allow CONFIG_DEBUG_SET_MODULE_RONX to be used on ARM Russell King - ARM Linux
2013-10-24 13:03 ` Russell King - ARM Linux
2013-10-27 10:34 ` Russell King - ARM Linux
2013-10-27 10:34 ` Russell King - ARM Linux
2013-10-27 11:57 ` Russell King - ARM Linux
2013-10-27 11:57 ` Russell King - ARM Linux
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1371057810-3189-4-git-send-email-lauraa@codeaurora.org \
--to=lauraa@codeaurora.org \
--cc=catalin.marinas@arm.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-arm-msm@vger.kernel.org \
--cc=linux@arm.linux.org.uk \
--cc=nicolas.pitre@linaro.org \
--cc=will.deacon@arm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.