From: tycho@docker.com (Tycho Andersen)
To: linux-security-module@vger.kernel.org
Subject: [PATCH] security/Kconfig: further restrict HARDENED_USERCOPY
Date: Thu, 9 Mar 2017 09:29:21 -0800 [thread overview]
Message-ID: <1489080561-30786-1-git-send-email-tycho@docker.com> (raw)
It doesn't make sense to have HARDENED_USERCOPY when either /dev/kmem is
enabled or /dev/mem can be used to read kernel memory.
v2: add !MMU depend as well
Signed-off-by: Tycho Andersen <tycho@docker.com>
CC: Kees Cook <keescook@chromium.org>
CC: "Serge E. Hallyn" <serge@hallyn.com>
CC: James Morris <james.l.morris@oracle.com>
---
security/Kconfig | 2 ++
1 file changed, 2 insertions(+)
diff --git a/security/Kconfig b/security/Kconfig
index 3ff1bf9..aeabd40 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -142,6 +142,8 @@ config HARDENED_USERCOPY
bool "Harden memory copies between kernel and userspace"
depends on HAVE_ARCH_HARDENED_USERCOPY
depends on HAVE_HARDENED_USERCOPY_ALLOCATOR
+ depends on !DEVKMEM
+ depends on !ARCH_HAS_DEVMEM_IS_ALLOWED || STRICT_DEVMEM || !MMU
select BUG
help
This option checks for obviously wrong memory regions when
--
2.7.4
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
WARNING: multiple messages have this Message-ID (diff)
From: Tycho Andersen <tycho@docker.com>
To: Kees Cook <keescook@chromium.org>,
James Morris <james.l.morris@oracle.com>
Cc: linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org, Tycho Andersen <tycho@docker.com>,
"Serge E. Hallyn" <serge@hallyn.com>
Subject: [PATCH] security/Kconfig: further restrict HARDENED_USERCOPY
Date: Thu, 9 Mar 2017 09:29:21 -0800 [thread overview]
Message-ID: <1489080561-30786-1-git-send-email-tycho@docker.com> (raw)
It doesn't make sense to have HARDENED_USERCOPY when either /dev/kmem is
enabled or /dev/mem can be used to read kernel memory.
v2: add !MMU depend as well
Signed-off-by: Tycho Andersen <tycho@docker.com>
CC: Kees Cook <keescook@chromium.org>
CC: "Serge E. Hallyn" <serge@hallyn.com>
CC: James Morris <james.l.morris@oracle.com>
---
security/Kconfig | 2 ++
1 file changed, 2 insertions(+)
diff --git a/security/Kconfig b/security/Kconfig
index 3ff1bf9..aeabd40 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -142,6 +142,8 @@ config HARDENED_USERCOPY
bool "Harden memory copies between kernel and userspace"
depends on HAVE_ARCH_HARDENED_USERCOPY
depends on HAVE_HARDENED_USERCOPY_ALLOCATOR
+ depends on !DEVKMEM
+ depends on !ARCH_HAS_DEVMEM_IS_ALLOWED || STRICT_DEVMEM || !MMU
select BUG
help
This option checks for obviously wrong memory regions when
--
2.7.4
next reply other threads:[~2017-03-09 17:29 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-03-09 17:29 Tycho Andersen [this message]
2017-03-09 17:29 ` [PATCH] security/Kconfig: further restrict HARDENED_USERCOPY Tycho Andersen
2017-03-09 19:18 ` Kees Cook
2017-03-09 19:18 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1489080561-30786-1-git-send-email-tycho@docker.com \
--to=tycho@docker.com \
--cc=linux-security-module@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.