From mboxrd@z Thu Jan 1 00:00:00 1970
Reply-To: kernel-hardening@lists.openwall.com
Date: Thu, 19 Jan 2017 12:34:06 +0100
From: Heiko Carstens
References: <1484789346-21012-1-git-send-email-labbott@redhat.com> <1484789346-21012-3-git-send-email-labbott@redhat.com> <20170119111117.GB11176@leverpostej>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20170119111117.GB11176@leverpostej>
Message-Id: <20170119113406.GC5110@osiris>
Subject: [kernel-hardening] Re: [PATCH 2/2] security: Change name of CONFIG_DEBUG_SET_MODULE_RONX
To: Mark Rutland
Cc: Laura Abbott, Kees Cook, Jason Wessel, Jonathan Corbet, Russell King, Catalin Marinas, Will Deacon, "James E.J. Bottomley", Helge Deller, Martin Schwidefsky, Thomas Gleixner, Ingo Molnar, "H. Peter Anvin", x86@kernel.org, Rob Herring, "Rafael J. Wysocki", Len Brown, Pavel Machek, Jessica Yu, linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-parisc@vger.kernel.org, linux-s390@vger.kernel.org, linux-pm@vger.kernel.org, kernel-hardening@lists.openwall.com, "AKASHI, Takahiro"
List-ID:

On Thu, Jan 19, 2017 at 11:11:18AM +0000, Mark Rutland wrote:
> > +config HARDENED_MODULE_MAPPINGS
> > +	bool "Mark module mappings with stricter permissions (RO/W^X)"
> > +	default y
> > +	depends on ARCH_HAS_HARDENED_MODULE_MAPPINGS
> > +	help
> > +	  If this is set, module text and rodata memory will be made read-only,
> > +	  and non-text memory will be made non-executable. This provides
> > +	  protection against certain security vulnerabilities (e.g. modifying
> > +	  code)
> > +
> > +	  Unless your system has known restrictions or performance issues, it
> > +	  is recommended to say Y here.
> > +
>
> I was hoping that we'd make this mandatory, as we'd already done for
> DEBUG_RODATA.

Same for s390: would be good to make this mandatory.
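Review bot: the new help text for HARDENED_MODULE_MAPPINGS never mentions the option it replaces, although the patch subject says this is a rename of CONFIG_DEBUG_SET_MODULE_RONX; a sentence such as "This option was previously known as CONFIG_DEBUG_SET_MODULE_RONX" would let people carrying existing configs recognize that it is the same protection under a new name, and the sentence ending in "(e.g. modifying code)" is also missing its closing period. Given that both replies above ask for the protection to be mandatory rather than optional, the `bool` prompt and `default y` in this hunk would then go away in favor of the architecture symbol enabling it unconditionally, so it is worth settling that before the wording is finalized.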