From: Mel Gorman <mgorman@techsingularity.net>
To: Kees Cook <kees@kernel.org>
Cc: Daniel Micay <danielmicay@gmail.com>,
linux-hardening@vger.kernel.org, linux-kernel@vger.kernel.org,
Mel Gorman <mgorman@techsingularity.net>
Subject: [PATCH 3/3] fortify: Move FORTIFY_SOURCE under 'Kernel hardening options'
Date: Fri, 17 Jan 2025 13:03:37 +0000 [thread overview]
Message-ID: <20250117130337.4716-4-mgorman@techsingularity.net> (raw)
In-Reply-To: <20250117130337.4716-1-mgorman@techsingularity.net>
FORTIFY_SOURCE is a hardening option both at build and runtime. Move
it under 'Kernel hardening options'.
Signed-off-by: Mel Gorman <mgorman@techsingularity.net>
---
security/Kconfig | 9 ---------
security/Kconfig.hardening | 9 +++++++++
2 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/security/Kconfig b/security/Kconfig
index fe7346dc4bc3..bca84f839fbe 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -159,15 +159,6 @@ config LSM_MMAP_MIN_ADDR
this low address space will need the permission specific to the
systems running LSM.
-config FORTIFY_SOURCE
- bool "Harden common str/mem functions against buffer overflows"
- depends on ARCH_HAS_FORTIFY_SOURCE
- # https://github.com/llvm/llvm-project/issues/53645
- depends on !CC_IS_CLANG || !X86_32
- help
- Detect overflows of buffers in common string and memory functions
- where the compiler can determine and validate the buffer sizes.
-
config STATIC_USERMODEHELPER
bool "Force all usermode helper calls through a single binary"
help
diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening
index 537a6431892e..8d005fe154ef 100644
--- a/security/Kconfig.hardening
+++ b/security/Kconfig.hardening
@@ -301,6 +301,15 @@ config HARDENED_USERCOPY_DEFAULT_ON
This has the effect of setting "hardened_usercopy=on" on the kernel
command line. This can be disabled with "hardened_usercopy=off".
+config FORTIFY_SOURCE
+ bool "Harden common str/mem functions against buffer overflows"
+ depends on ARCH_HAS_FORTIFY_SOURCE
+ # https://github.com/llvm/llvm-project/issues/53645
+ depends on !CC_IS_CLANG || !X86_32
+ help
+ Detect overflows of buffers in common string and memory functions
+ where the compiler can determine and validate the buffer sizes.
+
endmenu
menu "Hardening of kernel data structures"
--
2.43.0
next prev parent reply other threads:[~2025-01-17 13:04 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-01-17 13:03 [PATCH 0/3] Allow default HARDENED_USERCOPY to be set at compile time Mel Gorman
2025-01-17 13:03 ` [PATCH 1/3] mm: security: Move hardened usercopy under 'Kernel hardening options' Mel Gorman
2025-01-20 21:10 ` Kees Cook
2025-01-21 9:21 ` Mel Gorman
2025-01-20 21:42 ` Paul Moore
2025-01-17 13:03 ` [PATCH 2/3] mm: security: Allow default HARDENED_USERCOPY to be set at compile time Mel Gorman
2025-01-20 21:21 ` Kees Cook
2025-01-21 12:35 ` Mel Gorman
2025-01-17 13:03 ` Mel Gorman [this message]
2025-01-20 21:25 ` [PATCH 3/3] fortify: Move FORTIFY_SOURCE under 'Kernel hardening options' Kees Cook
2025-01-20 21:08 ` [PATCH 0/3] Allow default HARDENED_USERCOPY to be set at compile time Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250117130337.4716-4-mgorman@techsingularity.net \
--to=mgorman@techsingularity.net \
--cc=danielmicay@gmail.com \
--cc=kees@kernel.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.