From: Kees Cook <kees@kernel.org>
To: Mel Gorman <mgorman@techsingularity.net>
Cc: Daniel Micay <danielmicay@gmail.com>,
Paul Moore <paul@paul-moore.com>,
linux-hardening@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 2/4] mm: security: Allow default HARDENED_USERCOPY to be set at compile time
Date: Wed, 22 Jan 2025 16:57:37 -0800 [thread overview]
Message-ID: <202501221651.3F5A6ACD@keescook> (raw)
In-Reply-To: <20250122171925.25472-3-mgorman@techsingularity.net>
On Wed, Jan 22, 2025 at 05:19:23PM +0000, Mel Gorman wrote:
> HARDENED_USERCOPY defaults to on if enabled at compile time. Allow
> hardened_usercopy= default to be set at compile time similar to
> init_on_alloc= and init_on_free=. The intent is that hardening
> options that can be disabled at runtime can set their default at
> build time.
>
> Signed-off-by: Mel Gorman <mgorman@techsingularity.net>
> ---
> Documentation/admin-guide/kernel-parameters.txt | 4 +++-
> mm/usercopy.c | 3 ++-
> security/Kconfig.hardening | 8 ++++++++
> 3 files changed, 13 insertions(+), 2 deletions(-)
>
> diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
> index 3872bc6ec49d..5d759b20540a 100644
> --- a/Documentation/admin-guide/kernel-parameters.txt
> +++ b/Documentation/admin-guide/kernel-parameters.txt
> @@ -1773,7 +1773,9 @@
> allocation boundaries as a proactive defense
> against bounds-checking flaws in the kernel's
> copy_to_user()/copy_from_user() interface.
> - on Perform hardened usercopy checks (default).
> + The default is determined by
> + CONFIG_HARDENED_USERCOPY_DEFAULT_ON.
> + on Perform hardened usercopy checks.
> off Disable hardened usercopy checks.
>
> hardlockup_all_cpu_backtrace=
> diff --git a/mm/usercopy.c b/mm/usercopy.c
> index 83c164aba6e0..4cf33305347a 100644
> --- a/mm/usercopy.c
> +++ b/mm/usercopy.c
> @@ -255,7 +255,8 @@ void __check_object_size(const void *ptr, unsigned long n, bool to_user)
> }
> EXPORT_SYMBOL(__check_object_size);
>
> -static bool enable_checks __initdata = true;
> +static bool enable_checks __initdata =
> + IS_ENABLED(CONFIG_HARDENED_USERCOPY_DEFAULT_ON);
>
> static int __init parse_hardened_usercopy(char *str)
> {
> diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening
> index 9088d613d519..adcc260839c7 100644
> --- a/security/Kconfig.hardening
> +++ b/security/Kconfig.hardening
> @@ -293,6 +293,14 @@ config HARDENED_USERCOPY
> or are part of the kernel text. This prevents entire classes
> of heap overflow exploits and similar kernel memory exposures.
>
> +config HARDENED_USERCOPY_DEFAULT_ON
> + bool "Harden memory copies by default"
> + depends on HARDENED_USERCOPY
> + default n
This must be "default HARDENED_USERCOPY" or existing distro builds will
break. All major distros enable this by default, and I don't want to
risk HARDENED_USERCOPY_DEFAULT_ON getting missed and getting globally
disabled.
> + help
> + This has the effect of setting "hardened_usercopy=on" on the kernel
> + command line. This can be disabled with "hardened_usercopy=off".
> +
> endmenu
>
> menu "Hardening of kernel data structures"
-Kees
--
Kees Cook
next prev parent reply other threads:[~2025-01-23 0:57 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-01-22 17:19 [PATCH v2 0/4] Allow default HARDENED_USERCOPY to be set at compile time Mel Gorman
2025-01-22 17:19 ` [PATCH 1/4] mm: security: Move hardened usercopy under 'Kernel hardening options' Mel Gorman
2025-01-22 17:19 ` [PATCH 2/4] mm: security: Allow default HARDENED_USERCOPY to be set at compile time Mel Gorman
2025-01-23 0:57 ` Kees Cook [this message]
2025-01-23 11:37 ` Mel Gorman
2025-01-23 21:10 ` David Laight
2025-01-22 17:19 ` [PATCH 3/4] mm: security: Check early if HARDENED_USERCOPY is enabled Mel Gorman
2025-01-23 1:01 ` Kees Cook
2025-01-23 11:47 ` Mel Gorman
2025-01-22 17:19 ` [PATCH 4/4] fortify: Move FORTIFY_SOURCE under 'Kernel hardening options' Mel Gorman
2025-01-22 21:42 ` Paul Moore
2025-01-23 1:02 ` [PATCH v2 0/4] Allow default HARDENED_USERCOPY to be set at compile time Kees Cook
2025-01-23 11:49 ` Mel Gorman
-- strict thread matches above, loose matches on Subject: below --
2025-01-23 22:11 [PATCH v3 " Mel Gorman
2025-01-23 22:11 ` [PATCH 2/4] mm: security: " Mel Gorman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202501221651.3F5A6ACD@keescook \
--to=kees@kernel.org \
--cc=danielmicay@gmail.com \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mgorman@techsingularity.net \
--cc=paul@paul-moore.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox