summaryrefslogtreecommitdiffstats
path: root/arch/Kconfig
diff options
context:
space:
mode:
authorLaura Abbott <labbott@redhat.com>2017-02-07 01:31:57 +0100
committerKees Cook <keescook@chromium.org>2017-02-07 21:32:52 +0100
commitad21fc4faa2a1f919bac1073b885df9310dbc581 (patch)
tree0e72a0b209f7e84daf6a131bdbc673cd60715037 /arch/Kconfig
parentLinux 4.10-rc2 (diff)
downloadlinux-ad21fc4faa2a1f919bac1073b885df9310dbc581.tar.xz
linux-ad21fc4faa2a1f919bac1073b885df9310dbc581.zip
arch: Move CONFIG_DEBUG_RODATA and CONFIG_SET_MODULE_RONX to be common
There are multiple architectures that support CONFIG_DEBUG_RODATA and CONFIG_SET_MODULE_RONX. These options also now have the ability to be turned off at runtime. Move these to an architecture independent location and make these options def_bool y for almost all of those arches. Signed-off-by: Laura Abbott <labbott@redhat.com> Acked-by: Ingo Molnar <mingo@kernel.org> Acked-by: Heiko Carstens <heiko.carstens@de.ibm.com> Signed-off-by: Kees Cook <keescook@chromium.org>
Diffstat (limited to 'arch/Kconfig')
-rw-r--r--arch/Kconfig34
1 files changed, 34 insertions, 0 deletions
diff --git a/arch/Kconfig b/arch/Kconfig
index 99839c23d453..3f8b8be3036f 100644
--- a/arch/Kconfig
+++ b/arch/Kconfig
@@ -781,4 +781,38 @@ config VMAP_STACK
the stack to map directly to the KASAN shadow map using a formula
that is incorrect if the stack is in vmalloc space.
+config ARCH_OPTIONAL_KERNEL_RWX
+ def_bool n
+
+config ARCH_OPTIONAL_KERNEL_RWX_DEFAULT
+ def_bool n
+
+config ARCH_HAS_STRICT_KERNEL_RWX
+ def_bool n
+
+config DEBUG_RODATA
+ bool "Make kernel text and rodata read-only" if ARCH_OPTIONAL_KERNEL_RWX
+ depends on ARCH_HAS_STRICT_KERNEL_RWX
+ default !ARCH_OPTIONAL_KERNEL_RWX || ARCH_OPTIONAL_KERNEL_RWX_DEFAULT
+ help
+ If this is set, kernel text and rodata memory will be made read-only,
+ and non-text memory will be made non-executable. This provides
+ protection against certain security exploits (e.g. executing the heap
+ or modifying text)
+
+ These features are considered standard security practice these days.
+ You should say Y here in almost all cases.
+
+config ARCH_HAS_STRICT_MODULE_RWX
+ def_bool n
+
+config DEBUG_SET_MODULE_RONX
+ bool "Set loadable kernel module data as NX and text as RO" if ARCH_OPTIONAL_KERNEL_RWX
+ depends on ARCH_HAS_STRICT_MODULE_RWX && MODULES
+ default !ARCH_OPTIONAL_KERNEL_RWX || ARCH_OPTIONAL_KERNEL_RWX_DEFAULT
+ help
+ If this is set, module text and rodata memory will be made read-only,
+ and non-text memory will be made non-executable. This provides
+ protection against certain security exploits (e.g. writing to text)
+
source "kernel/gcov/Kconfig"