| Field | Value |
|---|---|
| Message ID | 20250117130337.4716-4-mgorman@techsingularity.net |
| State | Superseded |
| Series | Allow default HARDENED_USERCOPY to be set at compile time |
On Fri, Jan 17, 2025 at 01:03:37PM +0000, Mel Gorman wrote: > FORTIFY_SOURCE is a hardening option both at build and runtime. Move > it under 'Kernel hardening options'. > > Signed-off-by: Mel Gorman <mgorman@techsingularity.net> > --- > security/Kconfig | 9 --------- > security/Kconfig.hardening | 9 +++++++++ > 2 files changed, 9 insertions(+), 9 deletions(-) > > diff --git a/security/Kconfig b/security/Kconfig > index fe7346dc4bc3..bca84f839fbe 100644 > --- a/security/Kconfig > +++ b/security/Kconfig > @@ -159,15 +159,6 @@ config LSM_MMAP_MIN_ADDR > this low address space will need the permission specific to the > systems running LSM. > > -config FORTIFY_SOURCE > - bool "Harden common str/mem functions against buffer overflows" > - depends on ARCH_HAS_FORTIFY_SOURCE > - # https://github.com/llvm/llvm-project/issues/53645 > - depends on !CC_IS_CLANG || !X86_32 > - help > - Detect overflows of buffers in common string and memory functions > - where the compiler can determine and validate the buffer sizes. > - > config STATIC_USERMODEHELPER > bool "Force all usermode helper calls through a single binary" > help > diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening > index 537a6431892e..8d005fe154ef 100644 > --- a/security/Kconfig.hardening > +++ b/security/Kconfig.hardening 
> @@ -301,6 +301,15 @@ config HARDENED_USERCOPY_DEFAULT_ON > This has the effect of setting "hardened_usercopy=on" on the kernel > command line. This can be disabled with "hardened_usercopy=off". > > +config FORTIFY_SOURCE > + bool "Harden common str/mem functions against buffer overflows" > + depends on ARCH_HAS_FORTIFY_SOURCE > + # https://github.com/llvm/llvm-project/issues/53645 > + depends on !CC_IS_CLANG || !X86_32 > + help > + Detect overflows of buffers in common string and memory functions > + where the compiler can determine and validate the buffer sizes. > + > endmenu Please move this before HARDENED_USERCOPY -- it's a more general config and also comes first alphabetically. ;) I would note that the LLVM bug referenced was fixed in Clang 15+; a separate patch (not required by you) should fix that if the tests actually pass on x86_32 again... > > menu "Hardening of kernel data structures" > -- > 2.43.0 > -Kees
diff --git a/security/Kconfig b/security/Kconfig index fe7346dc4bc3..bca84f839fbe 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -159,15 +159,6 @@ config LSM_MMAP_MIN_ADDR this low address space will need the permission specific to the systems running LSM. -config FORTIFY_SOURCE - bool "Harden common str/mem functions against buffer overflows" - depends on ARCH_HAS_FORTIFY_SOURCE - # https://github.com/llvm/llvm-project/issues/53645 - depends on !CC_IS_CLANG || !X86_32 - help - Detect overflows of buffers in common string and memory functions - where the compiler can determine and validate the buffer sizes. - config STATIC_USERMODEHELPER bool "Force all usermode helper calls through a single binary" help diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening index 537a6431892e..8d005fe154ef 100644 --- a/security/Kconfig.hardening +++ b/security/Kconfig.hardening @@ -301,6 +301,15 @@ config HARDENED_USERCOPY_DEFAULT_ON This has the effect of setting "hardened_usercopy=on" on the kernel command line. This can be disabled with "hardened_usercopy=off". +config FORTIFY_SOURCE + bool "Harden common str/mem functions against buffer overflows" + depends on ARCH_HAS_FORTIFY_SOURCE + # https://github.com/llvm/llvm-project/issues/53645 + depends on !CC_IS_CLANG || !X86_32 + help + Detect overflows of buffers in common string and memory functions + where the compiler can determine and validate the buffer sizes. + endmenu menu "Hardening of kernel data structures"
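Review bot: In the security/Kconfig hunk (@@ -159,15 +159,6 @@) the block is deleted verbatim, including the `# https://github.com/llvm/llvm-project/issues/53645` comment and `depends on !CC_IS_CLANG || !X86_32`, so the symbol's name and dependencies do not change; it would help reviewers and distro maintainers if the commit message said so explicitly, because it means existing .config files with CONFIG_FORTIFY_SOURCE=y carry over unchanged through olddefconfig. The one thing to confirm is that security/Kconfig still sources Kconfig.hardening from inside the same top-level security menu, otherwise the option silently moves out of where users expect to find it in menuconfig.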
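Review bot: In the security/Kconfig.hardening hunk (@@ -301,6 +301,15 @@) the block is inserted directly after HARDENED_USERCOPY_DEFAULT_ON, whose help text ("hardened_usercopy=on" on the kernel command line) is specific to usercopy, so FORTIFY_SOURCE now reads like a usercopy sub-option; placing it before HARDENED_USERCOPY, as the reply suggests, keeps the more general option first and preserves alphabetical order in the menu. The carried-over `depends on !CC_IS_CLANG || !X86_32` line and its LLVM issue comment are copied unchanged, which is right for a patch whose commit message describes a pure move; relaxing that Clang workaround belongs in a separate patch with its own test results on x86_32.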
FORTIFY_SOURCE is a hardening option both at build and runtime. Move it under 'Kernel hardening options'.

Signed-off-by: Mel Gorman <mgorman@techsingularity.net>
---
 security/Kconfig           | 9 ---------
 security/Kconfig.hardening | 9 +++++++++
 2 files changed, 9 insertions(+), 9 deletions(-)