Message ID | 1484789346-21012-3-git-send-email-labbott@redhat.com (mailing list archive) |
---|---|
State | Not Applicable, archived |
Headers | show |
Hi, On Wed, Jan 18, 2017 at 05:29:06PM -0800, Laura Abbott wrote: > > Despite the word 'debug' in CONFIG_DEBUG_SET_MODULE_RONX, this kernel > option provides key security features that are to be expected on a > modern system. Change the name to CONFIG_HARDENED_MODULE_MAPPINGS which > more accurately describes what this option is intended to do. This looks good; my naming comments from the DEBUG_RODATA also apply here -- the proposed name is fine. > diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig > index 06fed56..2fe0e98 100644 > --- a/arch/arm64/Kconfig > +++ b/arch/arm64/Kconfig > @@ -12,6 +12,7 @@ config ARM64 > select ARCH_HAS_GCOV_PROFILE_ALL > select ARCH_HAS_GIGANTIC_PAGE > select ARCH_HAS_HARDENED_MAPPINGS > + select ARCH_HAS_HARDENED_MODULE_MAPPINGS > select ARCH_HAS_KCOV > select ARCH_HAS_SG_CHAIN > select ARCH_HAS_TICK_BROADCAST if GENERIC_CLOCKEVENTS_BROADCAST > diff --git a/arch/arm64/Kconfig.debug b/arch/arm64/Kconfig.debug > index a26d27f..1eebe1f 100644 > --- a/arch/arm64/Kconfig.debug > +++ b/arch/arm64/Kconfig.debug > @@ -71,17 +71,6 @@ config DEBUG_WX > > If in doubt, say "Y". > > -config DEBUG_SET_MODULE_RONX > - bool "Set loadable kernel module data as NX and text as RO" > - depends on MODULES > - default y > - help > - Is this is set, kernel module text and rodata will be made read-only. > - This is to help catch accidental or malicious attempts to change the > - kernel's executable code. > - > - If in doubt, say Y. > - > +config ARCH_HAS_HARDENED_MODULE_MAPPINGS > + def_bool n > + > +config HARDENED_MODULE_MAPPINGS > + bool "Mark module mappings with stricter permissions (RO/W^X)" > + default y > + depends on ARCH_HAS_HARDENED_MODULE_MAPPINGS > + help > + If this is set, module text and rodata memory will be made read-only, > + and non-text memory will be made non-executable. This provides > + protection against certain security vulnerabilities (e.g. modifying > + code) > + > + Unless your system has known restrictions or performance issues, it > + is recommended to say Y here. > + I was hoping that we'd make this mandatory, as we'd already done for DEBUG_RODATA. Takahiro-san did a bit of work towards that in commit 39290b389ea2654f ("module: extend 'rodata=off' boot cmdline parameter to module mappings"). It would be good to know if there's any reason we can't do that. Otherwise, this looks fine. Thanks, Mark. -- To unsubscribe from this list: send the line "unsubscribe linux-pm" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Thu, Jan 19, 2017 at 11:11:18AM +0000, Mark Rutland wrote: > > +config HARDENED_MODULE_MAPPINGS > > + bool "Mark module mappings with stricter permissions (RO/W^X)" > > + default y > > + depends on ARCH_HAS_HARDENED_MODULE_MAPPINGS > > + help > > + If this is set, module text and rodata memory will be made read-only, > > + and non-text memory will be made non-executable. This provides > > + protection against certain security vulnerabilities (e.g. modifying > > + code) > > + > > + Unless your system has known restrictions or performance issues, it > > + is recommended to say Y here. > > + > > I was hoping that we'd make this mandatory, as we'd already done for > DEBUG_RODATA. Same for s390: would be good to make this mandatory. -- To unsubscribe from this list: send the line "unsubscribe linux-pm" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Hi Laura, On 19/01/17 01:29, Laura Abbott wrote: > > Despite the word 'debug' in CONFIG_DEBUG_SET_MODULE_RONX, this kernel > option provides key security features that are to be expected on a > modern system. Change the name to CONFIG_HARDENED_MODULE_MAPPINGS which > more accurately describes what this option is intended to do. > > Signed-off-by: Laura Abbott <labbott@redhat.com> > --- [...] > diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig > index 09aff28..ef852e4 100644 > --- a/arch/arm/Kconfig > +++ b/arch/arm/Kconfig > @@ -8,6 +8,7 @@ config ARM > select ARCH_HAVE_CUSTOM_GPIO_H > select ARCH_HAS_GCOV_PROFILE_ALL > select ARCH_HAS_HARDENED_MAPPINGS if MMU && !XIP_KERNEL > + select ARCH_HAS_HARDENED_MODULE_MAPPINGS if MMU > select ARCH_MIGHT_HAVE_PC_PARPORT > select ARCH_SUPPORTS_ATOMIC_RMW > select ARCH_USE_BUILTIN_BSWAP > diff --git a/arch/arm/Kconfig.debug b/arch/arm/Kconfig.debug > index d83f7c3..426d271 100644 > --- a/arch/arm/Kconfig.debug > +++ b/arch/arm/Kconfig.debug > @@ -1738,17 +1738,6 @@ config PID_IN_CONTEXTIDR > additional instructions during context switch. Say Y here only if you > are planning to use hardware trace tools with this kernel. > > -config DEBUG_SET_MODULE_RONX > - bool "Set loadable kernel module data as NX and text as RO" > - depends on MODULES && MMU > - ---help--- > - This option helps catch unintended modifications to loadable > - kernel module's text and read-only data. It also prevents execution > - of module data. Such protection may interfere with run-time code > - patching and dynamic kernel tracing - and they might also protect > - against certain classes of kernel exploits. > - If in doubt, say "N". > - > source "drivers/hwtracing/coresight/Kconfig" > > endmenu [...] > --- a/arch/arm64/Kconfig > +++ b/arch/arm64/Kconfig > @@ -12,6 +12,7 @@ config ARM64 > select ARCH_HAS_GCOV_PROFILE_ALL > select ARCH_HAS_GIGANTIC_PAGE > select ARCH_HAS_HARDENED_MAPPINGS > + select ARCH_HAS_HARDENED_MODULE_MAPPINGS > select ARCH_HAS_KCOV > select ARCH_HAS_SG_CHAIN > select ARCH_HAS_TICK_BROADCAST if GENERIC_CLOCKEVENTS_BROADCAST > diff --git a/arch/arm64/Kconfig.debug b/arch/arm64/Kconfig.debug > index a26d27f..1eebe1f 100644 > --- a/arch/arm64/Kconfig.debug > +++ b/arch/arm64/Kconfig.debug > @@ -71,17 +71,6 @@ config DEBUG_WX > > If in doubt, say "Y". > > -config DEBUG_SET_MODULE_RONX > - bool "Set loadable kernel module data as NX and text as RO" > - depends on MODULES > - default y > - help > - Is this is set, kernel module text and rodata will be made read-only. > - This is to help catch accidental or malicious attempts to change the > - kernel's executable code. > - > - If in doubt, say Y. > - > config DEBUG_ALIGN_RODATA > depends on ARCH_HAS_HARDENED_MAPPINGS > bool "Align linker sections up to SECTION_SIZE" [...] > --- a/arch/s390/Kconfig > +++ b/arch/s390/Kconfig > @@ -69,6 +69,7 @@ config S390 > select ARCH_HAS_GCOV_PROFILE_ALL > select ARCH_HAS_GIGANTIC_PAGE > select ARCH_HAS_HARDENED_MAPPINGS > + select ARCH_HAS_HARDENED_MODULE_MAPPINGS > select ARCH_HAS_KCOV > select ARCH_HAS_SG_CHAIN > select ARCH_HAS_UBSAN_SANITIZE_ALL > diff --git a/arch/s390/Kconfig.debug b/arch/s390/Kconfig.debug > index 26c5d5be..57f8ea9 100644 > --- a/arch/s390/Kconfig.debug > +++ b/arch/s390/Kconfig.debug > @@ -17,7 +17,4 @@ config S390_PTDUMP > kernel. > If in doubt, say "N" > > -config DEBUG_SET_MODULE_RONX > - def_bool y > - depends on MODULES > endmenu > diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig > index 9d80cd8..38ce850 100644 > --- a/arch/x86/Kconfig > +++ b/arch/x86/Kconfig > @@ -51,6 +51,7 @@ config X86 > select ARCH_HAS_FAST_MULTIPLIER > select ARCH_HAS_GCOV_PROFILE_ALL > select ARCH_HAS_HARDENED_MAPPINGS > + select ARCH_HAS_HARDENED_MODULE_MAPPINGS > select ARCH_HAS_KCOV if X86_64 > select ARCH_HAS_MMIO_FLUSH > select ARCH_HAS_PMEM_API if X86_64 > diff --git a/arch/x86/Kconfig.debug b/arch/x86/Kconfig.debug > index 67eec55..69cdd0b 100644 > --- a/arch/x86/Kconfig.debug > +++ b/arch/x86/Kconfig.debug > @@ -109,17 +109,6 @@ config DEBUG_WX > > If in doubt, say "Y". > > -config DEBUG_SET_MODULE_RONX > - bool "Set loadable kernel module data as NX and text as RO" > - depends on MODULES > - ---help--- > - This option helps catch unintended modifications to loadable > - kernel module's text and read-only data. It also prevents execution > - of module data. Such protection may interfere with run-time code > - patching and dynamic kernel tracing - and they might also protect > - against certain classes of kernel exploits. > - If in doubt, say "N". > - > config DEBUG_NX_TEST > tristate "Testcase for the NX non-executable stack feature" > depends on DEBUG_KERNEL && m [...] > --- a/security/Kconfig > +++ b/security/Kconfig > @@ -174,6 +174,22 @@ config HARDENED_PAGE_MAPPINGS > Unless your system has known restrictions or performance issues, it > is recommended to say Y here. > > +config ARCH_HAS_HARDENED_MODULE_MAPPINGS > + def_bool n > + > +config HARDENED_MODULE_MAPPINGS > + bool "Mark module mappings with stricter permissions (RO/W^X)" > + default y > + depends on ARCH_HAS_HARDENED_MODULE_MAPPINGS It would seem that this ends up losing the previous dependency on MODULES - is that intentional? Robin. > + help > + If this is set, module text and rodata memory will be made read-only, > + and non-text memory will be made non-executable. This provides > + protection against certain security vulnerabilities (e.g. modifying > + code) > + > + Unless your system has known restrictions or performance issues, it > + is recommended to say Y here. > + > source security/selinux/Kconfig > source security/smack/Kconfig > source security/tomoyo/Kconfig > -- To unsubscribe from this list: send the line "unsubscribe linux-pm" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Hi Laura, [auto build test ERROR on linus/master] [also build test ERROR on v4.10-rc4] [cannot apply to next-20170119] [if your patch is applied to the wrong git tree, please drop us a note to help improve the system] url: https://github.com/0day-ci/linux/commits/Laura-Abbott/Better-hardening-names/20170119-200343 config: i386-randconfig-c0-01201130 (attached as .config) compiler: gcc-4.9 (Debian 4.9.4-2) 4.9.4 reproduce: # save the attached .config to linux build tree make ARCH=i386 All errors (new ones prefixed by >>): arch/x86/built-in.o: In function `ftrace_arch_code_modify_prepare': >> (.text+0x3fcb7): undefined reference to `set_all_modules_text_rw' arch/x86/built-in.o: In function `ftrace_arch_code_modify_post_process': >> (.text+0x3fcc3): undefined reference to `set_all_modules_text_ro' --- 0-DAY kernel test infrastructure Open Source Technology Center https://lists.01.org/pipermail/kbuild-all Intel Corporation
On 01/19/2017 12:43 PM, Robin Murphy wrote: > Hi Laura, > > On 19/01/17 01:29, Laura Abbott wrote: >> >> Despite the word 'debug' in CONFIG_DEBUG_SET_MODULE_RONX, this kernel >> option provides key security features that are to be expected on a >> modern system. Change the name to CONFIG_HARDENED_MODULE_MAPPINGS which >> more accurately describes what this option is intended to do. >> >> Signed-off-by: Laura Abbott <labbott@redhat.com> >> --- > > [...] > >> diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig >> index 09aff28..ef852e4 100644 >> --- a/arch/arm/Kconfig >> +++ b/arch/arm/Kconfig >> @@ -8,6 +8,7 @@ config ARM >> select ARCH_HAVE_CUSTOM_GPIO_H >> select ARCH_HAS_GCOV_PROFILE_ALL >> select ARCH_HAS_HARDENED_MAPPINGS if MMU && !XIP_KERNEL >> + select ARCH_HAS_HARDENED_MODULE_MAPPINGS if MMU >> select ARCH_MIGHT_HAVE_PC_PARPORT >> select ARCH_SUPPORTS_ATOMIC_RMW >> select ARCH_USE_BUILTIN_BSWAP >> diff --git a/arch/arm/Kconfig.debug b/arch/arm/Kconfig.debug >> index d83f7c3..426d271 100644 >> --- a/arch/arm/Kconfig.debug >> +++ b/arch/arm/Kconfig.debug >> @@ -1738,17 +1738,6 @@ config PID_IN_CONTEXTIDR >> additional instructions during context switch. Say Y here only if you >> are planning to use hardware trace tools with this kernel. >> >> -config DEBUG_SET_MODULE_RONX >> - bool "Set loadable kernel module data as NX and text as RO" >> - depends on MODULES && MMU >> - ---help--- >> - This option helps catch unintended modifications to loadable >> - kernel module's text and read-only data. It also prevents execution >> - of module data. Such protection may interfere with run-time code >> - patching and dynamic kernel tracing - and they might also protect >> - against certain classes of kernel exploits. >> - If in doubt, say "N". >> - >> source "drivers/hwtracing/coresight/Kconfig" >> >> endmenu > > [...] > >> --- a/arch/arm64/Kconfig >> +++ b/arch/arm64/Kconfig >> @@ -12,6 +12,7 @@ config ARM64 >> select ARCH_HAS_GCOV_PROFILE_ALL >> select ARCH_HAS_GIGANTIC_PAGE >> select ARCH_HAS_HARDENED_MAPPINGS >> + select ARCH_HAS_HARDENED_MODULE_MAPPINGS >> select ARCH_HAS_KCOV >> select ARCH_HAS_SG_CHAIN >> select ARCH_HAS_TICK_BROADCAST if GENERIC_CLOCKEVENTS_BROADCAST >> diff --git a/arch/arm64/Kconfig.debug b/arch/arm64/Kconfig.debug >> index a26d27f..1eebe1f 100644 >> --- a/arch/arm64/Kconfig.debug >> +++ b/arch/arm64/Kconfig.debug >> @@ -71,17 +71,6 @@ config DEBUG_WX >> >> If in doubt, say "Y". >> >> -config DEBUG_SET_MODULE_RONX >> - bool "Set loadable kernel module data as NX and text as RO" >> - depends on MODULES >> - default y >> - help >> - Is this is set, kernel module text and rodata will be made read-only. >> - This is to help catch accidental or malicious attempts to change the >> - kernel's executable code. >> - >> - If in doubt, say Y. >> - >> config DEBUG_ALIGN_RODATA >> depends on ARCH_HAS_HARDENED_MAPPINGS >> bool "Align linker sections up to SECTION_SIZE" > > [...] > >> --- a/arch/s390/Kconfig >> +++ b/arch/s390/Kconfig >> @@ -69,6 +69,7 @@ config S390 >> select ARCH_HAS_GCOV_PROFILE_ALL >> select ARCH_HAS_GIGANTIC_PAGE >> select ARCH_HAS_HARDENED_MAPPINGS >> + select ARCH_HAS_HARDENED_MODULE_MAPPINGS >> select ARCH_HAS_KCOV >> select ARCH_HAS_SG_CHAIN >> select ARCH_HAS_UBSAN_SANITIZE_ALL >> diff --git a/arch/s390/Kconfig.debug b/arch/s390/Kconfig.debug >> index 26c5d5be..57f8ea9 100644 >> --- a/arch/s390/Kconfig.debug >> +++ b/arch/s390/Kconfig.debug >> @@ -17,7 +17,4 @@ config S390_PTDUMP >> kernel. >> If in doubt, say "N" >> >> -config DEBUG_SET_MODULE_RONX >> - def_bool y >> - depends on MODULES >> endmenu >> diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig >> index 9d80cd8..38ce850 100644 >> --- a/arch/x86/Kconfig >> +++ b/arch/x86/Kconfig >> @@ -51,6 +51,7 @@ config X86 >> select ARCH_HAS_FAST_MULTIPLIER >> select ARCH_HAS_GCOV_PROFILE_ALL >> select ARCH_HAS_HARDENED_MAPPINGS >> + select ARCH_HAS_HARDENED_MODULE_MAPPINGS >> select ARCH_HAS_KCOV if X86_64 >> select ARCH_HAS_MMIO_FLUSH >> select ARCH_HAS_PMEM_API if X86_64 >> diff --git a/arch/x86/Kconfig.debug b/arch/x86/Kconfig.debug >> index 67eec55..69cdd0b 100644 >> --- a/arch/x86/Kconfig.debug >> +++ b/arch/x86/Kconfig.debug >> @@ -109,17 +109,6 @@ config DEBUG_WX >> >> If in doubt, say "Y". >> >> -config DEBUG_SET_MODULE_RONX >> - bool "Set loadable kernel module data as NX and text as RO" >> - depends on MODULES >> - ---help--- >> - This option helps catch unintended modifications to loadable >> - kernel module's text and read-only data. It also prevents execution >> - of module data. Such protection may interfere with run-time code >> - patching and dynamic kernel tracing - and they might also protect >> - against certain classes of kernel exploits. >> - If in doubt, say "N". >> - >> config DEBUG_NX_TEST >> tristate "Testcase for the NX non-executable stack feature" >> depends on DEBUG_KERNEL && m > > [...] > >> --- a/security/Kconfig >> +++ b/security/Kconfig >> @@ -174,6 +174,22 @@ config HARDENED_PAGE_MAPPINGS >> Unless your system has known restrictions or performance issues, it >> is recommended to say Y here. >> >> +config ARCH_HAS_HARDENED_MODULE_MAPPINGS >> + def_bool n >> + >> +config HARDENED_MODULE_MAPPINGS >> + bool "Mark module mappings with stricter permissions (RO/W^X)" >> + default y >> + depends on ARCH_HAS_HARDENED_MODULE_MAPPINGS > > It would seem that this ends up losing the previous dependency on > MODULES - is that intentional? > > Robin. > (Apologies, my SMTP was set up incorrectly so this didn't actually get sent out when I thought it did) No, good catch. I missed re-adding that when doing the refactoring. Thanks, Laura >> > -- To unsubscribe from this list: send the line "unsubscribe linux-pm" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/Documentation/security/self-protection.txt b/Documentation/security/self-protection.txt index da8cb36..eb018a1 100644 --- a/Documentation/security/self-protection.txt +++ b/Documentation/security/self-protection.txt @@ -52,7 +52,7 @@ made writable during the update, and then returned to the original permissions.) In support of this are CONFIG_HARDENED_PAGE_MAPPINGS and -CONFIG_DEBUG_SET_MODULE_RONX, which seek to make sure that code is not +CONFIG_HARDENED_MODULE_MAPPINGS, which seek to make sure that code is not writable, data is not executable, and read-only data is neither writable nor executable. diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig index 09aff28..ef852e4 100644 --- a/arch/arm/Kconfig +++ b/arch/arm/Kconfig @@ -8,6 +8,7 @@ config ARM select ARCH_HAVE_CUSTOM_GPIO_H select ARCH_HAS_GCOV_PROFILE_ALL select ARCH_HAS_HARDENED_MAPPINGS if MMU && !XIP_KERNEL + select ARCH_HAS_HARDENED_MODULE_MAPPINGS if MMU select ARCH_MIGHT_HAVE_PC_PARPORT select ARCH_SUPPORTS_ATOMIC_RMW select ARCH_USE_BUILTIN_BSWAP diff --git a/arch/arm/Kconfig.debug b/arch/arm/Kconfig.debug index d83f7c3..426d271 100644 --- a/arch/arm/Kconfig.debug +++ b/arch/arm/Kconfig.debug @@ -1738,17 +1738,6 @@ config PID_IN_CONTEXTIDR additional instructions during context switch. Say Y here only if you are planning to use hardware trace tools with this kernel. -config DEBUG_SET_MODULE_RONX - bool "Set loadable kernel module data as NX and text as RO" - depends on MODULES && MMU - ---help--- - This option helps catch unintended modifications to loadable - kernel module's text and read-only data. It also prevents execution - of module data. Such protection may interfere with run-time code - patching and dynamic kernel tracing - and they might also protect - against certain classes of kernel exploits. - If in doubt, say "N". - source "drivers/hwtracing/coresight/Kconfig" endmenu diff --git a/arch/arm/configs/aspeed_g4_defconfig b/arch/arm/configs/aspeed_g4_defconfig index 8ccc216..ffe2656 100644 --- a/arch/arm/configs/aspeed_g4_defconfig +++ b/arch/arm/configs/aspeed_g4_defconfig @@ -79,7 +79,7 @@ CONFIG_DEBUG_LL_UART_8250=y CONFIG_DEBUG_UART_PHYS=0x1e784000 CONFIG_DEBUG_UART_VIRT=0xe8784000 CONFIG_EARLY_PRINTK=y -CONFIG_DEBUG_SET_MODULE_RONX=y +CONFIG_HARDENED_MODULE_MAPPINGS=y # CONFIG_XZ_DEC_X86 is not set # CONFIG_XZ_DEC_POWERPC is not set # CONFIG_XZ_DEC_IA64 is not set diff --git a/arch/arm/configs/aspeed_g5_defconfig b/arch/arm/configs/aspeed_g5_defconfig index 90c5ce4..2ea444e 100644 --- a/arch/arm/configs/aspeed_g5_defconfig +++ b/arch/arm/configs/aspeed_g5_defconfig @@ -81,7 +81,7 @@ CONFIG_DEBUG_LL_UART_8250=y CONFIG_DEBUG_UART_PHYS=0x1e784000 CONFIG_DEBUG_UART_VIRT=0xe8784000 CONFIG_EARLY_PRINTK=y -CONFIG_DEBUG_SET_MODULE_RONX=y +CONFIG_HARDENED_MODULE_MAPPINGS=y # CONFIG_XZ_DEC_X86 is not set # CONFIG_XZ_DEC_POWERPC is not set # CONFIG_XZ_DEC_IA64 is not set diff --git a/arch/arm/kernel/patch.c b/arch/arm/kernel/patch.c index 9da1bf5..eb73a76 100644 --- a/arch/arm/kernel/patch.c +++ b/arch/arm/kernel/patch.c @@ -24,7 +24,7 @@ static void __kprobes *patch_map(void *addr, int fixmap, unsigned long *flags) bool module = !core_kernel_text(uintaddr); struct page *page; - if (module && IS_ENABLED(CONFIG_DEBUG_SET_MODULE_RONX)) + if (module && IS_ENABLED(CONFIG_HARDENED_MODULE_MAPPINGS)) page = vmalloc_to_page(addr); else if (!module && IS_ENABLED(CONFIG_HARDENED_PAGE_MAPPINGS)) page = virt_to_page(addr); diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig index 06fed56..2fe0e98 100644 --- a/arch/arm64/Kconfig +++ b/arch/arm64/Kconfig @@ -12,6 +12,7 @@ config ARM64 select ARCH_HAS_GCOV_PROFILE_ALL select ARCH_HAS_GIGANTIC_PAGE select ARCH_HAS_HARDENED_MAPPINGS + select ARCH_HAS_HARDENED_MODULE_MAPPINGS select ARCH_HAS_KCOV select ARCH_HAS_SG_CHAIN select ARCH_HAS_TICK_BROADCAST if GENERIC_CLOCKEVENTS_BROADCAST diff --git a/arch/arm64/Kconfig.debug b/arch/arm64/Kconfig.debug index a26d27f..1eebe1f 100644 --- a/arch/arm64/Kconfig.debug +++ b/arch/arm64/Kconfig.debug @@ -71,17 +71,6 @@ config DEBUG_WX If in doubt, say "Y". -config DEBUG_SET_MODULE_RONX - bool "Set loadable kernel module data as NX and text as RO" - depends on MODULES - default y - help - Is this is set, kernel module text and rodata will be made read-only. - This is to help catch accidental or malicious attempts to change the - kernel's executable code. - - If in doubt, say Y. - config DEBUG_ALIGN_RODATA depends on ARCH_HAS_HARDENED_MAPPINGS bool "Align linker sections up to SECTION_SIZE" diff --git a/arch/arm64/kernel/insn.c b/arch/arm64/kernel/insn.c index 94b62c1..31bd53f 100644 --- a/arch/arm64/kernel/insn.c +++ b/arch/arm64/kernel/insn.c @@ -93,7 +93,7 @@ static void __kprobes *patch_map(void *addr, int fixmap) bool module = !core_kernel_text(uintaddr); struct page *page; - if (module && IS_ENABLED(CONFIG_DEBUG_SET_MODULE_RONX)) + if (module && IS_ENABLED(CONFIG_HARDENED_MODULE_MAPPINGS)) page = vmalloc_to_page(addr); else if (!module) page = pfn_to_page(PHYS_PFN(__pa(addr))); diff --git a/arch/s390/Kconfig b/arch/s390/Kconfig index 8e70ae5..b1e6ed5 100644 --- a/arch/s390/Kconfig +++ b/arch/s390/Kconfig @@ -69,6 +69,7 @@ config S390 select ARCH_HAS_GCOV_PROFILE_ALL select ARCH_HAS_GIGANTIC_PAGE select ARCH_HAS_HARDENED_MAPPINGS + select ARCH_HAS_HARDENED_MODULE_MAPPINGS select ARCH_HAS_KCOV select ARCH_HAS_SG_CHAIN select ARCH_HAS_UBSAN_SANITIZE_ALL diff --git a/arch/s390/Kconfig.debug b/arch/s390/Kconfig.debug index 26c5d5be..57f8ea9 100644 --- a/arch/s390/Kconfig.debug +++ b/arch/s390/Kconfig.debug @@ -17,7 +17,4 @@ config S390_PTDUMP kernel. If in doubt, say "N" -config DEBUG_SET_MODULE_RONX - def_bool y - depends on MODULES endmenu diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index 9d80cd8..38ce850 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -51,6 +51,7 @@ config X86 select ARCH_HAS_FAST_MULTIPLIER select ARCH_HAS_GCOV_PROFILE_ALL select ARCH_HAS_HARDENED_MAPPINGS + select ARCH_HAS_HARDENED_MODULE_MAPPINGS select ARCH_HAS_KCOV if X86_64 select ARCH_HAS_MMIO_FLUSH select ARCH_HAS_PMEM_API if X86_64 diff --git a/arch/x86/Kconfig.debug b/arch/x86/Kconfig.debug index 67eec55..69cdd0b 100644 --- a/arch/x86/Kconfig.debug +++ b/arch/x86/Kconfig.debug @@ -109,17 +109,6 @@ config DEBUG_WX If in doubt, say "Y". -config DEBUG_SET_MODULE_RONX - bool "Set loadable kernel module data as NX and text as RO" - depends on MODULES - ---help--- - This option helps catch unintended modifications to loadable - kernel module's text and read-only data. It also prevents execution - of module data. Such protection may interfere with run-time code - patching and dynamic kernel tracing - and they might also protect - against certain classes of kernel exploits. - If in doubt, say "N". - config DEBUG_NX_TEST tristate "Testcase for the NX non-executable stack feature" depends on DEBUG_KERNEL && m diff --git a/include/linux/filter.h b/include/linux/filter.h index e4eb254..5426940 100644 --- a/include/linux/filter.h +++ b/include/linux/filter.h @@ -545,7 +545,7 @@ static inline bool bpf_prog_was_classic(const struct bpf_prog *prog) #define bpf_classic_proglen(fprog) (fprog->len * sizeof(fprog->filter[0])) -#ifdef CONFIG_DEBUG_SET_MODULE_RONX +#ifdef CONFIG_HARDENED_MODULE_MAPPINGS static inline void bpf_prog_lock_ro(struct bpf_prog *fp) { set_memory_ro((unsigned long)fp, fp->pages); @@ -563,7 +563,7 @@ static inline void bpf_prog_lock_ro(struct bpf_prog *fp) static inline void bpf_prog_unlock_ro(struct bpf_prog *fp) { } -#endif /* CONFIG_DEBUG_SET_MODULE_RONX */ +#endif /* CONFIG_HARDENED_MODULE_MAPPINGS */ int sk_filter_trim_cap(struct sock *sk, struct sk_buff *skb, unsigned int cap); static inline int sk_filter(struct sock *sk, struct sk_buff *skb) diff --git a/include/linux/init.h b/include/linux/init.h index 9967bc9..5d6b0b2 100644 --- a/include/linux/init.h +++ b/include/linux/init.h @@ -126,7 +126,7 @@ void prepare_namespace(void); void __init load_default_modules(void); int __init init_rootfs(void); -#if defined(CONFIG_HARDENED_PAGE_MAPPINGS) || defined(CONFIG_DEBUG_SET_MODULE_RONX) +#if defined(CONFIG_HARDENED_PAGE_MAPPINGS) || defined(CONFIG_HARDENED_MODULE_MAPPINGS) extern bool rodata_enabled; #endif #ifdef CONFIG_HARDENED_PAGE_MAPPINGS diff --git a/include/linux/module.h b/include/linux/module.h index 7c84273..a4f6926 100644 --- a/include/linux/module.h +++ b/include/linux/module.h @@ -764,7 +764,7 @@ extern int module_sysfs_initialized; #define __MODULE_STRING(x) __stringify(x) -#ifdef CONFIG_DEBUG_SET_MODULE_RONX +#ifdef CONFIG_HARDENED_MODULE_MAPPINGS extern void set_all_modules_text_rw(void); extern void set_all_modules_text_ro(void); extern void module_enable_ro(const struct module *mod, bool after_init); diff --git a/init/main.c b/init/main.c index 4b3bcc4..1545399 100644 --- a/init/main.c +++ b/init/main.c @@ -925,7 +925,7 @@ static int try_to_run_init_process(const char *init_filename) static noinline void __init kernel_init_freeable(void); -#if defined(CONFIG_HARDENED_PAGE_MAPPINGS) || defined(CONFIG_DEBUG_SET_MODULE_RONX) +#if defined(CONFIG_HARDENED_PAGE_MAPPINGS) || defined(CONFIG_HARDENED_MODULE_MAPPINGS) bool rodata_enabled __ro_after_init = true; static int __init set_debug_rodata(char *str) { diff --git a/kernel/module.c b/kernel/module.c index 38d4270..eb2f865 100644 --- a/kernel/module.c +++ b/kernel/module.c @@ -74,9 +74,9 @@ /* * Modules' sections will be aligned on page boundaries * to ensure complete separation of code and data, but - * only when CONFIG_DEBUG_SET_MODULE_RONX=y + * only when CONFIG_HARDENED_MODULE_MAPPINGS=y */ -#ifdef CONFIG_DEBUG_SET_MODULE_RONX +#ifdef CONFIG_HARDENED_MODULE_MAPPINGS # define debug_align(X) ALIGN(X, PAGE_SIZE) #else # define debug_align(X) (X) @@ -1847,7 +1847,7 @@ static void mod_sysfs_teardown(struct module *mod) mod_sysfs_fini(mod); } -#ifdef CONFIG_DEBUG_SET_MODULE_RONX +#ifdef CONFIG_HARDENED_MODULE_MAPPINGS /* * LKM RO/NX protection: protect module's text/ro-data * from modification and any data from execution. diff --git a/security/Kconfig b/security/Kconfig index ad6ce82..0f98d6b 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -174,6 +174,22 @@ config HARDENED_PAGE_MAPPINGS Unless your system has known restrictions or performance issues, it is recommended to say Y here. +config ARCH_HAS_HARDENED_MODULE_MAPPINGS + def_bool n + +config HARDENED_MODULE_MAPPINGS + bool "Mark module mappings with stricter permissions (RO/W^X)" + default y + depends on ARCH_HAS_HARDENED_MODULE_MAPPINGS + help + If this is set, module text and rodata memory will be made read-only, + and non-text memory will be made non-executable. This provides + protection against certain security vulnerabilities (e.g. modifying + code) + + Unless your system has known restrictions or performance issues, it + is recommended to say Y here. + source security/selinux/Kconfig source security/smack/Kconfig source security/tomoyo/Kconfig
Despite the word 'debug' in CONFIG_DEBUG_SET_MODULE_RONX, this kernel option provides key security features that are to be expected on a modern system. Change the name to CONFIG_HARDENED_MODULE_MAPPINGS which more accurately describes what this option is intended to do. Signed-off-by: Laura Abbott <labbott@redhat.com> --- Documentation/security/self-protection.txt | 2 +- arch/arm/Kconfig | 1 + arch/arm/Kconfig.debug | 11 ----------- arch/arm/configs/aspeed_g4_defconfig | 2 +- arch/arm/configs/aspeed_g5_defconfig | 2 +- arch/arm/kernel/patch.c | 2 +- arch/arm64/Kconfig | 1 + arch/arm64/Kconfig.debug | 11 ----------- arch/arm64/kernel/insn.c | 2 +- arch/s390/Kconfig | 1 + arch/s390/Kconfig.debug | 3 --- arch/x86/Kconfig | 1 + arch/x86/Kconfig.debug | 11 ----------- include/linux/filter.h | 4 ++-- include/linux/init.h | 2 +- include/linux/module.h | 2 +- init/main.c | 2 +- kernel/module.c | 6 +++--- security/Kconfig | 16 ++++++++++++++++ 19 files changed, 33 insertions(+), 49 deletions(-)