Re: [PATCH v2] module: Harden STRICT_MODULE_RWX

[Jessica Yu]

+++ Peter Zijlstra [08/04/20 17:57 +0200]:
[..snip..]
> > Just to clarify, did we want to enforce this only when
> > CONFIG_STRICT_MODULE_RWX=y?  Because here it's still in the
> > CONFIG_ARCH_HAS_STRICT_MODULE_RWX block.
> >
> > Unfortunately, when we add module_enforce_rwx_sections() in the
> > CONFIG_STRICT_MODULE_RWX block, we'll need two empty stubs, one for
> > !CONFIG_ARCH_HAS_STRICT_MODULE_RWX and one for !CONFIG_STRICT_MODULE_RWX.
> >
> > This is because the CONFIG_STRICT_MODULE_RWX block is currently nested
> > within ARCH_HAS_STRICT_MODULE_RWX :/
>
> Yeah, so the primary reason it's under that ARCH_HAS thing is indeed the
> mess and the extra stub required (I'm a lazy sod at times).

Heh :-)

> I then rationalized this decision to myself that having it under
> ARCH_HAS give a more consistent module loading behaviour.
>
> But I really don't care too much, my most my .config's have
> CONFIG_MODULE=n, and the ones that do not very much have the STRICT_RWX
> set.
>
> Put it where you think it's best.

I don't really mind either way, but my gut tells me I should just move
that hunk under STRICT_MODULE_RWX just to be consistent with STRICT
vs. non STRICT semantics. No need to respin, I'll rebase after I queue
the other patch.

Thanks!

Jessica