[RFC] module: add 'module_ronx=off' boot cmdline parameter to disable ro/nx module mappings

From: AKASHI Takahiro
Date: Tue Oct 18 2016 - 02:02:11 EST


Just as making CONFIG_DEBUG_RODATA mandatory is a good idea, so it will
be for CONFIG_SET_MODULE_RONX.
This patch adds a command line parameter, "module_ronx=", in order to
make this configuration always on in the future, while still allowing
read-only module mappings to be disabled at boot time, as "rodata=" does.

I have, however, some concerns about this prototype:
(1) should we use a separate parameter like "module_ronx=", or
unify it with "rodata="?
(2) should we keep NX permission set even if module_ronx=off?

I tested this patch with:
- insmod lkdtm.ko cpoint_name=DIRECT cpoint_type="WRITE_KERN"
- insmod lkdtm.ko cpoint_name=DIRECT cpoint_type="WRITE_RO"
- insmod lkdtm.ko cpoint_name=DIRECT cpoint_type="EXEC_DATA"

The WRITE_RO_AFTER_INIT case doesn't fail because the test is executed
*before* setting the ro_after_init data ro.

Any comments are welcome.

Thanks,
-Takahiro AKASHI
===8<===