[PATCH v3] security/Kconfig: further restrict HARDENED_USERCOPY

From: Tycho Andersen
Date: Thu Mar 09 2017 - 16:29:33 EST

Next message: David Miller: "Re: [PATCH v2 net-next] net: dwc-xlgmac: Initial driver for DesignWare Enterprise Ethernet"
Previous message: Andrew Morton: "Re: "mm: fix lazyfree BUG_ON check in try_to_unmap_one()" build error"
Next in thread: Kees Cook: "Re: [PATCH v3] security/Kconfig: further restrict HARDENED_USERCOPY"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

It doesn't make sense to have HARDENED_USERCOPY when either /dev/kmem is
enabled or /dev/mem can be used to read kernel memory (i.e.
!STRICT_DEVMEM).

v2: add !MMU depend as well
v3: drop !MMU, s/ARCH_HAS_DEVMEM_IS_ALLOWED/DEVMEM, which makes the above
commit message actually match the logic again

Signed-off-by: Tycho Andersen <tycho@xxxxxxxxxx>
CC: Kees Cook <keescook@xxxxxxxxxxxx>
CC: "Serge E. Hallyn" <serge@xxxxxxxxxx>
CC: James Morris <james.l.morris@xxxxxxxxxx>
---
security/Kconfig | 2 ++
1 file changed, 2 insertions(+)

diff --git a/security/Kconfig b/security/Kconfig
index 3ff1bf9..4619cee 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -142,6 +142,8 @@ config HARDENED_USERCOPY
bool "Harden memory copies between kernel and userspace"
depends on HAVE_ARCH_HARDENED_USERCOPY
depends on HAVE_HARDENED_USERCOPY_ALLOCATOR
+ depends on !DEVKMEM
+ depends on !DEVMEM || STRICT_DEVMEM
select BUG
help
This option checks for obviously wrong memory regions when
--
2.7.4

Next message: David Miller: "Re: [PATCH v2 net-next] net: dwc-xlgmac: Initial driver for DesignWare Enterprise Ethernet"
Previous message: Andrew Morton: "Re: "mm: fix lazyfree BUG_ON check in try_to_unmap_one()" build error"
Next in thread: Kees Cook: "Re: [PATCH v3] security/Kconfig: further restrict HARDENED_USERCOPY"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]