[PATCH] security/Kconfig: further restrict HARDENED_USERCOPY

From: Tycho Andersen
Date: Thu Mar 09 2017 - 12:31:55 EST

Next message: Arushi Singhal: "[PATCH 3/4] staging: speakup: Alignment match open parenthesis"
Previous message: Greg KH: "Re: [Regression?] 1ea0ce4069 ("selinux: allow changing labels for cgroupfs") stops Android from booting"
Next in thread: Kees Cook: "Re: [PATCH] security/Kconfig: further restrict HARDENED_USERCOPY"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

It doesn't make sense to have HARDENED_USERCOPY when either /dev/kmem is
enabled or /dev/mem can be used to read kernel memory.

v2: add !MMU depend as well

Signed-off-by: Tycho Andersen <tycho@xxxxxxxxxx>
CC: Kees Cook <keescook@xxxxxxxxxxxx>
CC: "Serge E. Hallyn" <serge@xxxxxxxxxx>
CC: James Morris <james.l.morris@xxxxxxxxxx>
---
security/Kconfig | 2 ++
1 file changed, 2 insertions(+)

diff --git a/security/Kconfig b/security/Kconfig
index 3ff1bf9..aeabd40 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -142,6 +142,8 @@ config HARDENED_USERCOPY
bool "Harden memory copies between kernel and userspace"
depends on HAVE_ARCH_HARDENED_USERCOPY
depends on HAVE_HARDENED_USERCOPY_ALLOCATOR
+ depends on !DEVKMEM
+ depends on !ARCH_HAS_DEVMEM_IS_ALLOWED || STRICT_DEVMEM || !MMU
select BUG
help
This option checks for obviously wrong memory regions when
--
2.7.4

Next message: Arushi Singhal: "[PATCH 3/4] staging: speakup: Alignment match open parenthesis"
Previous message: Greg KH: "Re: [Regression?] 1ea0ce4069 ("selinux: allow changing labels for cgroupfs") stops Android from booting"
Next in thread: Kees Cook: "Re: [PATCH] security/Kconfig: further restrict HARDENED_USERCOPY"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]