[PATCH 2/2] security: Change name of CONFIG_DEBUG_SET_MODULE_RONX
Heiko Carstens
heiko.carstens at de.ibm.com
Thu Jan 19 03:34:06 PST 2017
On Thu, Jan 19, 2017 at 11:11:18AM +0000, Mark Rutland wrote:
> > +config HARDENED_MODULE_MAPPINGS
> > + bool "Mark module mappings with stricter permissions (RO/W^X)"
> > + default y
> > + depends on ARCH_HAS_HARDENED_MODULE_MAPPINGS
> > + help
> > + If this is set, module text and rodata memory will be made read-only,
> > + and non-text memory will be made non-executable. This provides
> > + protection against certain security vulnerabilities (e.g. modifying
> > + code)
> > +
> > + Unless your system has known restrictions or performance issues, it
> > + is recommended to say Y here.
> > +
>
> I was hoping that we'd make this mandatory, as we'd already done for
> DEBUG_RODATA.
Same for s390: would be good to make this mandatory.
More information about the linux-arm-kernel
mailing list