Comments (4)
This is partly motivated by CONFIG_DEBUG_NOTIFIERS being buggy on some architectures. It works properly on x86 but we had issues with it on arm64 previously. It's the only user of func_ptr_is_kernel_text, so there's little motivation for that function to work universally for such a niche feature that's no longer even useful if you use CFI. The whole feature is this:

```c
/* kernel/notifier.c, inside the notifier_call_chain() loop */
#ifdef CONFIG_DEBUG_NOTIFIERS
	/* Sanity-check the callback pointer before calling it. */
	if (unlikely(!func_ptr_is_kernel_text(nb->notifier_call))) {
		WARN(1, "Invalid notifier called!");
		nb = next_nb;
		continue;
	}
#endif
```
from kconfig-hardened-check.
@thestinger, thanks for the idea!
Added the commit cd5bb8a.
One moment, you are right, CFI_PERMISSIVE should be disabled as well.
Added the commit 65ff79d.
Now the verbose result of checking this config ...

```
# CONFIG_DEBUG_NOTIFIERS is not set
CONFIG_CFI_CLANG=y
CONFIG_CFI_PERMISSIVE=y
```

... looks like this:

```
-------------------------------------------------------------------------------------------------------------------------
    <<< OR >>>                                                             | FAIL: "is not set"
CONFIG_DEBUG_NOTIFIERS   |kconfig|     y      |   kspp   | self_protection | FAIL: "is not set"
    <<< AND >>>                                                            | FAIL: CONFIG_CFI_PERMISSIVE is not "is not set"
CONFIG_CFI_CLANG         |kconfig|     y      |   kspp   | self_protection | OK
CONFIG_CFI_PERMISSIVE    |kconfig| is not set |   kspp   | self_protection | FAIL: "y"
-------------------------------------------------------------------------------------------------------------------------
```

And the verbose result of checking this config ...

```
# CONFIG_DEBUG_NOTIFIERS is not set
CONFIG_CFI_CLANG=y
# CONFIG_CFI_PERMISSIVE is not set
```

... looks like this:

```
-------------------------------------------------------------------------------------------------------------------------
    <<< OR >>>                                                             | OK: CONFIG_CFI_CLANG is "y"
CONFIG_DEBUG_NOTIFIERS   |kconfig|     y      |   kspp   | self_protection | FAIL: "is not set"
    <<< AND >>>                                                            | OK
CONFIG_CFI_CLANG         |kconfig|     y      |   kspp   | self_protection | OK
CONFIG_CFI_PERMISSIVE    |kconfig| is not set |   kspp   | self_protection | OK
-------------------------------------------------------------------------------------------------------------------------
```
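The rule the thread ends up with (either CONFIG_DEBUG_NOTIFIERS=y, or CONFIG_CFI_CLANG=y with CONFIG_CFI_PERMISSIVE disabled, since enforcing CFI makes the notifier pointer check redundant) as an added, stand-alone example. This is not kconfig-hardened-check's own code: the class and function names (KconfigCheck, AndCheck, OrCheck, parse_config, build_notifiers_rule, evaluate) and the exact result wording are assumptions chosen for this illustration, and the three .config fragments are constructed inputs, the first two mirroring the ones quoted in the comment above.

```python
"""Composite OR/AND check over a kernel .config, modelled on the rule
discussed above. Added example; names and messages are assumptions, not
the project's API."""
import re

NOT_SET = "is not set"


def parse_config(text: str) -> dict[str, str]:
    """Map 'CONFIG_X=v' to v and '# CONFIG_X is not set' to NOT_SET.
    Options absent from the file are treated as NOT_SET by the checks."""
    opts: dict[str, str] = {}
    for line in text.splitlines():
        m = re.fullmatch(r"\s*(CONFIG_\w+)=(.*?)\s*", line)
        if m:
            opts[m.group(1)] = m.group(2).strip('"')
            continue
        m = re.fullmatch(r"\s*#\s*(CONFIG_\w+) is not set\s*", line)
        if m:
            opts[m.group(1)] = NOT_SET
    return opts


class KconfigCheck:
    """One option compared against its expected value."""

    def __init__(self, name: str, expected: str) -> None:
        self.name, self.expected, self.result = name, expected, None

    def check(self, opts: dict[str, str]) -> bool:
        actual = opts.get(self.name, NOT_SET)
        ok = actual == self.expected
        self.result = "OK" if ok else f'FAIL: {self.name} is "{actual}"'
        return ok

    def describe(self) -> str:
        return f'{self.name} is "{self.expected}"'


class AndCheck:
    """Passes only if every sub-check passes; reports the first failure."""

    def __init__(self, *checks) -> None:
        self.checks, self.result = list(checks), None

    def check(self, opts: dict[str, str]) -> bool:
        for c in self.checks:
            if not c.check(opts):
                self.result = "FAIL: " + c.result.removeprefix("FAIL: ")
                return False
        self.result = "OK"
        return True

    def describe(self) -> str:
        return " and ".join(c.describe() for c in self.checks)


class OrCheck:
    """Passes if any sub-check passes; reports which alternative held."""

    def __init__(self, *checks) -> None:
        self.checks, self.result = list(checks), None

    def check(self, opts: dict[str, str]) -> bool:
        for c in self.checks:
            if c.check(opts):
                self.result = "OK: " + c.describe()
                return True
        self.result = "FAIL: " + "; ".join(
            c.result.removeprefix("FAIL: ") for c in self.checks)
        return False


def build_notifiers_rule() -> OrCheck:
    """OR(DEBUG_NOTIFIERS=y, AND(CFI_CLANG=y, CFI_PERMISSIVE is not set))."""
    return OrCheck(
        KconfigCheck("CONFIG_DEBUG_NOTIFIERS", "y"),
        AndCheck(KconfigCheck("CONFIG_CFI_CLANG", "y"),
                 KconfigCheck("CONFIG_CFI_PERMISSIVE", NOT_SET)),
    )


def evaluate(config_text: str) -> tuple[bool, str]:
    """Return (passed, verbose result) for the rule against one .config."""
    rule = build_notifiers_rule()
    ok = rule.check(parse_config(config_text))
    return ok, rule.result


# Constructed inputs: the two fragments from the thread plus a non-CFI kernel.
PERMISSIVE_CFI = "# CONFIG_DEBUG_NOTIFIERS is not set\nCONFIG_CFI_CLANG=y\nCONFIG_CFI_PERMISSIVE=y\n"
ENFORCING_CFI = "# CONFIG_DEBUG_NOTIFIERS is not set\nCONFIG_CFI_CLANG=y\n# CONFIG_CFI_PERMISSIVE is not set\n"
NO_CFI = "CONFIG_DEBUG_NOTIFIERS=y\n# CONFIG_CFI_CLANG is not set\n"

if __name__ == "__main__":
    for label, cfg in (("permissive CFI", PERMISSIVE_CFI),
                       ("enforcing CFI", ENFORCING_CFI),
                       ("DEBUG_NOTIFIERS only", NO_CFI)):
        print(f"{label:22} -> {evaluate(cfg)[1]}")
```

The permissive-CFI config fails both branches of the OR (DEBUG_NOTIFIERS off, and the AND broken by CFI_PERMISSIVE=y), the enforcing-CFI config passes through the AND branch, and a kernel without CFI still passes as long as CONFIG_DEBUG_NOTIFIERS=y, which is exactly the tri-state the reworked check in the tool expresses.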