summaryrefslogtreecommitdiffstats
path: root/Documentation/security
diff options
context:
space:
mode:
authorLinus Torvalds <torvalds@linux-foundation.org>2017-02-21 17:56:45 -0800
committerLinus Torvalds <torvalds@linux-foundation.org>2017-02-21 17:56:45 -0800
commit7bb033829ef3ecfc491c0ed0197966e8f197fbdc (patch)
tree9bf410d9726a351970e83bf5f189b5f10035d6f6 /Documentation/security
parent4a0853bf88c8f56e1c01eda02e6625aed09d55d9 (diff)
parent0f5bf6d0afe4be6e1391908ff2d6dc9730e91550 (diff)
downloadlinux-stable-7bb033829ef3ecfc491c0ed0197966e8f197fbdc.tar.gz
linux-stable-7bb033829ef3ecfc491c0ed0197966e8f197fbdc.tar.bz2
linux-stable-7bb033829ef3ecfc491c0ed0197966e8f197fbdc.zip
Merge tag 'rodata-v4.11-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux
Pull rodata updates from Kees Cook: "This renames the (now inaccurate) DEBUG_RODATA and related SET_MODULE_RONX configs to the more sensible STRICT_KERNEL_RWX and STRICT_MODULE_RWX" * tag 'rodata-v4.11-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux: arch: Rename CONFIG_DEBUG_RODATA and CONFIG_DEBUG_MODULE_RONX arch: Move CONFIG_DEBUG_RODATA and CONFIG_SET_MODULE_RONX to be common
Diffstat (limited to 'Documentation/security')
-rw-r--r--Documentation/security/self-protection.txt10
1 files changed, 8 insertions, 2 deletions
diff --git a/Documentation/security/self-protection.txt b/Documentation/security/self-protection.txt
index 3010576c9fca..141acfebe6ef 100644
--- a/Documentation/security/self-protection.txt
+++ b/Documentation/security/self-protection.txt
@@ -51,11 +51,17 @@ kernel, they are implemented in a way where the memory is temporarily
made writable during the update, and then returned to the original
permissions.)
-In support of this are (the poorly named) CONFIG_DEBUG_RODATA and
-CONFIG_DEBUG_SET_MODULE_RONX, which seek to make sure that code is not
+In support of this are CONFIG_STRICT_KERNEL_RWX and
+CONFIG_STRICT_MODULE_RWX, which seek to make sure that code is not
writable, data is not executable, and read-only data is neither writable
nor executable.
+Most architectures have these options on by default and not user selectable.
+For some architectures like arm that wish to have these be selectable,
+the architecture Kconfig can select ARCH_OPTIONAL_KERNEL_RWX to enable
+a Kconfig prompt. CONFIG_ARCH_OPTIONAL_KERNEL_RWX_DEFAULT determines
+the default setting when ARCH_OPTIONAL_KERNEL_RWX is enabled.
+
#### Function pointers and sensitive variables must not be writable
Vast areas of kernel memory contain function pointers that are looked