Enable STRICT_MODULE_RWX
With this option set, module text and rodata memory areas will be made read-only. Moreover, non-text memory will be made non-executable. This provides protection against certain security exploits. Currently, this option is implicitly enabled in Kconfig for most configurations where it is possible to enable it. This commit enables the option by default explicitly for all supported targets (except marvell to keep it small).
parent 693bbd783d
commit 6b175bc9fd
|
@ -642,6 +642,7 @@ linux (4.19.26-1) UNRELEASED; urgency=medium
|
||||||
* [rt] Update to 4.19.25-rt16
|
* [rt] Update to 4.19.25-rt16
|
||||||
* [armel/rpi] Add flavour for Raspberry Pi and Raspberry Pi Zero
|
* [armel/rpi] Add flavour for Raspberry Pi and Raspberry Pi Zero
|
||||||
* [armel, armhf] Enable CRASH_DUMP
|
* [armel, armhf] Enable CRASH_DUMP
|
||||||
|
* Enable STRICT_MODULE_RWX
|
||||||
|
|
||||||
-- Ben Hutchings <ben@decadent.org.uk> Tue, 12 Feb 2019 12:49:10 +0000
|
-- Ben Hutchings <ben@decadent.org.uk> Tue, 12 Feb 2019 12:49:10 +0000
|
||||||
|
|
||||||
|
|
|
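Review bot: The added changelog line `* Enable STRICT_MODULE_RWX` carries no architecture or flavour tag and omits the marvell exception that the commit message describes, while the neighbouring entries are scoped with tags such as `[armel, armhf]`. Suggest recording the exception in the entry itself, so that someone reading only the changelog can tell which flavour still ships with writable module text and executable module data.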
@ -4,6 +4,7 @@
|
||||||
# CONFIG_KPROBES is not set
|
# CONFIG_KPROBES is not set
|
||||||
# CONFIG_STACKPROTECTOR_STRONG is not set
|
# CONFIG_STACKPROTECTOR_STRONG is not set
|
||||||
# CONFIG_STRICT_KERNEL_RWX is not set
|
# CONFIG_STRICT_KERNEL_RWX is not set
|
||||||
|
# CONFIG_STRICT_MODULE_RWX is not set
|
||||||
|
|
||||||
##
|
##
|
||||||
## file: arch/arm/Kconfig
|
## file: arch/arm/Kconfig
|
||||||
|
|
|
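Review bot: The added `# CONFIG_STRICT_MODULE_RWX is not set` switches a memory-protection option off with no explanation in the file; the only rationale ("to keep it small") is in the commit message. It sits directly below `# CONFIG_STRICT_KERNEL_RWX is not set` and `# CONFIG_STACKPROTECTOR_STRONG is not set`, so this configuration already opts out of several hardening options. Suggest a short comment above the new line stating the size constraint, so a later audit can tell a deliberate opt-out from an oversight.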
@ -9,6 +9,7 @@ CONFIG_STACKPROTECTOR=y
|
||||||
CONFIG_STACKPROTECTOR_STRONG=y
|
CONFIG_STACKPROTECTOR_STRONG=y
|
||||||
CONFIG_VMAP_STACK=y
|
CONFIG_VMAP_STACK=y
|
||||||
CONFIG_STRICT_KERNEL_RWX=y
|
CONFIG_STRICT_KERNEL_RWX=y
|
||||||
|
CONFIG_STRICT_MODULE_RWX=y
|
||||||
|
|
||||||
##
|
##
|
||||||
## file: block/Kconfig
|
## file: block/Kconfig
|
||||||
|
|
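Review bot: The added `CONFIG_STRICT_MODULE_RWX=y`, placed after `CONFIG_STRICT_KERNEL_RWX=y`, is described in the commit message as already implicitly enabled for most configurations, so the patch does not show which builds actually change. Suggest naming the affected flavours in the commit message or changelog and comparing the generated configuration of each one before and after, to confirm that the only build left without the option is the one with the explicit opt-out.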