Closed: anthraxx closed this 6 years ago
Did you test this? That patch caused build failures when I was porting it to 4.16 a couple of months ago.
@Bernhard40 it's WIP, maybe I should reflect that in the title until it's considered good.
I recommend dropping the changes below:
@@ -100,7 +100,16 @@
Note that entropy extracted this way is not cryptographically
secure!
-@@ -735,7 +740,7 @@ config ARCH_MMAP_RND_BITS
+@@ -541,7 +546,7 @@ config HAVE_CC_STACKPROTECTOR
+ choice
+ prompt "Stack Protector buffer overflow detection"
+ depends on HAVE_CC_STACKPROTECTOR
+- default CC_STACKPROTECTOR_AUTO
++ default CC_STACKPROTECTOR_STRONG
+ help
+ This option turns on the "stack-protector" GCC feature. This
+ feature puts, at the beginning of functions, a canary value on
+@@ -747,7 +752,7 @@ config ARCH_MMAP_RND_BITS
int "Number of bits to use for ASLR of mmap base address" if EXPERT
range ARCH_MMAP_RND_BITS_MIN ARCH_MMAP_RND_BITS_MAX
default ARCH_MMAP_RND_BITS_DEFAULT if ARCH_MMAP_RND_BITS_DEFAULT
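Review bot: the `+@@ -541,7 +546,7 @@ config HAVE_CC_STACKPROTECTOR` block is a new functional change hidden inside what is otherwise a line-offset rebase of the ARCH_MMAP_RND_BITS hunk (735 -> 747): it flips `default CC_STACKPROTECTOR_AUTO` to `default CC_STACKPROTECTOR_STRONG`. The upstream AUTO default already ends up on STRONG when the compiler supports it (as the reply below also notes), so the explicit STRONG default buys nothing on capable toolchains and removes the fallback behaviour AUTO exists for. Suggest dropping the `+@@ -541` block and keeping only the `+@@ -747,7 +752,7 @@` offset update.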
@@ -1931,7 +1940,16 @@
help
Select this option if the kernel should BUG when it encounters
data corruption in kernel memory structures when they get checked
-@@ -1971,6 +1974,7 @@ config STRICT_DEVMEM
+@@ -1969,7 +1972,7 @@ config STRICT_DEVMEM
+ bool "Filter access to /dev/mem"
+ depends on MMU && DEVMEM
+ depends on ARCH_HAS_DEVMEM_IS_ALLOWED
+- default y if TILE || PPC || X86 || ARM64
++ default y
+ ---help---
+ If this option is disabled, you allow userspace (root) access to all
+ of memory, including kernel and userspace memory. Accidental
+@@ -1988,6 +1991,7 @@ config STRICT_DEVMEM
config IO_STRICT_DEVMEM
bool "Filter I/O access to /dev/mem"
depends on STRICT_DEVMEM
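Review bot: the `+@@ -1969,7 +1972,7 @@ config STRICT_DEVMEM` block replaces `default y if TILE || PPC || X86 || ARM64` with an unconditional `default y`, but the option is still gated by `depends on ARCH_HAS_DEVMEM_IS_ALLOWED`, and X86 and ARM64, the only arches this tree targets, are already in the upstream list, so the change is a no-op for every supported build. Suggest dropping that block and keeping only the `+@@ -1988,6 +1991,7 @@` offset update for the IO_STRICT_DEVMEM hunk that follows.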
They are redundant after upstream changes in 4.16. CC_STACKPROTECTOR_STRONG will be automatically selected if the compiler supports it, so there is no point in making it explicit. STRICT_DEVMEM will be the default for X86 || ARM64, the two supported arches; there is no point in enabling it anywhere else.
Plus dropping the patch I already mentioned above.
Otherwise everything looks good and it's similar to what I already tested for about 2 months.
I did a rebase with some commits left out. I'm not planning on tagging a release for 4.16 with the current state of things though.
The following commits were dropped since they're no longer required:
regulatory: add NUL to request alpha2
enable STRICT_DEVMEM by default everywhere
enable CC_STACKPROTECTOR_STRONG by default
The following was dropped due to being out-of-scope for downstream linux-hardened:
enable SECURITY_TIOCSTI_RESTRICT by default
security: tty: make TIOCSTI ioctl require CAP_SYS_ADMIN
security: tty: Add owner user namespace to tty_struct
An ioctl whitelist for TTY devices can be made with a trivial SELinux policy without even using more than a single global unconfined domain. For reference:
https://android.googlesource.com/platform/system/sepolicy/+/android-8.1.0_r20/public/domain.te#209
https://android.googlesource.com/platform/system/sepolicy/+/android-8.1.0_r20/public/ioctl_macros#51
The following was dropped because it has no use without type-based CFI, and Google will be handling that upstream:
drivers/media: improve the return type of a bunch of .get_frontend_algo callbacks.
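As an added illustration of the approach described in the comment above (this is example policy written for this page, not code from linux-hardened or from the linked Android sepolicy), here is a minimal fragment that whitelists TTY ioctls for a single global domain. The type names `unconfined_t`, `devpts_t` and `tty_device_t` are assumed refpolicy-style names; the request numbers are the low 16 bits of the asm-generic `ioctls.h` values, with 0x5412 (TIOCSTI) deliberately left out of every range. Leaving out 0x541c (TIOCLINUX) as well is this example's own choice, not something the comment calls for.

```selinux
# Added example, not part of linux-hardened or the Android policy linked above.
# Assumed type names (refpolicy style):
#   unconfined_t  - the single global domain every process runs in
#   devpts_t      - pseudo-terminal slaves under /dev/pts
#   tty_device_t  - console and serial TTY device nodes

# Step 1: the ordinary access-vector rule must grant the ioctl permission on
# the class, otherwise no ioctl is reachable at all.
allow unconfined_t devpts_t:chr_file { read write open ioctl };
allow unconfined_t tty_device_t:chr_file { read write open ioctl };

# Step 2: allowxperm narrows *which* request numbers are permitted. Once an
# allowxperm rule exists for a (source, target, class) triple, any ioctl
# number not listed is denied, which is what makes this a true whitelist.
# Ranges below are built from asm-generic/ioctls.h; the gap at 0x5412 (TIOCSTI)
# and at 0x541c (TIOCLINUX) is intentional.
allowxperm unconfined_t devpts_t:chr_file ioctl {
    0x5401-0x5411   # TCGETS .. TIOCOUTQ: termios get/set, flush, excl, pgrp
    0x5413-0x541b   # TIOCGWINSZ .. FIONREAD: window size, modem lines, softcar
    0x541d-0x5425   # TIOCCONS .. TCSBRKP: serial params, packet mode, FIONBIO, ldisc
    0x5427-0x5437   # TIOCSBRK .. TIOCVHANGUP: break, SID, termios2, RS485, pty number/lock
    0x5450-0x5452   # FIONCLEX, FIOCLEX, FIOASYNC
};
allowxperm unconfined_t tty_device_t:chr_file ioctl {
    0x5401-0x5411
    0x5413-0x541b
    0x541d-0x5425
    0x5427-0x5437
    0x5450-0x5452
};
```

The second rule is the one that matters for the TIOCSTI case: a process that already owns a TTY keeps termios, window-size and line-discipline control, but the kernel's SELinux hook rejects TIOCSTI before the tty driver sees it, regardless of capabilities. Checking the effect on a running system is a matter of `strace -e ioctl` on a program that issues TIOCSTI and looking for EACCES in the trace and the matching `avc: denied { ioctl }` line with `ioctlcmd=0x5412` in the audit log.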
tiny adjustments on some patches