From 6b175bc9fd304d1cfed6bf81e43b911889970494 Mon Sep 17 00:00:00 2001 From: Romain Perier Date: Mon, 11 Feb 2019 17:28:09 +0100 Subject: [PATCH] Enable STRICT_MODULE_RWX With this option set, module text and rodata memory areas will be made read-only. Moreover, non-text memory will be made non-executable. This provides protection against certain security exploits. Currently, this option is implicitly enabled in Kconfig for most configurations where it is possible to enable it. This commit enables the option by default explicitly for all supported targets (except marvell to keep it small) --- debian/changelog | 1 + debian/config/armel/config.marvell | 1 + debian/config/config | 1 + 3 files changed, 3 insertions(+) diff --git a/debian/changelog b/debian/changelog index f6ad84320..187b853b2 100644 --- a/debian/changelog +++ b/debian/changelog @@ -642,6 +642,7 @@ linux (4.19.26-1) UNRELEASED; urgency=medium * [rt] Update to 4.19.25-rt16 * [armel/rpi] Add flavour for Raspberry Pi and Raspberry Pi Zero * [armel, armhf] Enable CRASH_DUMP + * Enable STRICT_MODULE_RWX -- Ben Hutchings Tue, 12 Feb 2019 12:49:10 +0000 diff --git a/debian/config/armel/config.marvell b/debian/config/armel/config.marvell index b1d28c565..5c29f6b9a 100644 --- a/debian/config/armel/config.marvell +++ b/debian/config/armel/config.marvell @@ -4,6 +4,7 @@ # CONFIG_KPROBES is not set # CONFIG_STACKPROTECTOR_STRONG is not set # CONFIG_STRICT_KERNEL_RWX is not set +# CONFIG_STRICT_MODULE_RWX is not set ## ## file: arch/arm/Kconfig diff --git a/debian/config/config b/debian/config/config index 562f30baa..0610a3bb3 100644 --- a/debian/config/config +++ b/debian/config/config @@ -9,6 +9,7 @@ CONFIG_STACKPROTECTOR=y CONFIG_STACKPROTECTOR_STRONG=y CONFIG_VMAP_STACK=y CONFIG_STRICT_KERNEL_RWX=y +CONFIG_STRICT_MODULE_RWX=y ## ## file: block/Kconfig
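
Review bot: The new entry `* Enable STRICT_MODULE_RWX` in debian/changelog does not mention that armel/marvell opts out, while the neighbouring entries scope themselves with tags such as `[armel/rpi]` and `[armel, armhf]`. Someone reading only the changelog would assume the hardening applies to every flavour. Suggest either wording the entry to name the exception or adding a second tagged entry for the marvell override.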
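
Review bot: The added `# CONFIG_STRICT_MODULE_RWX is not set` in debian/config/armel/config.marvell turns the protection off for this flavour, and the only rationale ("to keep it small") lives in the commit message. Because the line sits directly under `# CONFIG_STRICT_KERNEL_RWX is not set`, this flavour ends up with neither kernel nor module memory protections. Please record the size reason as a comment in the file, ideally with the measured cost of the option, so the opt-out can be revisited later.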
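
Review bot: For `CONFIG_STRICT_MODULE_RWX=y` in debian/config/config, the commit message says the option is already implicitly enabled by Kconfig for most configurations, so it is not clear which flavours' resulting configuration actually changes with this line. Please state in the commit message which flavours gain the option (a before/after comparison of the generated configs would show it) and confirm that armel/marvell is the only flavour that needs an override.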