[PATCH v2] UBUNTU: [Config] armhf: ARM_KERNMEM_PERMS=y && DEBUG_RODATA=y

Paolo Pisati paolo.pisati at canonical.com
Tue Mar 31 15:58:41 UTC 2015


Much like DEBUG_SET_MODULE_RONX, this option makes kernel text and rodata
read-only. This is to help catch accidental or malicious attempts to change the
kernel's executable code. Additionally, it splits rodata from kernel text so it
can be made explicitly non-executable. But contrary to DEBUG_SET_MODULE_RONX, it
covers all kernel code instead of working on module sections only.

Signed-off-by: Paolo Pisati <paolo.pisati at canonical.com>
---
 debian.master/config/annotations          | 4 ++--
 debian.master/config/config.common.ubuntu | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/debian.master/config/annotations b/debian.master/config/annotations
index 0bd8034..327c39f 100644
--- a/debian.master/config/annotations
+++ b/debian.master/config/annotations
@@ -2917,10 +2917,10 @@ CONFIG_PANIC_TIMEOUT				0
 CONFIG_STACKTRACE				y
 CONFIG_PROVIDE_OHCI1394_DMA_INIT		n
 CONFIG_STRICT_DEVMEM				y mark<ENFORCED>
-CONFIG_DEBUG_RODATA				p mark<ENFORCED> policy<{'amd64': 'y', 'i386': 'y'}>
+CONFIG_DEBUG_RODATA				p mark<ENFORCED> policy<{'amd64': 'y', 'i386': 'y', 'armhf': 'y'}>
 CONFIG_DEBUG_SET_MODULE_RONX			p mark<ENFORCED> policy<{'powerpc': '-', 'ppc64el': '-', '*': 'y'}>
 CONFIG_EARLY_PRINTK				y
-CONFIG_DEBUG_RODATA				p policy<{'amd64': 'y', 'i386': 'y'}>
+CONFIG_DEBUG_RODATA				p policy<{'amd64': 'y', 'i386': 'y', 'armhf': 'y'}>
 
 # Menu: Kernel hacking >> Architecture: arm
 CONFIG_ARM_PTDUMP				p policy<{'armhf': 'n'}>
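Review bot: CONFIG_DEBUG_RODATA appears twice in this hunk, once with mark<ENFORCED> and once without, and both copies had to be edited in lockstep to gain 'armhf': 'y'. Consider dropping the unenforced duplicate, or noting why both are needed, so a later policy change cannot update one entry and miss the other. Also, the annotations diff touches only these two lines, so CONFIG_ARM_KERNMEM_PERMS, which the subject line pairs with DEBUG_RODATA and the second file turns on, gets no enforced policy here. If read-only kernel text is meant to be guaranteed on armhf, an annotation entry for it would keep the option from being silently turned off later.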
diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu
index 7e529f8..9b7c1c5 100644
--- a/debian.master/config/config.common.ubuntu
+++ b/debian.master/config/config.common.ubuntu
@@ -477,7 +477,7 @@ CONFIG_ARM_GLOBAL_TIMER=y
 CONFIG_ARM_HAS_SG_CHAIN=y
 CONFIG_ARM_HIGHBANK_CPUFREQ=m
 CONFIG_ARM_IMX6Q_CPUFREQ=m
-# CONFIG_ARM_KERNMEM_PERMS is not set
+CONFIG_ARM_KERNMEM_PERMS=y
 # CONFIG_ARM_KIRKWOOD_CPUFREQ is not set
 CONFIG_ARM_KPROBES_TEST=m
 CONFIG_ARM_L1_CACHE_SHIFT=6
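Review bot: the only config line changed in this hunk is CONFIG_ARM_KERNMEM_PERMS=y; nothing in the patch sets CONFIG_DEBUG_RODATA for armhf, although the subject promises DEBUG_RODATA=y and the annotations now require 'armhf': 'y'. Please state in the commit message how DEBUG_RODATA ends up enabled on armhf (already present in a config file, or picked up when the configs are regenerated), or include the resulting config line in the patch, so the enforced policy and the shipped config can be checked against each other from the patch alone.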
-- 
2.1.4




