mm: security: Allow default HARDENED_USERCOPY to be set at compile time
authorMel Gorman <mgorman@techsingularity.net>
Thu, 23 Jan 2025 22:11:13 +0000 (22:11 +0000)
committerKees Cook <kees@kernel.org>
Tue, 11 Feb 2025 00:40:15 +0000 (16:40 -0800)
HARDENED_USERCOPY defaults to on if enabled at compile time. Allow
hardened_usercopy= default to be set at compile time similar to
init_on_alloc= and init_on_free=. The intent is that hardening
options that can be disabled at runtime can set their default at
build time.

Signed-off-by: Mel Gorman <mgorman@techsingularity.net>
Link: https://lore.kernel.org/r/20250123221115.19722-3-mgorman@techsingularity.net
Signed-off-by: Kees Cook <kees@kernel.org>
Documentation/admin-guide/kernel-parameters.txt
mm/usercopy.c
security/Kconfig.hardening

index fb8752b42ec8582b8750d7e014c4d76166fa2fc1..41d4cf206ec1bf0ee2d776d088775364a3bd5c0a 100644 (file)
                        allocation boundaries as a proactive defense
                        against bounds-checking flaws in the kernel's
                        copy_to_user()/copy_from_user() interface.
-               on      Perform hardened usercopy checks (default).
+                       The default is determined by
+                       CONFIG_HARDENED_USERCOPY_DEFAULT_ON.
+               on      Perform hardened usercopy checks.
                off     Disable hardened usercopy checks.
 
        hardlockup_all_cpu_backtrace=
index 83c164aba6e0f697f6c7d34cd930cb67218e3194..4cf33305347a5bbfd3eedbbe36d5fe7cc2f37f3a 100644 (file)
@@ -255,7 +255,8 @@ void __check_object_size(const void *ptr, unsigned long n, bool to_user)
 }
 EXPORT_SYMBOL(__check_object_size);
 
-static bool enable_checks __initdata = true;
+static bool enable_checks __initdata =
+               IS_ENABLED(CONFIG_HARDENED_USERCOPY_DEFAULT_ON);
 
 static int __init parse_hardened_usercopy(char *str)
 {
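Review bot: With CONFIG_HARDENED_USERCOPY_DEFAULT_ON unset, the new initializer of `enable_checks` leaves a kernel built with HARDENED_USERCOPY booting with the checks off unless `hardened_usercopy=on` is on the command line, and nothing visible in this hunk reports that state. A comment on the declaration would record the contract, for example `/* Boot-time default; hardened_usercopy= on the command line overrides it. */`. It would also help to log the effective setting once at init (a single `pr_info` saying whether the checks are active), so the state can be confirmed from the boot log rather than inferred from the build config. parse_hardened_usercopy() begins on the last line of the hunk and its body is not shown, so whether an unparsable value now falls back to an off default should be checked there.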
index 9f1bea733523ed62a1443ef90343f9c7adf9581a..45748379f89635506be026d6a27e5ce991a0450c 100644 (file)
@@ -294,6 +294,14 @@ config HARDENED_USERCOPY
          or are part of the kernel text. This prevents entire classes
          of heap overflow exploits and similar kernel memory exposures.
 
+config HARDENED_USERCOPY_DEFAULT_ON
+       bool "Harden memory copies by default"
+       depends on HARDENED_USERCOPY
+       default HARDENED_USERCOPY
+       help
+         This has the effect of setting "hardened_usercopy=on" on the kernel
+         command line. This can be disabled with "hardened_usercopy=off".
+
 endmenu
 
 menu "Hardening of kernel data structures"
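Review bot: The help text for HARDENED_USERCOPY_DEFAULT_ON does not say what answering N does, which is the case an administrator most needs spelled out. Judging from the mm/usercopy.c change, the checks stay compiled in but are off at boot unless the command line enables them. Suggested addition to the help: `Say N to build the checks but leave them disabled at boot; they can then be enabled with "hardened_usercopy=on".` As a point of style, the entry already has `depends on HARDENED_USERCOPY`, so `default HARDENED_USERCOPY` should behave the same as `default y`, which reads more plainly.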