mirror of
https://github.com/torvalds/linux.git
synced 2024-11-29 23:51:37 +00:00
28f0c335dd
devtmpfs is writable. Add the noexec and nosuid as default mount flags to prevent code execution from /dev. The systems who don't use systemd and who rely on CONFIG_DEVTMPFS_MOUNT=y are the ones to be protected by this patch. Other systems are fine with the udev solution. No sane program should be relying on executing from /dev. So this patch reduces the attack surface. It doesn't prevent any specific attack, but it reduces the possibility that someone can use /dev as a place to put executable code. Chrome OS has been carrying this patch for several years. It seems trivial and simple solution to improve the protection of /dev when CONFIG_DEVTMPFS_MOUNT=y. Original patch: https://lore.kernel.org/lkml/20121120215059.GA1859@www.outflux.net/ Cc: ellyjones@chromium.org Cc: Kay Sievers <kay@vrfy.org> Cc: Roland Eggner <edvx1@systemanalysen.net> Co-developed-by: Muhammad Usama Anjum <usama.anjum@collabora.com> Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Muhammad Usama Anjum <usama.anjum@collabora.com> Link: https://lore.kernel.org/r/YcMfDOyrg647RCmd@debian-BULLSEYE-live-builder-AMD64 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
234 lines
7.4 KiB
Plaintext
234 lines
7.4 KiB
Plaintext
# SPDX-License-Identifier: GPL-2.0
|
|
menu "Generic Driver Options"
|
|
|
|
config AUXILIARY_BUS
|
|
bool
|
|
|
|
config UEVENT_HELPER
|
|
bool "Support for uevent helper"
|
|
help
|
|
The uevent helper program is forked by the kernel for
|
|
every uevent.
|
|
Before the switch to the netlink-based uevent source, this was
|
|
used to hook hotplug scripts into kernel device events. It
|
|
usually pointed to a shell script at /sbin/hotplug.
|
|
This should not be used today, because usual systems create
|
|
many events at bootup or device discovery in a very short time
|
|
frame. One forked process per event can create so many processes
|
|
that it creates a high system load, or on smaller systems
|
|
it is known to create out-of-memory situations during bootup.
|
|
|
|
config UEVENT_HELPER_PATH
|
|
string "path to uevent helper"
|
|
depends on UEVENT_HELPER
|
|
default ""
|
|
help
|
|
To disable user space helper program execution at by default
|
|
specify an empty string here. This setting can still be altered
|
|
via /proc/sys/kernel/hotplug or via /sys/kernel/uevent_helper
|
|
later at runtime.
|
|
|
|
config DEVTMPFS
|
|
bool "Maintain a devtmpfs filesystem to mount at /dev"
|
|
help
|
|
This creates a tmpfs/ramfs filesystem instance early at bootup.
|
|
In this filesystem, the kernel driver core maintains device
|
|
nodes with their default names and permissions for all
|
|
registered devices with an assigned major/minor number.
|
|
Userspace can modify the filesystem content as needed, add
|
|
symlinks, and apply needed permissions.
|
|
It provides a fully functional /dev directory, where usually
|
|
udev runs on top, managing permissions and adding meaningful
|
|
symlinks.
|
|
In very limited environments, it may provide a sufficient
|
|
functional /dev without any further help. It also allows simple
|
|
rescue systems, and reliably handles dynamic major/minor numbers.
|
|
|
|
Notice: if CONFIG_TMPFS isn't enabled, the simpler ramfs
|
|
file system will be used instead.
|
|
|
|
config DEVTMPFS_MOUNT
|
|
bool "Automount devtmpfs at /dev, after the kernel mounted the rootfs"
|
|
depends on DEVTMPFS
|
|
help
|
|
This will instruct the kernel to automatically mount the
|
|
devtmpfs filesystem at /dev, directly after the kernel has
|
|
mounted the root filesystem. The behavior can be overridden
|
|
with the commandline parameter: devtmpfs.mount=0|1.
|
|
This option does not affect initramfs based booting, here
|
|
the devtmpfs filesystem always needs to be mounted manually
|
|
after the rootfs is mounted.
|
|
With this option enabled, it allows to bring up a system in
|
|
rescue mode with init=/bin/sh, even when the /dev directory
|
|
on the rootfs is completely empty.
|
|
|
|
config DEVTMPFS_SAFE
|
|
bool "Use nosuid,noexec mount options on devtmpfs"
|
|
depends on DEVTMPFS
|
|
help
|
|
This instructs the kernel to include the MS_NOEXEC and MS_NOSUID mount
|
|
flags when mounting devtmpfs.
|
|
|
|
Notice: If enabled, things like /dev/mem cannot be mmapped
|
|
with the PROT_EXEC flag. This can break, for example, non-KMS
|
|
video drivers.
|
|
|
|
config STANDALONE
|
|
bool "Select only drivers that don't need compile-time external firmware"
|
|
default y
|
|
help
|
|
Select this option if you don't have magic firmware for drivers that
|
|
need it.
|
|
|
|
If unsure, say Y.
|
|
|
|
config PREVENT_FIRMWARE_BUILD
|
|
bool "Disable drivers features which enable custom firmware building"
|
|
default y
|
|
help
|
|
Say yes to disable driver features which enable building a custom
|
|
driver firmware at kernel build time. These drivers do not use the
|
|
kernel firmware API to load firmware (CONFIG_FW_LOADER), instead they
|
|
use their own custom loading mechanism. The required firmware is
|
|
usually shipped with the driver, building the driver firmware
|
|
should only be needed if you have an updated firmware source.
|
|
|
|
Firmware should not be being built as part of kernel, these days
|
|
you should always prevent this and say Y here. There are only two
|
|
old drivers which enable building of its firmware at kernel build
|
|
time:
|
|
|
|
o CONFIG_WANXL through CONFIG_WANXL_BUILD_FIRMWARE
|
|
o CONFIG_SCSI_AIC79XX through CONFIG_AIC79XX_BUILD_FIRMWARE
|
|
|
|
source "drivers/base/firmware_loader/Kconfig"
|
|
|
|
config WANT_DEV_COREDUMP
|
|
bool
|
|
help
|
|
Drivers should "select" this option if they desire to use the
|
|
device coredump mechanism.
|
|
|
|
config ALLOW_DEV_COREDUMP
|
|
bool "Allow device coredump" if EXPERT
|
|
default y
|
|
help
|
|
This option controls if the device coredump mechanism is available or
|
|
not; if disabled, the mechanism will be omitted even if drivers that
|
|
can use it are enabled.
|
|
Say 'N' for more sensitive systems or systems that don't want
|
|
to ever access the information to not have the code, nor keep any
|
|
data.
|
|
|
|
If unsure, say Y.
|
|
|
|
config DEV_COREDUMP
|
|
bool
|
|
default y if WANT_DEV_COREDUMP
|
|
depends on ALLOW_DEV_COREDUMP
|
|
|
|
config DEBUG_DRIVER
|
|
bool "Driver Core verbose debug messages"
|
|
depends on DEBUG_KERNEL
|
|
help
|
|
Say Y here if you want the Driver core to produce a bunch of
|
|
debug messages to the system log. Select this if you are having a
|
|
problem with the driver core and want to see more of what is
|
|
going on.
|
|
|
|
If you are unsure about this, say N here.
|
|
|
|
config DEBUG_DEVRES
|
|
bool "Managed device resources verbose debug messages"
|
|
depends on DEBUG_KERNEL
|
|
help
|
|
This option enables kernel parameter devres.log. If set to
|
|
non-zero, devres debug messages are printed. Select this if
|
|
you are having a problem with devres or want to debug
|
|
resource management for a managed device. devres.log can be
|
|
switched on and off from sysfs node.
|
|
|
|
If you are unsure about this, Say N here.
|
|
|
|
config DEBUG_TEST_DRIVER_REMOVE
|
|
bool "Test driver remove calls during probe (UNSTABLE)"
|
|
depends on DEBUG_KERNEL
|
|
help
|
|
Say Y here if you want the Driver core to test driver remove functions
|
|
by calling probe, remove, probe. This tests the remove path without
|
|
having to unbind the driver or unload the driver module.
|
|
|
|
This option is expected to find errors and may render your system
|
|
unusable. You should say N here unless you are explicitly looking to
|
|
test this functionality.
|
|
|
|
config PM_QOS_KUNIT_TEST
|
|
bool "KUnit Test for PM QoS features" if !KUNIT_ALL_TESTS
|
|
depends on KUNIT=y
|
|
default KUNIT_ALL_TESTS
|
|
|
|
config HMEM_REPORTING
|
|
bool
|
|
default n
|
|
depends on NUMA
|
|
help
|
|
Enable reporting for heterogeneous memory access attributes under
|
|
their non-uniform memory nodes.
|
|
|
|
source "drivers/base/test/Kconfig"
|
|
|
|
config SYS_HYPERVISOR
|
|
bool
|
|
default n
|
|
|
|
config GENERIC_CPU_DEVICES
|
|
bool
|
|
default n
|
|
|
|
config GENERIC_CPU_AUTOPROBE
|
|
bool
|
|
|
|
config GENERIC_CPU_VULNERABILITIES
|
|
bool
|
|
|
|
config SOC_BUS
|
|
bool
|
|
select GLOB
|
|
|
|
source "drivers/base/regmap/Kconfig"
|
|
|
|
config DMA_SHARED_BUFFER
|
|
bool
|
|
default n
|
|
select IRQ_WORK
|
|
help
|
|
This option enables the framework for buffer-sharing between
|
|
multiple drivers. A buffer is associated with a file using driver
|
|
APIs extension; the file's descriptor can then be passed on to other
|
|
driver.
|
|
|
|
config DMA_FENCE_TRACE
|
|
bool "Enable verbose DMA_FENCE_TRACE messages"
|
|
depends on DMA_SHARED_BUFFER
|
|
help
|
|
Enable the DMA_FENCE_TRACE printks. This will add extra
|
|
spam to the console log, but will make it easier to diagnose
|
|
lockup related problems for dma-buffers shared across multiple
|
|
devices.
|
|
|
|
config GENERIC_ARCH_TOPOLOGY
|
|
bool
|
|
help
|
|
Enable support for architectures common topology code: e.g., parsing
|
|
CPU capacity information from DT, usage of such information for
|
|
appropriate scaling, sysfs interface for reading capacity values at
|
|
runtime.
|
|
|
|
config GENERIC_ARCH_NUMA
|
|
bool
|
|
help
|
|
Enable support for generic NUMA implementation. Currently, RISC-V
|
|
and ARM64 use it.
|
|
|
|
endmenu
|