This is a "v4" of Greg Hackmann's DT bindings for ramoops. This is
what I'm going to land in the pstore tree unless there are strong and
convincing arguments against it. :)
I made a number of changes based on people's feedback, and I want to get
it unblocked. This patch is already carried by
On Tue, Jun 14, 2016 at 2:59 PM, Rob Herring <r...@kernel.org> wrote:
> On Fri, Jun 10, 2016 at 03:50:58PM -0700, Kees Cook wrote:
>> This is a "v4" of Greg Hackmann's DT bindings for ramoops. This is
>> what I'm going to land in the pstore tree unless there are str
With the commit "Fix 64-bit code passing control to image kernel", there
is no longer a problem with hibernation resuming a KASLR-booted kernel
image.
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
Depends on: https://lkml.org/lkml/2016/6/13/442
---
Documentation/kernel-par
On Wed, Jun 22, 2016 at 8:59 AM, Thomas Garnier <thgar...@google.com> wrote:
> On Wed, Jun 22, 2016 at 5:47 AM, Jason Cooper <ja...@lakedaemon.net> wrote:
>> Hey Kees,
>>
>> On Tue, Jun 21, 2016 at 05:46:57PM -0700, Kees Cook wrote:
>>
d list).
Signed-off-by: Thomas Garnier <thgar...@google.com>
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
arch/x86/include/asm/kaslr.h| 1 +
arch/x86/include/asm/pgtable_64_types.h | 4 +++-
arch/x86/mm/kaslr.c | 24 +++-
3
arnier <thgar...@google.com>
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
arch/x86/mm/init_64.c | 162 ++
1 file changed, 96 insertions(+), 66 deletions(-)
diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c
index bce2e5d9
<thgar...@google.com>
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
arch/x86/include/asm/pgtable.h | 12
arch/x86/mm/init.c | 3 +++
arch/x86/realmode/init.c | 5 -
3 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/arch/x86/inclu
From: Thomas Garnier <thgar...@google.com>
Move the KASLR entropy functions into arch/x86/lib to be used in early
kernel boot for KASLR memory randomization.
Signed-off-by: Thomas Garnier <thgar...@google.com>
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
arch/x86/boot/
the static value
since it is not yet randomized during this boot stage.
Signed-off-by: Thomas Garnier <thgar...@google.com>
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
arch/x86/boot/compressed/pagetable.c | 3 +++
arch/x86/include/asm/kaslr.h | 2 ++
arch/x86/incl
educed especially from boot.
Signed-off-by: Thomas Garnier <thgar...@google.com>
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
arch/x86/include/asm/kaslr.h| 1 +
arch/x86/include/asm/pgtable_64_types.h | 15 +++
arch/x86/mm/kaslr.c | 5
This is v7 of Thomas Garnier's KASLR for memory areas (physical memory
mapping, vmalloc, vmemmap). It expects to be applied on top of the
x86/boot tip.
The current implementation of KASLR randomizes only the base address of
the kernel and its modules. Research was published showing that static
> On Wed, Apr 13, 2016 at 9:12 AM, Kees Cook <keesc...@chromium.org> wrote:
>> On Mon, Jan 11, 2016 at 7:23 AM, Ben Hutchings <b...@decadent.org.uk>
>> wrote:
>>> When kernel.perf_event_open is set to 3 (or greater), disallow all
>>> access
on is at:
> http://www.av8n.com/computer/htm/secure-random.htm#sec-boot-image
Interesting! This might pose a problem for signed images, though.
(Actually, for signed arm kernels is the DT signed too? If so, it
would be a similar problem.)
-Kees
--
Kees Cook
Chrome OS & Brillo Securi
On Thu, Jun 23, 2016 at 12:33 PM, Jason Cooper <ja...@lakedaemon.net> wrote:
> Hey Kees, Thomas,
>
> On Wed, Jun 22, 2016 at 10:05:51AM -0700, Kees Cook wrote:
>> On Wed, Jun 22, 2016 at 8:59 AM, Thomas Garnier <thgar...@google.com> wrote:
>> > On Wed, Jun 2
x v1.22.1 (Debian 1:1.22.0-19) built-in shell (ash)
> Enter 'help' for a list of built-in commands.
>
> (initramfs) cd second
> (initramfs) echo $$ >cgroup.procs
> (initramfs) cat capability.used
> # nothing so far
> (initramfs) chown 1234 /dev/z_*
> (initramf
ty
> +--
> +
> +The goal of this property is to also provide backwards compatibility with
> +existing systems. The bootloaders on these deployed systems typically lack
> +the ability to edit a devicetree or read from an hwrng. The only requirement
> +for a bootloader is t
the whole kernel with
> +the cyclomatic complexity GCC plugin.
> +
> +
> +4. How to add a new GCC plugin
> +==
> +
> +The GCC plugins are in $(src)/tools/gcc/. You can use a file or a directory
> +here. It must be added to $(src)/tools/gcc/Makefile, $(src)/Makefile and
> +$(src)/arch/Kconfig.
> +See the cyc_complexity_plugin.c (CONFIG_GCC_PLUGIN_CYC_COMPLEXITY) GCC
> plugin.
> +
> +
> +5. Example GCC plugin
> +=
> +
> +You can find an example plugin under
> $(src)/Documentation/example_gcc_plugin.c .
> +This plugin has a GIMPLE pass that is inserted after the ssa GCC pass.
> +It prints out all the GIMPLE statements in a translation unit.
-Kees
--
Kees Cook
Chrome OS & Brillo Security
--
To unsubscribe from this list: send the line "unsubscribe linux-doc" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
the feature to reduce their attack surface without needing to
rebuild their kernels.
This is inspired by a similar restriction in Grsecurity, but adds
a sysctl.
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
This is the simplified version of the sysctl.
---
Documentation/sysctl/kernel.tx
On Sun, Feb 21, 2016 at 2:08 PM, Alasdair G Kergon <a...@redhat.com> wrote:
> On Sat, Feb 20, 2016 at 10:13:49AM -0800, Kees Cook wrote:
>> This is a resurrection of a patch series from a few years back, first
>> brought to the dm maintainers in 2010. It creates a way to
On Fri, Feb 26, 2016 at 11:21 AM, Mike Snitzer <snit...@redhat.com> wrote:
> On Fri, Feb 26 2016 at 1:52pm -0500,
> Kees Cook <keesc...@chromium.org> wrote:
>
>> On Fri, Feb 26, 2016 at 8:53 AM, Mike Snitzer <snit...@redhat.com> wrote:
>> > On Mon, Fe
On Fri, Feb 26, 2016 at 8:53 AM, Mike Snitzer <snit...@redhat.com> wrote:
> On Mon, Feb 22 2016 at 1:55pm -0500,
> Kees Cook <keesc...@chromium.org> wrote:
>
>> On Sun, Feb 21, 2016 at 2:08 PM, Alasdair G Kergon <a...@redhat.com> wrote:
>> > On Sat, F
On Fri, Jan 22, 2016 at 7:02 PM, Eric W. Biederman
<ebied...@xmission.com> wrote:
> Kees Cook <keesc...@chromium.org> writes:
>
>> There continues to be unexpected side-effects and security exposures
>> via CLONE_NEWUSER. For many end-users running distro kernels
On Fri, Jan 22, 2016 at 4:59 PM, Ben Hutchings <b...@decadent.org.uk> wrote:
> On Fri, 2016-01-22 at 15:00 -0800, Kees Cook wrote:
>> On Fri, Jan 22, 2016 at 2:55 PM, Robert Święcki <rob...@swiecki.net> wrote:
>> > 2016-01-22 23:50 GMT+01:00 Kees Cook <keesc...@c
a name or uuid.
The function added in this change performs the required association to
transition to being managed by the ioctl interface.
Signed-off-by: Will Drewry <w...@chromium.org>
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
v5: resurrection
v4: https://patchwork.kerne
For init to build a mapped_device, it must hold the appropriate locks,
so move these to the common header.
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
v5: first version of this specific patch in the series
---
drivers/md/dm.h | 2 --
include/linux/device-mapper
This is a resurrection of a patch series from a few years back, first
brought to the dm maintainers in 2010. It creates a way to define dm
devices on the kernel command line for systems that do not use an
initramfs, or otherwise need a dm running before init starts.
This has been used by Chrome
On Wed, Apr 6, 2016 at 3:04 PM, Rafael J. Wysocki <raf...@kernel.org> wrote:
> On Wed, Apr 6, 2016 at 11:56 PM, Ingo Molnar <mi...@kernel.org> wrote:
>>
>> * Rafael J. Wysocki <raf...@kernel.org> wrote:
>>
>>> On Wed, Apr 6, 2016 at 9:44 PM, Kee
nel image
> perspective).
>
> But if the kernel address space is randomized, set_up_temporary_mappings()
> really should duplicate the existing layout instead of creating a new one from
> scratch. Otherwise, virtual addresses before set_up_temporary_mappings() may
> be different from the
Provide an escaped (but readable: no inter-argument NULLs) commandline
safe for logging.
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
include/linux/string_helpers.h | 1 +
lib/string_helpers.c | 34 ++
2 files changed, 35 insertions(+)
Handle allocating and escaping a string safe for logging.
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
include/linux/string_helpers.h | 2 ++
lib/string_helpers.c | 28
2 files changed, 30 insertions(+)
diff --git a/include/linux/string_hel
module and firmware loading restrictions without
needing to sign the files individually.
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
Documentation/security/LoadPin.txt | 17
MAINTAINERS| 6 ++
include/linux/lsm_hooks.h | 5 +
security/K
Allocate a NULL-terminated file path with special characters escaped,
safe for logging.
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
include/linux/string_helpers.h | 3 +++
lib/string_helpers.c | 30 ++
2 files changed, 33 insertions(+)
diff
Providing human-readable (and audit-parsable) strings for the READING_*
enums is needed by some LSMs.
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
fs/exec.c | 19 +++
include/linux/fs.h | 1 +
2 files changed, 20 insertions(+)
diff --git a/fs/exec.c b/fs/
On Mon, Apr 11, 2016 at 11:21 AM, Geert Uytterhoeven
<ge...@linux-m68k.org> wrote:
> On Mon, Apr 11, 2016 at 8:03 PM, Kees Cook <keesc...@chromium.org> wrote:
>> On Mon, Apr 11, 2016 at 1:00 AM, James Morse <james.mo...@arm.com> wrote:
>>> On 06/04/16 20:44,
On Mon, Apr 11, 2016 at 1:00 AM, James Morse <james.mo...@arm.com> wrote:
> Hi Kees,
>
> On 06/04/16 20:44, Kees Cook wrote:
>> When building with both CONFIG_HIBERNATION and CONFIG_RANDOMIZE_BASE,
>> one or the other must be chosen at boot-time. Until now, hiber
On Thu, Apr 21, 2016 at 6:26 AM, Andy Shevchenko
<andriy.shevche...@linux.intel.com> wrote:
> On Wed, 2016-04-20 at 15:46 -0700, Kees Cook wrote:
>> From: Mimi Zohar <zo...@linux.vnet.ibm.com>
>>
>> A string representation of the kernel_read_file_id enumeration is
kernel_read_file_id id)
Reported-by: Andy Shevchenko <andriy.shevche...@linux.intel.com>
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
This is for linux-security next
---
include/linux/fs.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/linux/fs
This fixes several spelling mistakes in the Documentation/ tree, which
are caught by checkpatch.pl's spell checking.
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
Documentation/ABI/obsolete/sysfs-driver-hid-roccat-savu | 11 ++-
.../ABI/testing/sysfs-bus-event_source-d
On Tue, Apr 26, 2016 at 4:34 PM, Randy Dunlap <rdun...@infradead.org> wrote:
> On 04/26/16 16:28, Kees Cook wrote:
>> This fixes several spelling mistakes in the Documentation/ tree, which
>> are caught by checkpatch.pl's spell checking.
>>
>> Signed-off-by:
This fixes several spelling mistakes in the Documentation/ tree, which
are caught by checkpatch.pl's spell checking.
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
Documentation/ABI/obsolete/sysfs-driver-hid-roccat-savu | 4 ++--
Documentation/ABI/testing/sysfs-bus-event_
On Tue, Apr 26, 2016 at 9:06 PM, Zhao Lei <zhao...@cn.fujitsu.com> wrote:
> Hi, Kees Cook
>
> * From: Kees Cook [mailto:keesc...@chromium.org]
>> Sent: Wednesday, April 27, 2016 7:48 AM
>> To: Andrew Morton <a...@linux-foundation.org>
>> Cc: Randy Dunlap
s[0].base != _offset_base);
> - mem_tb = ((max_pfn << PAGE_SHIFT) >> TB_SHIFT);
> + mem_tb = ((max_pfn << PAGE_SHIFT) >> TB_SHIFT) + page_offset_padding;
In fact, can't this variable be entirely dropped and the mem_tb
calculation could just refer to RANDOMIZE_MEMO
> options and randomizes the base and space between each. The size of the
> physical memory mapping is the available physical memory. No performance
> impact was detected while testing the feature.
>
> Entropy is generated using the KASLR early boot functions now shared in
> the
> + if (has_cpuflag(X86_FEATURE_RDRAND)) {
> + debug_putstr(" RDRAND");
> + if (rdrand_long()) {
> + random ^= raw;
> + use_i8254 = false;
> + }
> + }
> +
> + if (has_cpuflag(X86_FEATURE_TSC)) {
> + debug_putstr(" RDTSC");
> + raw = rdtsc();
> +
> + random ^= raw;
> + use_i8254 = false;
> + }
> +
> + if (use_i8254) {
> + debug_putstr(" i8254");
> + random ^= i8254();
> + }
> +
> + /* Circular multiply for better bit diffusion */
> + asm("mul %3"
> + : "=a" (random), "=d" (raw)
> + : "a" (random), "rm" (mix_const));
> + random += raw;
> +
> + debug_putstr("...\n");
> +
> + return random;
> +}
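Review bot: In the X86_FEATURE_TSC branch, `use_i8254 = false` is set unconditionally, so on any CPU that reports a TSC the i8254 timer is never mixed in, including when RDRAND is absent or the `rdrand_long()` call fails. A single RDTSC reading taken this early in boot is a timing value, not a hardware random source, so either mix in `i8254()` whenever RDRAND did not contribute, or add a comment stating why RDTSC alone is considered sufficient. It would also help to document next to the `debug_putstr()` calls that the output names only the sources used and never the value, so later edits keep it that way.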
> --
> 2.8.0.rc3.226.g39d4020
>
-Kees
--
Kees Cook
Chrome OS & Brillo Security
Average Optimal load -j 12 Run (std deviation):
>> Elapsed Time 102.489 (1.10636)
>> User Time 1034.86 (1.36053)
>> System Time 87.764 (0.49345)
>> Percent CPU 1095 (12.7715)
>> Context Switches 199036 (4298.1)
>> Sleeps 97681.6 (1031.11)
>>
>> Hackbench shows 0% difference on average (hackbench 90
>> repeated 10 times):
>>
>> attemp,before,after
>> 1,0.076,0.069
>> 2,0.072,0.069
>> 3,0.066,0.066
>> 4,0.066,0.068
>> 5,0.066,0.067
>> 6,0.066,0.069
>> 7,0.067,0.066
>> 8,0.063,0.067
>> 9,0.067,0.065
>> 10,0.068,0.071
>> average,0.0677,0.0677
>>
>> Thanks!
>>
--
Kees Cook
Chrome OS & Brillo Security
On Tue, May 17, 2016 at 4:15 AM, Kees Cook <keesc...@chromium.org> wrote:
> I'm travelling this week, but I'll try to spend some time on it.
>
> -Kees
>
> On Mon, May 16, 2016 at 11:25 AM, Thomas Garnier <thgar...@google.com> wrote:
>> Any feedback on the patch? In
199036 (4298.1)
> Sleeps 97681.6 (1031.11)
>
> Hackbench shows 0% difference on average (hackbench 90
> repeated 10 times):
>
> attemp,before,after
> 1,0.076,0.069
> 2,0.072,0.069
> 3,0.066,0.066
> 4,0.066,0.068
> 5,0.066,0.067
> 6,0.066,0.069
> 7,0.067,0.066
On Tue, May 17, 2016 at 6:26 PM, Jonathan Corbet <cor...@lwn.net> wrote:
> On Mon, 16 May 2016 19:27:28 -0700
> Kees Cook <keesc...@chromium.org> wrote:
>
>> This document attempts to codify the intent around kernel self-protection
>> along with discussion of both
This document attempts to codify the intent around kernel self-protection
along with discussion of both existing and desired technologies, with
attention given to the rationale behind them, and the expectations of
their usage.
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
Documen
). Additionally
adds a section on structure randomization.
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
Documentation/security/self-protection.txt | 28 ++--
1 file changed, 18 insertions(+), 10 deletions(-)
diff --git a/Documentation/security/self-protectio
A common misspelling of "interruptible" is "interruptable". This fixes
them in the tree and adds the two most common variations to spelling.txt.
Suggested-by: Randy Dunlap <rdun...@infradead.org>
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
Documentat
> Add a new status line ("Umask") in /proc/<pid>/status. It contains
> the file mode creation mask (umask) in octal. It is only shown for
> tasks which have task->fs.
>
> This patch is adapted from one originally written by Pierre Carrier.
>
> Signed-off-by: Richard
On Thu, Apr 14, 2016 at 1:34 PM, Pavel Machek <pa...@denx.de> wrote:
> On Thu 2016-04-14 13:14:07, Kees Cook wrote:
>> On Thu, Apr 14, 2016 at 1:01 PM, Pavel Machek <pa...@denx.de> wrote:
>> > Hi!
>> >
>> >> Since kASLR and Hibernation can not cur
d users want to be able to select
>> kASLR on x86 by default at build time, create CONFIG_RANDOMIZE_BASE_ON
>> that is present only on x86.
>>
>> Signed-off-by: Kees Cook <keesc...@chromium.org>
>
> I believe this is a bad idea. arm64 shows that kaslr and hibernatio
Handle allocating and escaping a string safe for logging.
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
include/linux/string_helpers.h | 2 ++
lib/string_helpers.c | 28
2 files changed, 30 insertions(+)
diff --git a/include/linux/string_hel
Use a common error reporting function for Yama violation reports, and give
more detail into the process command lines.
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
security/yama/yama_lsm.c | 31 +--
1 file changed, 21 insertions(+), 10 deletions(-)
diff
al of my old version, constified pointer values]
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
include/linux/fs.h | 31 +--
1 file changed, 25 insertions(+), 6 deletions(-)
diff --git a/include/linux/fs.h b/include/linux/fs.h
index 70e61b58baaf..5
module and firmware loading restrictions without
needing to sign the files individually.
Signed-off-by: Kees Cook <keesc...@chromium.org>
Acked-by: Serge Hallyn <serge.hal...@canonical.com>
---
Documentation/security/LoadPin.txt | 17
MAINTAINERS| 6 ++
i
Provide an escaped (but readable: no inter-argument NULLs) commandline
safe for logging.
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
include/linux/string_helpers.h | 1 +
lib/string_helpers.c | 34 ++
2 files changed, 35 insertions(+)
Allocate a NULL-terminated file path with special characters escaped,
safe for logging.
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
include/linux/string_helpers.h | 3 +++
lib/string_helpers.c | 30 ++
2 files changed, 33 insertions(+)
diff
This provides the mini-LSM "loadpin" that intercepts the now consolidated
kernel_file_read LSM hook so that a system can keep all loads coming from
a single trusted filesystem. This is what Chrome OS uses to pin kernel
module and firmware loading to the read-only crypto-verified dm-verity
source.com/#/c/234400/
> [2] Original patch by Ben Hutchings:
> https://lkml.org/lkml/2016/1/11/587
> [3] https://android-review.googlesource.com/#/c/234743/
>
> Signed-off-by: Jeff Vander Stoep <je...@google.com>
Thanks for splitting this up! It'll be nice to have th
>> + changed.
>
> NAK.
>
> Apart from the fact that I hate the 3 thing this is not how you do
> default CONFIG knobs for !bool state variables.
>
> Use an "int" config not a "bool" config and allow all options to be
> default.
How about leavi
users.
That's not my goal: legitimate users should have access. That's up to
system owners. But I'd like to provide ways for system owners to keep
illegitimate users from having access. :)
> Kees Cook <keesc...@chromium.org> writes:
>
>> On Tue, Aug 2, 2016 at 1:30 PM, Peter
ovide additional unpredictability on otherwise
low-entropy systems.
Based on work created by the PaX Team.
Signed-off-by: Emese Revfy <re.em...@gmail.com>
[kees: renamed parameter, dropped relationship with plugin, updated log]
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
This p
On Tue, Jun 21, 2016 at 8:46 PM, Kees Cook <keesc...@chromium.org> wrote:
> This is v7 of Thomas Garnier's KASLR for memory areas (physical memory
> mapping, vmalloc, vmemmap). It expects to be applied on top of the
> x86/boot tip.
>
> The current implementation of KASLR ran
On Tue, Aug 2, 2016 at 1:30 PM, Peter Zijlstra <pet...@infradead.org> wrote:
> On Tue, Aug 02, 2016 at 12:04:34PM -0700, Kees Cook wrote:
>
>> Now, obviously, these API have huge value, otherwise they wouldn't
>> exist in the first place, and they wouldn't be built
On Fri, Feb 3, 2017 at 12:29 PM, Russell King - ARM Linux
<li...@armlinux.org.uk> wrote:
> On Fri, Feb 03, 2017 at 11:45:56AM -0800, Kees Cook wrote:
>> On Fri, Feb 3, 2017 at 9:52 AM, Laura Abbott <labb...@redhat.com> wrote:
>> > diff --git a/arch/Kconfig b/a
ce.
>
> +config ARCH_NO_STRICT_RWX_DEFAULTS
> + def_bool n
> +
> +config ARCH_HAS_STRICT_KERNEL_RWX
> + def_bool n
> +
> +config DEBUG_RODATA
> + def_bool y if !ARCH_NO_STRICT_RWX_DEFAULTS
> + prompt "Make kernel text and rodata read-only"
> CONFIG_AEABI=y
> CONFIG_UACCESS_WITH_MEMCPY=y
> CONFIG_SECCOMP=y
Are these defconfig cases correct (dropping DEBUG_RODATA without
adding STRICT_KERNEL_RWX)?
Who should carry this series, btw?
-Kees
--
Kees Cook
Pixel Security
On Fri, Feb 3, 2017 at 2:28 PM, Russell King - ARM Linux
<li...@armlinux.org.uk> wrote:
> On Fri, Feb 03, 2017 at 01:08:40PM -0800, Kees Cook wrote:
>> On Fri, Feb 3, 2017 at 12:29 PM, Russell King - ARM Linux
>> <li...@armlinux.org.uk> wrote:
>> > On Fri, Fe
2 +-
> kernel/power/power.h | 4 ++--
> kernel/power/snapshot.c| 4 ++--
> 33 files changed, 90 insertions(+), 109 deletions(-)
>
> --
> 2.7.4
>
--
Kees Cook
Pixel Security
the tracer can give the same information, this patch entirely
removes CONFIG_TIMER_STATS.
Suggested-by: Thomas Gleixner <t...@linutronix.de>
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
Documentation/timers/timer_stats.txt | 73 --
include/linux/hrtimer.h
the tracer can give the same information, this patch entirely
removes CONFIG_TIMER_STATS.
Suggested-by: Thomas Gleixner <t...@linutronix.de>
Signed-off-by: Kees Cook <keesc...@chromium.org>
Acked-by: John Stultz <john.stu...@linaro.org>
---
v2:
- dropped doc comments for removed
On Mon, Feb 6, 2017 at 10:49 AM, Laura Abbott <labb...@redhat.com> wrote:
> On 02/03/2017 12:03 PM, Kees Cook wrote:
>> On Fri, Feb 3, 2017 at 9:52 AM, Laura Abbott <labb...@redhat.com> wrote:
>>>
>>> Both of these options are poorly named. The features th
how technical it gets. And I think the performance
impact is almost entirely negligible compared to the risks addressed.
-Kees
--
Kees Cook
Pixel Security
the
variables can all be const.
Inspired by similar changes in grsecurity/PaX.
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
Documentation/cdrom/cdrom-standard.tex | 9 +-
drivers/block/paride/pcd.c | 2 +-
drivers/cdrom/cdrom.c
his mandatory on all
> architectures with support.
Oh, I totally missed this. Yes, we need it to stay mandatory. It
should be possible by just adding "select HARDENED_PAGE_MAPPINGS" to
the arch Kconfig, yes?
> It would be good to see if we could make this mandatory for arm and
> parisc,
aybe arch/Kconfig? (Arguably, HARDENED_USERCOPY
shouldn't be in security/Kconfig either, since security/Kconfig is
mostly LSM or userspace-facing stuff? I dunno.)
As for the bikeshed on the naming, I like "KERNEL_RWX", and it likely
doesn't need "STRICT", IMO. CONFIG_KERNEL_RWX ? I
> security: Change name of CONFIG_DEBUG_RODATA
> security: Change name of CONFIG_DEBUG_SET_MODULE_RONX
Some day I'll quit reading my email backwards. :) I see you've got
MODULE_RONX renamed too here, please ignore my comment about needing
it "too". :)
-Kees
--
Kees Cook
Nexus Security
On Mon, Sep 5, 2016 at 1:14 PM, <robert.f...@collabora.com> wrote:
> From: Robert Foss <robert.f...@collabora.com>
>
> Fixed a -> an typo.
>
> Signed-off-by: Robert Foss <robert.f...@collabora.com>
Acked-by: Kees Cook <keesc...@chromium.org>
This cou
amples and removes
> CONFIG_BUILD_DOCSRC.
>
> The second one updates 00-INDEX files under Documentation to reflect the
> move of runnable code from Documentation.
Looks good to me!
Reviewed-by: Kees Cook <keesc...@chromium.org>
-Kees
--
Kees Cook
Nexus Security
On Thu, Oct 6, 2016 at 2:19 PM, Joe Perches <j...@perches.com> wrote:
> On Thu, 2016-10-06 at 14:00 -0700, Kees Cook wrote:
>
>> And based on my read of this thread, we all appear to be in violent
>> agreement. :) "always protect %p" is absolutely the goal, and
thors be aware of an opt-in security feature. The kernel
should protect itself (and all of itself, including out-of-tree or
future code) by default.
And based on my read of this thread, we all appear to be in violent
agreement. :) "always protect %p" is absolutely the goal, and we
ercopy_object()? The hardened usercopy part of the slab
whitelisting can be separate, since it likely needs a different
usercopy interface to sanely integrate with upstream.
-Kees
--
Kees Cook
Nexus Security
re scoped restriction (e.g. using
> capabilities or some other access control mechanism), but no-one had the
> time to work on that.
>
> Does that match everyone's understanding, or am I mistaken?
That's correct: some kind of finer-grain control would be preferred to
the maintainer,
Similar to being able to examine if a process has been correctly confined
with seccomp, the state of no_new_privs is equally interesting, so this
adds it to /proc/$pid/status.
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
Documentation/filesystems/proc.txt | 2 ++
fs/proc/a
On Thu, Dec 8, 2016 at 1:10 PM, Luis R. Rodriguez <mcg...@kernel.org> wrote:
> On Thu, Dec 8, 2016 at 2:30 PM, Kees Cook <keesc...@chromium.org> wrote:
>> On Thu, Dec 8, 2016 at 11:48 AM, Luis R. Rodriguez <mcg...@kernel.org> wrote:
>>> While looking for earl
g the internals of the
> + * process tables to get the command line, proc_pid_cmdline is static
> + * and it is not worth changing the proc code just to handle this case.
> + *
> + * "trace the ppid" is simple, but will fail if someone's
> + * parent exits. I think this is as good as it gets.
>
dec(_concurrent);
> - return -ENOMEM;
> + return ret;
> }
>
> trace_module_request(module_name, wait, _RET_IP_);
>
> ret = call_modprobe(module_name, wait ? UMH_WAIT_PROC :
> UMH_WAIT_EXEC);
>
> - atomic_dec(_concurrent);
>
On Thu, Jun 9, 2016 at 12:29 PM, Jonathan Corbet <cor...@lwn.net> wrote:
> On Wed, 18 May 2016 06:55:45 -0700
> Kees Cook <keesc...@chromium.org> wrote:
>
>> A common misspelling of "interruptible" is "interruptable". This fixes
>> the
On Thu, Jun 9, 2016 at 1:11 PM, Joe Perches <j...@perches.com> wrote:
> On Thu, 2016-06-09 at 13:29 -0600, Jonathan Corbet wrote:
>> On Wed, 18 May 2016 06:55:45 -0700 Kees Cook <keesc...@chromium.org> wrote:
>> > A common misspelling of "interruptible"
ibernation (with a warning). Booting with "nokaslr" will disable KASLR
and enable hibernation.
Reported-by: Evgenii Shatokhin <eugene.shatok...@yandex.ru>
Signed-off-by: Kees Cook <keesc...@chromium.org>
Cc: sta...@vger.kernel.org # v4.8+
---
Documentation/admin-guide/kernel
On Sat, Mar 25, 2017 at 7:54 AM, Evgenii Shatokhin
<eugene.shatok...@yandex.ru> wrote:
> On 23.03.2017 18:30, Rafael J. Wysocki wrote:
>>
>> On Thu, Mar 23, 2017 at 2:23 PM, Evgenii Shatokhin
>> <eugene.shatok...@yandex.ru> wrote:
>>>
or mine?
If you have other changes queued for v4.11, please take it via your
tree. Otherwise, perhaps the docs tree or mine? (I don't currently
have any fixes queued; I'm just trying to minimize pull requests going
to Linus...)
-Kees
--
Kees Cook
Pixel Security
584 insertions(+), 8 deletions(-)
> create mode 100644 Documentation/device-mapper/boot.txt
> create mode 100644 init/do_mounts_dm.c
>
> --
> 2.9.3
>
--
Kees Cook
Pixel Security
On Tue, Mar 7, 2017 at 8:22 AM, Namhyung Kim <namhy...@gmail.com> wrote:
> On Tue, Mar 7, 2017 at 6:55 AM, Kees Cook <keesc...@chromium.org> wrote:
>> The read/mkfile pair pass the same arguments and should be cleared
>> between calls. Move to a structure and wipe it aft
-by: Kees Cook <keesc...@chromium.org>
Acked-by: Willy Tarreau <w...@1wt.eu>
---
Related question: shouldn't security-bugs.rst and submitting-patches.rst live
in /process/ rather than /admin-guide/ ?
---
Documentation/admin-guide/security-bugs.rst | 39 +
1 file
This removes the argument list for the erase() callback and replaces it
with a pointer to the backend record details to be removed.
Signed-off-by: Kees Cook <keesc...@chromium.org>
---
drivers/acpi/apei/erst.c | 8 +++-
drivers/firmware/efi/efi-pstore.
For a long time I've been bothered by the complexity of argument passing
in the pstore internals, which makes understanding things and changing
things extremely fragile.
With the proposal of a new backend (EPI capsules), and my attempts to
reorganize things for the proposed multiple-pmsg