lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4116b91a-4fb5-414d-5fd5-36be151c600c@redhat.com>
Date:   Wed, 25 Jan 2017 12:25:03 +0100
From:   Laura Abbott <labbott@...hat.com>
To:     Mark Rutland <mark.rutland@....com>
Cc:     Kees Cook <keescook@...omium.org>,
        Jason Wessel <jason.wessel@...driver.com>,
        Jonathan Corbet <corbet@....net>,
        Russell King <linux@...linux.org.uk>,
        Catalin Marinas <catalin.marinas@....com>,
        Will Deacon <will.deacon@....com>,
        "James E.J. Bottomley" <jejb@...isc-linux.org>,
        Helge Deller <deller@....de>,
        Martin Schwidefsky <schwidefsky@...ibm.com>,
        Heiko Carstens <heiko.carstens@...ibm.com>,
        Thomas Gleixner <tglx@...utronix.de>,
        Ingo Molnar <mingo@...hat.com>,
        "H. Peter Anvin" <hpa@...or.com>, x86@...nel.org,
        Rob Herring <robh@...nel.org>,
        "Rafael J. Wysocki" <rjw@...ysocki.net>,
        Len Brown <len.brown@...el.com>, Pavel Machek <pavel@....cz>,
        Jessica Yu <jeyu@...hat.com>, linux-doc@...r.kernel.org,
        linux-kernel@...r.kernel.org, linux-arm-kernel@...ts.infradead.org,
        linux-parisc@...r.kernel.org, linux-s390@...r.kernel.org,
        linux-pm@...r.kernel.org, kernel-hardening@...ts.openwall.com
Subject: Re: [PATCH 1/2] security: Change name of CONFIG_DEBUG_RODATA

On 01/19/2017 11:56 AM, Mark Rutland wrote:
> Hi Laura,
>
> On Wed, Jan 18, 2017 at 05:29:05PM -0800, Laura Abbott wrote:
>>
>> Despite the word 'debug' in CONFIG_DEBUG_RODATA, this kernel option
>> provides key security features that are to be expected on a modern
>> system. Change the name to CONFIG_HARDENED_PAGE_MAPPINGS which more
>> accurately describes what this option is intended to do.
>
> This generally sounds good. Thanks for attacking this!
>
> On the bikeshedding front, *maybe* it would be nice to mention
> permissions in the name, something like STRICT_KERNEL_RWX. That might
> also prevent the reading of 'hardened' as 'optional overhead'.
>
> That said, the proposed name is fine by me -- I'm happy so long as
> 'DEBUG' goes.
>

(Apologies for the delay, my SMTP was set up incorrectly so my
messages didn't actually get sent out)

I like that better since it's describing specifically what the config
should be setting as opposed to something more vague. That might fit
better with what Pavel was suggesting as well.

Thanks,
Laura


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ