Kees Cook 28f0c335dd devtmpfs: mount with noexec and nosuid
devtmpfs is writable. Add the noexec and nosuid as default mount flags
to prevent code execution from /dev. The systems who don't use systemd
and who rely on CONFIG_DEVTMPFS_MOUNT=y are the ones to be protected by
this patch. Other systems are fine with the udev solution.

No sane program should be relying on executing from /dev. So this patch
reduces the attack surface. It doesn't prevent any specific attack, but
it reduces the possibility that someone can use /dev as a place to put
executable code. Chrome OS has been carrying this patch for several
years. It seems trivial and simple solution to improve the protection of
/dev when CONFIG_DEVTMPFS_MOUNT=y.

Original patch:
https://lore.kernel.org/lkml/20121120215059.GA1859@www.outflux.net/

Cc: ellyjones@chromium.org
Cc: Kay Sievers <kay@vrfy.org>
Cc: Roland Eggner <edvx1@systemanalysen.net>
Co-developed-by: Muhammad Usama Anjum <usama.anjum@collabora.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Muhammad Usama Anjum <usama.anjum@collabora.com>
Link: https://lore.kernel.org/r/YcMfDOyrg647RCmd@debian-BULLSEYE-live-builder-AMD64
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-12-30 13:54:42 +01:00

234 lines
7.4 KiB
Plaintext

# SPDX-License-Identifier: GPL-2.0
menu "Generic Driver Options"
config AUXILIARY_BUS
bool
config UEVENT_HELPER
bool "Support for uevent helper"
help
The uevent helper program is forked by the kernel for
every uevent.
Before the switch to the netlink-based uevent source, this was
used to hook hotplug scripts into kernel device events. It
usually pointed to a shell script at /sbin/hotplug.
This should not be used today, because usual systems create
many events at bootup or device discovery in a very short time
frame. One forked process per event can create so many processes
that it creates a high system load, or on smaller systems
it is known to create out-of-memory situations during bootup.
config UEVENT_HELPER_PATH
string "path to uevent helper"
depends on UEVENT_HELPER
default ""
help
To disable user space helper program execution at by default
specify an empty string here. This setting can still be altered
via /proc/sys/kernel/hotplug or via /sys/kernel/uevent_helper
later at runtime.
config DEVTMPFS
bool "Maintain a devtmpfs filesystem to mount at /dev"
help
This creates a tmpfs/ramfs filesystem instance early at bootup.
In this filesystem, the kernel driver core maintains device
nodes with their default names and permissions for all
registered devices with an assigned major/minor number.
Userspace can modify the filesystem content as needed, add
symlinks, and apply needed permissions.
It provides a fully functional /dev directory, where usually
udev runs on top, managing permissions and adding meaningful
symlinks.
In very limited environments, it may provide a sufficient
functional /dev without any further help. It also allows simple
rescue systems, and reliably handles dynamic major/minor numbers.
Notice: if CONFIG_TMPFS isn't enabled, the simpler ramfs
file system will be used instead.
config DEVTMPFS_MOUNT
bool "Automount devtmpfs at /dev, after the kernel mounted the rootfs"
depends on DEVTMPFS
help
This will instruct the kernel to automatically mount the
devtmpfs filesystem at /dev, directly after the kernel has
mounted the root filesystem. The behavior can be overridden
with the commandline parameter: devtmpfs.mount=0|1.
This option does not affect initramfs based booting, here
the devtmpfs filesystem always needs to be mounted manually
after the rootfs is mounted.
With this option enabled, it allows to bring up a system in
rescue mode with init=/bin/sh, even when the /dev directory
on the rootfs is completely empty.
config DEVTMPFS_SAFE
bool "Use nosuid,noexec mount options on devtmpfs"
depends on DEVTMPFS
help
This instructs the kernel to include the MS_NOEXEC and MS_NOSUID mount
flags when mounting devtmpfs.
Notice: If enabled, things like /dev/mem cannot be mmapped
with the PROT_EXEC flag. This can break, for example, non-KMS
video drivers.
config STANDALONE
bool "Select only drivers that don't need compile-time external firmware"
default y
help
Select this option if you don't have magic firmware for drivers that
need it.
If unsure, say Y.
config PREVENT_FIRMWARE_BUILD
bool "Disable drivers features which enable custom firmware building"
default y
help
Say yes to disable driver features which enable building a custom
driver firmware at kernel build time. These drivers do not use the
kernel firmware API to load firmware (CONFIG_FW_LOADER), instead they
use their own custom loading mechanism. The required firmware is
usually shipped with the driver, building the driver firmware
should only be needed if you have an updated firmware source.
Firmware should not be being built as part of kernel, these days
you should always prevent this and say Y here. There are only two
old drivers which enable building of its firmware at kernel build
time:
o CONFIG_WANXL through CONFIG_WANXL_BUILD_FIRMWARE
o CONFIG_SCSI_AIC79XX through CONFIG_AIC79XX_BUILD_FIRMWARE
source "drivers/base/firmware_loader/Kconfig"
config WANT_DEV_COREDUMP
bool
help
Drivers should "select" this option if they desire to use the
device coredump mechanism.
config ALLOW_DEV_COREDUMP
bool "Allow device coredump" if EXPERT
default y
help
This option controls if the device coredump mechanism is available or
not; if disabled, the mechanism will be omitted even if drivers that
can use it are enabled.
Say 'N' for more sensitive systems or systems that don't want
to ever access the information to not have the code, nor keep any
data.
If unsure, say Y.
config DEV_COREDUMP
bool
default y if WANT_DEV_COREDUMP
depends on ALLOW_DEV_COREDUMP
config DEBUG_DRIVER
bool "Driver Core verbose debug messages"
depends on DEBUG_KERNEL
help
Say Y here if you want the Driver core to produce a bunch of
debug messages to the system log. Select this if you are having a
problem with the driver core and want to see more of what is
going on.
If you are unsure about this, say N here.
config DEBUG_DEVRES
bool "Managed device resources verbose debug messages"
depends on DEBUG_KERNEL
help
This option enables kernel parameter devres.log. If set to
non-zero, devres debug messages are printed. Select this if
you are having a problem with devres or want to debug
resource management for a managed device. devres.log can be
switched on and off from sysfs node.
If you are unsure about this, Say N here.
config DEBUG_TEST_DRIVER_REMOVE
bool "Test driver remove calls during probe (UNSTABLE)"
depends on DEBUG_KERNEL
help
Say Y here if you want the Driver core to test driver remove functions
by calling probe, remove, probe. This tests the remove path without
having to unbind the driver or unload the driver module.
This option is expected to find errors and may render your system
unusable. You should say N here unless you are explicitly looking to
test this functionality.
config PM_QOS_KUNIT_TEST
bool "KUnit Test for PM QoS features" if !KUNIT_ALL_TESTS
depends on KUNIT=y
default KUNIT_ALL_TESTS
config HMEM_REPORTING
bool
default n
depends on NUMA
help
Enable reporting for heterogeneous memory access attributes under
their non-uniform memory nodes.
source "drivers/base/test/Kconfig"
config SYS_HYPERVISOR
bool
default n
config GENERIC_CPU_DEVICES
bool
default n
config GENERIC_CPU_AUTOPROBE
bool
config GENERIC_CPU_VULNERABILITIES
bool
config SOC_BUS
bool
select GLOB
source "drivers/base/regmap/Kconfig"
config DMA_SHARED_BUFFER
bool
default n
select IRQ_WORK
help
This option enables the framework for buffer-sharing between
multiple drivers. A buffer is associated with a file using driver
APIs extension; the file's descriptor can then be passed on to other
driver.
config DMA_FENCE_TRACE
bool "Enable verbose DMA_FENCE_TRACE messages"
depends on DMA_SHARED_BUFFER
help
Enable the DMA_FENCE_TRACE printks. This will add extra
spam to the console log, but will make it easier to diagnose
lockup related problems for dma-buffers shared across multiple
devices.
config GENERIC_ARCH_TOPOLOGY
bool
help
Enable support for architectures common topology code: e.g., parsing
CPU capacity information from DT, usage of such information for
appropriate scaling, sysfs interface for reading capacity values at
runtime.
config GENERIC_ARCH_NUMA
bool
help
Enable support for generic NUMA implementation. Currently, RISC-V
and ARM64 use it.
endmenu