On Mon, 2013-07-22 at 22:35 +0200, Reindl Harald wrote:
Am 22.07.2013 22:29, schrieb Paul Bolle:
> Are that the checks enabled by CONFIG_DEBUG_STRICT_USER_COPY_CHECKS? If
> so, they don't do anything on x86_64 (which Harald seems to be using),
> do they?
honestly i have no idea
i started to use checksec / hardening-check for make
sure any of my network services are proper hardened
and saw this below and thought no mistake to ask :-)
I missed that you already mentioned checksec in your original message.
But if I had noticed that, it wouldn't have mattered much, because until
very recently I never heard of it. But it turns out it is even included
in Fedora 18!
grep -B 2 -A 5 CONFIG_DEBUG_STRICT_USER_COPY_CHECKS /usr/bin/checksec
printf " Strict user copy checks: "
if $kconfig | grep -qi 'CONFIG_DEBUG_STRICT_USER_COPY_CHECKS=y'; then
printf "\033[32mEnabled\033[m\n"
else
printf "\033[31mDisabled\033[m\n"
fi
So, it appears to be a straightforward grep for
CONFIG_DEBUG_STRICT_USER_COPY_CHECKS.
But it isn't very useful to grep a /boot/config-* file for that macro.
For instance, it turns out that on x86_64 CONFIG_DEBUG_VM is actually
relevant, as it is that macro that enables a _runtime_ warning for
copy_from_user() issues. At least, it did, until it was decided that GCC
4.6+ isn't doing the necessary build time test correctly. Now that
_runtime_ check will never be triggered, won't it? So, even if
CONFIG_DEBUG_STRICT_USER_COPY_CHECKS was set, and checksec would print a
nice, and colorful, "Enabled" for this check, in practice that would
currently tell you nothing.
I haven't looked at the other greps for Kconfig macros in checksec. But,
looking just at this example, we might consider disabling these greps
for checksec in Fedora.
Paul Bolle