self-protection.rst (c25141062a82ae8bddced1b3ce2b57a1c0efabe0) self-protection.rst (227d1a61ed87033285d187214f305c27895176f9)
1======================
2Kernel Self-Protection
3======================
4
5Kernel self-protection is the design and implementation of systems and
6structures within the Linux kernel to protect against security flaws in
7the kernel itself. This covers a wide range of issues, including removing
8entire classes of bugs, blocking security flaw exploitation methods,

--- 256 unchanged lines hidden (view full) ---

265Preventing Information Exposures
266================================
267
268Since the locations of sensitive structures are the primary target for
269attacks, it is important to defend against exposure of both kernel memory
270addresses and kernel memory contents (since they may contain kernel
271addresses or other sensitive things like canary values).
272
273Kernel addresses
274----------------
275
276Printing kernel addresses to userspace leaks sensitive information about
277the kernel memory layout. Care should be exercised when using any printk
278specifier that prints the raw address, currently %px, %p[ad], (and %p[sSb]
279in certain circumstances [*]). Any file written to using one of these
280specifiers should be readable only by privileged processes.
281
282Kernels 4.14 and older printed the raw address using %p. As of 4.15-rc1
283addresses printed with the specifier %p are hashed before printing.
284
285[*] If KALLSYMS is enabled and symbol lookup fails, the raw address is
286printed. If KALLSYMS is not enabled the raw address is printed.
287
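Review bot: the specifier list in the new "Kernel addresses" paragraph has a stray comma before the parenthesised clause and leaves it unclear which specifiers the [*] footnote qualifies; suggest "currently %px, %p[ad] (and, in certain circumstances [*], %p[sSb])". The footnote itself can be a single sentence, since both of its sentences end in "the raw address is printed", e.g. "[*] The raw address is printed when KALLSYMS is not enabled, or when it is enabled but symbol lookup fails." Also, "Any file written to using one of these specifiers" is awkward; "Any file that is written using one of these specifiers" reads better.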
288Unique identifiers
289------------------
290
291Kernel memory addresses must never be used as identifiers exposed to
292userspace. Instead, use an atomic counter, an idr, or similar unique
293identifier.
294
295Memory initialization

--- 22 unchanged lines hidden ---