self-protection.rst (c25141062a82ae8bddced1b3ce2b57a1c0efabe0) | self-protection.rst (227d1a61ed87033285d187214f305c27895176f9) |
---|---|
1====================== 2Kernel Self-Protection 3====================== 4 5Kernel self-protection is the design and implementation of systems and 6structures within the Linux kernel to protect against security flaws in 7the kernel itself. This covers a wide range of issues, including removing 8entire classes of bugs, blocking security flaw exploitation methods, --- 256 unchanged lines hidden (view full) --- 265Preventing Information Exposures 266================================ 267 268Since the locations of sensitive structures are the primary target for 269attacks, it is important to defend against exposure of both kernel memory 270addresses and kernel memory contents (since they may contain kernel 271addresses or other sensitive things like canary values). 272 | 1====================== 2Kernel Self-Protection 3====================== 4 5Kernel self-protection is the design and implementation of systems and 6structures within the Linux kernel to protect against security flaws in 7the kernel itself. This covers a wide range of issues, including removing 8entire classes of bugs, blocking security flaw exploitation methods, --- 256 unchanged lines hidden (view full) --- 265Preventing Information Exposures 266================================ 267 268Since the locations of sensitive structures are the primary target for 269attacks, it is important to defend against exposure of both kernel memory 270addresses and kernel memory contents (since they may contain kernel 271addresses or other sensitive things like canary values). 272 |
273Kernel addresses 274---------------- 275 276Printing kernel addresses to userspace leaks sensitive information about 277the kernel memory layout. Care should be exercised when using any printk 278specifier that prints the raw address, currently %px, %p[ad], (and %p[sSb] 279in certain circumstances [*]). Any file written to using one of these 280specifiers should be readable only by privileged processes. 281 282Kernels 4.14 and older printed the raw address using %p. As of 4.15-rc1 283addresses printed with the specifier %p are hashed before printing. 284 285[*] If KALLSYMS is enabled and symbol lookup fails, the raw address is 286printed. If KALLSYMS is not enabled the raw address is printed. 287 |
|
273Unique identifiers 274------------------ 275 276Kernel memory addresses must never be used as identifiers exposed to 277userspace. Instead, use an atomic counter, an idr, or similar unique 278identifier. 279 280Memory initialization --- 22 unchanged lines hidden --- | 288Unique identifiers 289------------------ 290 291Kernel memory addresses must never be used as identifiers exposed to 292userspace. Instead, use an atomic counter, an idr, or similar unique 293identifier. 294 295Memory initialization --- 22 unchanged lines hidden --- |
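Review bot: the footnote in the newly added "Kernel addresses" section is written as a bare `[*]` both at the reference ("in certain circumstances [*]") and at the definition ("[*] If KALLSYMS is enabled and symbol lookup fails..."), which reStructuredText renders as literal brackets rather than a linked footnote; since this is a .rst file, the reference should be `[*]_` and the definition should be a `.. [*]` footnote target so the rendered documentation links them. Minor style point in the same paragraph: "currently %px, %p[ad], (and %p[sSb] in certain circumstances [*])" has a stray comma before the opening parenthesis; dropping it reads cleaner.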