Kconfig (f136e090c73ed2ed568dcd013c8e51ed4693a279) | Kconfig (313dd1b629219db50cad532dba6a3b3b22ffe622) |
---|---|
1# 2# General architecture dependent options 3# 4 5config CRASH_CORE 6 bool 7 8config KEXEC_CORE --- 411 unchanged lines hidden (view full) --- 420 This plugin was ported from grsecurity/PaX. More information at: 421 * https://grsecurity.net/ 422 * https://pax.grsecurity.net/ 423 424config GCC_PLUGIN_STRUCTLEAK 425 bool "Force initialization of variables containing userspace addresses" 426 depends on GCC_PLUGINS 427 help | 1# 2# General architecture dependent options 3# 4 5config CRASH_CORE 6 bool 7 8config KEXEC_CORE --- 411 unchanged lines hidden (view full) --- 420 This plugin was ported from grsecurity/PaX. More information at: 421 * https://grsecurity.net/ 422 * https://pax.grsecurity.net/ 423 424config GCC_PLUGIN_STRUCTLEAK 425 bool "Force initialization of variables containing userspace addresses" 426 depends on GCC_PLUGINS 427 help |
428 This plugin zero-initializes any structures containing a | 428 This plugin zero-initializes any structures that containing a |
429 __user attribute. This can prevent some classes of information 430 exposures. 431 432 This plugin was ported from grsecurity/PaX. More information at: 433 * https://grsecurity.net/ 434 * https://pax.grsecurity.net/ 435 436config GCC_PLUGIN_STRUCTLEAK_VERBOSE 437 bool "Report forcefully initialized variables" 438 depends on GCC_PLUGIN_STRUCTLEAK 439 depends on !COMPILE_TEST 440 help 441 This option will cause a warning to be printed each time the 442 structleak plugin finds a variable it thinks needs to be 443 initialized. Since not all existing initializers are detected 444 by the plugin, this can produce false positive warnings. 445 | 429 __user attribute. This can prevent some classes of information 430 exposures. 431 432 This plugin was ported from grsecurity/PaX. More information at: 433 * https://grsecurity.net/ 434 * https://pax.grsecurity.net/ 435 436config GCC_PLUGIN_STRUCTLEAK_VERBOSE 437 bool "Report forcefully initialized variables" 438 depends on GCC_PLUGIN_STRUCTLEAK 439 depends on !COMPILE_TEST 440 help 441 This option will cause a warning to be printed each time the 442 structleak plugin finds a variable it thinks needs to be 443 initialized. Since not all existing initializers are detected 444 by the plugin, this can produce false positive warnings. 445 |
446config GCC_PLUGIN_RANDSTRUCT 447 bool "Randomize layout of sensitive kernel structures" 448 depends on GCC_PLUGINS 449 select MODVERSIONS if MODULES 450 help 451 If you say Y here, the layouts of structures explicitly 452 marked by __randomize_layout will be randomized at 453 compile-time. This can introduce the requirement of an 454 additional information exposure vulnerability for exploits 455 targeting these structure types. 456 457 Enabling this feature will introduce some performance impact, 458 slightly increase memory usage, and prevent the use of forensic 459 tools like Volatility against the system (unless the kernel 460 source tree isn't cleaned after kernel installation). 461 462 The seed used for compilation is located at 463 scripts/gcc-plgins/randomize_layout_seed.h. It remains after 464 a make clean to allow for external modules to be compiled with 465 the existing seed and will be removed by a make mrproper or 466 make distclean. 467 468 Note that the implementation requires gcc 4.7 or newer. 469 470 This plugin was ported from grsecurity/PaX. More information at: 471 * https://grsecurity.net/ 472 * https://pax.grsecurity.net/ 473 474config GCC_PLUGIN_RANDSTRUCT_PERFORMANCE 475 bool "Use cacheline-aware structure randomization" 476 depends on GCC_PLUGIN_RANDSTRUCT 477 depends on !COMPILE_TEST 478 help 479 If you say Y here, the RANDSTRUCT randomization will make a 480 best effort at restricting randomization to cacheline-sized 481 groups of elements. It will further not randomize bitfields 482 in structures. This reduces the performance hit of RANDSTRUCT 483 at the cost of weakened randomization. 484 |
|
446config HAVE_CC_STACKPROTECTOR 447 bool 448 help 449 An arch should select this symbol if: 450 - its compiler supports the -fstack-protector option 451 - it has implemented a stack canary (e.g. __stack_chk_guard) 452 453config CC_STACKPROTECTOR --- 417 unchanged lines hidden --- | 485config HAVE_CC_STACKPROTECTOR 486 bool 487 help 488 An arch should select this symbol if: 489 - its compiler supports the -fstack-protector option 490 - it has implemented a stack canary (e.g. __stack_chk_guard) 491 492config CC_STACKPROTECTOR --- 417 unchanged lines hidden --- |
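
Review bot: The reworded GCC_PLUGIN_STRUCTLEAK help text at line 428 is ungrammatical: "zero-initializes any structures that containing a __user attribute" mixes two constructions. Keep the previous "structures containing a" or use "structures that contain a". Nothing else in that help entry changes, so this one-word edit looks unintentional and could be dropped from the change.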
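
Review bot: The seed path in the new GCC_PLUGIN_RANDSTRUCT help text (line 463) reads "scripts/gcc-plgins/randomize_layout_seed.h", which appears to be a misspelling of "gcc-plugins"; anyone following the help text to find the seed will look in the wrong directory. In the same entry, "unless the kernel source tree isn't cleaned after kernel installation" (lines 459-460) is a double negative that is easy to misread; something like "unless the kernel source tree is left uncleaned after installation" says the same thing directly. Because the text states that the seed survives make clean so that external modules can be built against it, it would also help to say that the seed file determines the randomized layouts and should be kept as private as the build tree itself.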