[PATCH 1/4] mm: security: Move hardened usercopy under 'Kernel hardening options'

Thu, 23 Jan 2025 14:12:24 -0800 

There is a submenu for 'Kernel hardening options' under "Security".
Move HARDENED_USERCOPY under the hardening options as it is clearly
related.

Signed-off-by: Mel Gorman <mgor...@techsingularity.net>
Acked-by: Paul Moore <p...@paul-moore.com>
---
 security/Kconfig           | 12 ------------
 security/Kconfig.hardening | 16 ++++++++++++++++
 2 files changed, 16 insertions(+), 12 deletions(-)

diff --git a/security/Kconfig b/security/Kconfig
index 28e685f53bd1..fe7346dc4bc3 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -159,18 +159,6 @@ config LSM_MMAP_MIN_ADDR
          this low address space will need the permission specific to the
          systems running LSM.
 
-config HARDENED_USERCOPY
-       bool "Harden memory copies between kernel and userspace"
-       imply STRICT_DEVMEM
-       help
-         This option checks for obviously wrong memory regions when
-         copying memory to/from the kernel (via copy_to_user() and
-         copy_from_user() functions) by rejecting memory ranges that
-         are larger than the specified heap object, span multiple
-         separately allocated pages, are not on the process stack,
-         or are part of the kernel text. This prevents entire classes
-         of heap overflow exploits and similar kernel memory exposures.
-
 config FORTIFY_SOURCE
        bool "Harden common str/mem functions against buffer overflows"
        depends on ARCH_HAS_FORTIFY_SOURCE
diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening
index c9d5ca3d8d08..9088d613d519 100644
--- a/security/Kconfig.hardening
+++ b/security/Kconfig.hardening
@@ -279,6 +279,22 @@ config ZERO_CALL_USED_REGS
 
 endmenu
 
+menu "Bounds checking"
+
+config HARDENED_USERCOPY
+       bool "Harden memory copies between kernel and userspace"
+       imply STRICT_DEVMEM
+       help
+         This option checks for obviously wrong memory regions when
+         copying memory to/from the kernel (via copy_to_user() and
+         copy_from_user() functions) by rejecting memory ranges that
+         are larger than the specified heap object, span multiple
+         separately allocated pages, are not on the process stack,
+         or are part of the kernel text. This prevents entire classes
+         of heap overflow exploits and similar kernel memory exposures.
+
+endmenu
+
 menu "Hardening of kernel data structures"
 
 config LIST_HARDENED
-- 
2.43.0

Reply via email to