~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/security/Kconfig.hardening

Version: ~ [ linux-6.12-rc7 ] ~ [ linux-6.11.7 ] ~ [ linux-6.10.14 ] ~ [ linux-6.9.12 ] ~ [ linux-6.8.12 ] ~ [ linux-6.7.12 ] ~ [ linux-6.6.60 ] ~ [ linux-6.5.13 ] ~ [ linux-6.4.16 ] ~ [ linux-6.3.13 ] ~ [ linux-6.2.16 ] ~ [ linux-6.1.116 ] ~ [ linux-6.0.19 ] ~ [ linux-5.19.17 ] ~ [ linux-5.18.19 ] ~ [ linux-5.17.15 ] ~ [ linux-5.16.20 ] ~ [ linux-5.15.171 ] ~ [ linux-5.14.21 ] ~ [ linux-5.13.19 ] ~ [ linux-5.12.19 ] ~ [ linux-5.11.22 ] ~ [ linux-5.10.229 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.285 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.323 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.336 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.337 ] ~ [ linux-4.4.302 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.12 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

Diff markup

Differences between /security/Kconfig.hardening (Version linux-6.12-rc7) and /security/Kconfig.hardening (Version linux-5.6.19)


  1 # SPDX-License-Identifier: GPL-2.0-only             1 # SPDX-License-Identifier: GPL-2.0-only
  2 menu "Kernel hardening options"                     2 menu "Kernel hardening options"
  3                                                     3 
  4 config GCC_PLUGIN_STRUCTLEAK                        4 config GCC_PLUGIN_STRUCTLEAK
  5         bool                                        5         bool
  6         help                                        6         help
  7           While the kernel is built with warni      7           While the kernel is built with warnings enabled for any missed
  8           stack variable initializations, this      8           stack variable initializations, this warning is silenced for
  9           anything passed by reference to anot      9           anything passed by reference to another function, under the
 10           occasionally misguided assumption th     10           occasionally misguided assumption that the function will do
 11           the initialization. As this regularl     11           the initialization. As this regularly leads to exploitable
 12           flaws, this plugin is available to i     12           flaws, this plugin is available to identify and zero-initialize
 13           such variables, depending on the cho     13           such variables, depending on the chosen level of coverage.
 14                                                    14 
 15           This plugin was originally ported fr     15           This plugin was originally ported from grsecurity/PaX. More
 16           information at:                          16           information at:
 17            * https://grsecurity.net/               17            * https://grsecurity.net/
 18            * https://pax.grsecurity.net/           18            * https://pax.grsecurity.net/
 19                                                    19 
 20 menu "Memory initialization"                       20 menu "Memory initialization"
 21                                                    21 
 22 config CC_HAS_AUTO_VAR_INIT_PATTERN            !!  22 config CC_HAS_AUTO_VAR_INIT
 23         def_bool $(cc-option,-ftrivial-auto-va     23         def_bool $(cc-option,-ftrivial-auto-var-init=pattern)
 24                                                    24 
 25 config CC_HAS_AUTO_VAR_INIT_ZERO_BARE          << 
 26         def_bool $(cc-option,-ftrivial-auto-va << 
 27                                                << 
 28 config CC_HAS_AUTO_VAR_INIT_ZERO_ENABLER       << 
 29         # Clang 16 and later warn about using  << 
 30         # is required before then.             << 
 31         def_bool $(cc-option,-ftrivial-auto-va << 
 32         depends on !CC_HAS_AUTO_VAR_INIT_ZERO_ << 
 33                                                << 
 34 config CC_HAS_AUTO_VAR_INIT_ZERO               << 
 35         def_bool CC_HAS_AUTO_VAR_INIT_ZERO_BAR << 
 36                                                << 
 37 choice                                             25 choice
 38         prompt "Initialize kernel stack variab     26         prompt "Initialize kernel stack variables at function entry"
 39         default GCC_PLUGIN_STRUCTLEAK_BYREF_AL     27         default GCC_PLUGIN_STRUCTLEAK_BYREF_ALL if COMPILE_TEST && GCC_PLUGINS
 40         default INIT_STACK_ALL_PATTERN if COMP !!  28         default INIT_STACK_ALL if COMPILE_TEST && CC_HAS_AUTO_VAR_INIT
 41         default INIT_STACK_ALL_ZERO if CC_HAS_ << 
 42         default INIT_STACK_NONE                    29         default INIT_STACK_NONE
 43         help                                       30         help
 44           This option enables initialization o     31           This option enables initialization of stack variables at
 45           function entry time. This has the po     32           function entry time. This has the possibility to have the
 46           greatest coverage (since all functio     33           greatest coverage (since all functions can have their
 47           variables initialized), but the perf     34           variables initialized), but the performance impact depends
 48           on the function calling complexity o     35           on the function calling complexity of a given workload's
 49           syscalls.                                36           syscalls.
 50                                                    37 
 51           This chooses the level of coverage o     38           This chooses the level of coverage over classes of potentially
 52           uninitialized variables. The selecte !!  39           uninitialized variables. The selected class will be
 53           initialized before use in a function     40           initialized before use in a function.
 54                                                    41 
 55         config INIT_STACK_NONE                     42         config INIT_STACK_NONE
 56                 bool "no automatic stack varia !!  43                 bool "no automatic initialization (weakest)"
 57                 help                               44                 help
 58                   Disable automatic stack vari     45                   Disable automatic stack variable initialization.
 59                   This leaves the kernel vulne     46                   This leaves the kernel vulnerable to the standard
 60                   classes of uninitialized sta     47                   classes of uninitialized stack variable exploits
 61                   and information exposures.       48                   and information exposures.
 62                                                    49 
 63         config GCC_PLUGIN_STRUCTLEAK_USER          50         config GCC_PLUGIN_STRUCTLEAK_USER
 64                 bool "zero-init structs marked     51                 bool "zero-init structs marked for userspace (weak)"
 65                 # Plugin can be removed once t !!  52                 depends on GCC_PLUGINS
 66                 depends on GCC_PLUGINS && !CC_ << 
 67                 select GCC_PLUGIN_STRUCTLEAK       53                 select GCC_PLUGIN_STRUCTLEAK
 68                 help                               54                 help
 69                   Zero-initialize any structur     55                   Zero-initialize any structures on the stack containing
 70                   a __user attribute. This can     56                   a __user attribute. This can prevent some classes of
 71                   uninitialized stack variable     57                   uninitialized stack variable exploits and information
 72                   exposures, like CVE-2013-214     58                   exposures, like CVE-2013-2141:
 73                   https://git.kernel.org/linus     59                   https://git.kernel.org/linus/b9e146d8eb3b9eca
 74                                                    60 
 75         config GCC_PLUGIN_STRUCTLEAK_BYREF         61         config GCC_PLUGIN_STRUCTLEAK_BYREF
 76                 bool "zero-init structs passed     62                 bool "zero-init structs passed by reference (strong)"
 77                 # Plugin can be removed once t !!  63                 depends on GCC_PLUGINS
 78                 depends on GCC_PLUGINS && !CC_ !!  64                 depends on !(KASAN && KASAN_STACK=1)
 79                 depends on !(KASAN && KASAN_ST << 
 80                 select GCC_PLUGIN_STRUCTLEAK       65                 select GCC_PLUGIN_STRUCTLEAK
 81                 help                               66                 help
 82                   Zero-initialize any structur     67                   Zero-initialize any structures on the stack that may
 83                   be passed by reference and h     68                   be passed by reference and had not already been
 84                   explicitly initialized. This     69                   explicitly initialized. This can prevent most classes
 85                   of uninitialized stack varia     70                   of uninitialized stack variable exploits and information
 86                   exposures, like CVE-2017-100     71                   exposures, like CVE-2017-1000410:
 87                   https://git.kernel.org/linus     72                   https://git.kernel.org/linus/06e7e776ca4d3654
 88                                                    73 
 89                   As a side-effect, this keeps     74                   As a side-effect, this keeps a lot of variables on the
 90                   stack that can otherwise be      75                   stack that can otherwise be optimized out, so combining
 91                   this with CONFIG_KASAN_STACK     76                   this with CONFIG_KASAN_STACK can lead to a stack overflow
 92                   and is disallowed.               77                   and is disallowed.
 93                                                    78 
 94         config GCC_PLUGIN_STRUCTLEAK_BYREF_ALL     79         config GCC_PLUGIN_STRUCTLEAK_BYREF_ALL
 95                 bool "zero-init everything pas !!  80                 bool "zero-init anything passed by reference (very strong)"
 96                 # Plugin can be removed once t !!  81                 depends on GCC_PLUGINS
 97                 depends on GCC_PLUGINS && !CC_ !!  82                 depends on !(KASAN && KASAN_STACK=1)
 98                 depends on !(KASAN && KASAN_ST << 
 99                 select GCC_PLUGIN_STRUCTLEAK       83                 select GCC_PLUGIN_STRUCTLEAK
100                 help                               84                 help
101                   Zero-initialize any stack va     85                   Zero-initialize any stack variables that may be passed
102                   by reference and had not alr     86                   by reference and had not already been explicitly
103                   initialized. This is intende     87                   initialized. This is intended to eliminate all classes
104                   of uninitialized stack varia     88                   of uninitialized stack variable exploits and information
105                   exposures.                       89                   exposures.
106                                                    90 
107                   As a side-effect, this keeps !!  91         config INIT_STACK_ALL
108                   stack that can otherwise be  !!  92                 bool "0xAA-init everything on the stack (strongest)"
109                   this with CONFIG_KASAN_STACK !!  93                 depends on CC_HAS_AUTO_VAR_INIT
110                   and is disallowed.           << 
111                                                << 
112         config INIT_STACK_ALL_PATTERN          << 
113                 bool "pattern-init everything  << 
114                 depends on CC_HAS_AUTO_VAR_INI << 
115                 depends on !KMSAN              << 
116                 help                           << 
117                   Initializes everything on th << 
118                   with a specific debug value. << 
119                   all classes of uninitialized << 
120                   information exposures, even  << 
121                   having been left uninitializ << 
122                                                << 
123                   Pattern initialization is kn << 
124                   related to uninitialized loc << 
125                   non-NULL values, buffer size << 
126                   pattern is situation-specifi << 
127                   repeating for all types and  << 
128                   which use 0xFF repeating (-N << 
129                   repeating for all types and  << 
130                                                << 
131         config INIT_STACK_ALL_ZERO             << 
132                 bool "zero-init everything (st << 
133                 depends on CC_HAS_AUTO_VAR_INI << 
134                 depends on !KMSAN              << 
135                 help                               94                 help
136                   Initializes everything on th !!  95                   Initializes everything on the stack with a 0xAA
137                   with a zero value. This is i !!  96                   pattern. This is intended to eliminate all classes
138                   classes of uninitialized sta !!  97                   of uninitialized stack variable exploits and information
139                   information exposures, even  !!  98                   exposures, even variables that were warned to have been
140                   about having been left unini !!  99                   left uninitialized.
141                                                << 
142                   Zero initialization provides << 
143                   (immediately NUL-terminated) << 
144                   (index 0), and sizes (0 leng << 
145                   suitable as a production sec << 
146                   initialization.              << 
147                                                   100 
148 endchoice                                         101 endchoice
149                                                   102 
150 config GCC_PLUGIN_STRUCTLEAK_VERBOSE              103 config GCC_PLUGIN_STRUCTLEAK_VERBOSE
151         bool "Report forcefully initialized va    104         bool "Report forcefully initialized variables"
152         depends on GCC_PLUGIN_STRUCTLEAK          105         depends on GCC_PLUGIN_STRUCTLEAK
153         depends on !COMPILE_TEST        # too     106         depends on !COMPILE_TEST        # too noisy
154         help                                      107         help
155           This option will cause a warning to     108           This option will cause a warning to be printed each time the
156           structleak plugin finds a variable i    109           structleak plugin finds a variable it thinks needs to be
157           initialized. Since not all existing     110           initialized. Since not all existing initializers are detected
158           by the plugin, this can produce fals    111           by the plugin, this can produce false positive warnings.
159                                                   112 
160 config GCC_PLUGIN_STACKLEAK                       113 config GCC_PLUGIN_STACKLEAK
161         bool "Poison kernel stack before retur    114         bool "Poison kernel stack before returning from syscalls"
162         depends on GCC_PLUGINS                    115         depends on GCC_PLUGINS
163         depends on HAVE_ARCH_STACKLEAK            116         depends on HAVE_ARCH_STACKLEAK
164         help                                      117         help
165           This option makes the kernel erase t    118           This option makes the kernel erase the kernel stack before
166           returning from system calls. This ha    119           returning from system calls. This has the effect of leaving
167           the stack initialized to the poison     120           the stack initialized to the poison value, which both reduces
168           the lifetime of any sensitive stack     121           the lifetime of any sensitive stack contents and reduces
169           potential for uninitialized stack va    122           potential for uninitialized stack variable exploits or information
170           exposures (it does not cover functio    123           exposures (it does not cover functions reaching the same stack
171           depth as prior functions during the     124           depth as prior functions during the same syscall). This blocks
172           most uninitialized stack variable at    125           most uninitialized stack variable attacks, with the performance
173           impact being driven by the depth of     126           impact being driven by the depth of the stack usage, rather than
174           the function calling complexity.        127           the function calling complexity.
175                                                   128 
176           The performance impact on a single C    129           The performance impact on a single CPU system kernel compilation
177           sees a 1% slowdown, other systems an    130           sees a 1% slowdown, other systems and workloads may vary and you
178           are advised to test this feature on     131           are advised to test this feature on your expected workload before
179           deploying it.                           132           deploying it.
180                                                   133 
181           This plugin was ported from grsecuri    134           This plugin was ported from grsecurity/PaX. More information at:
182            * https://grsecurity.net/              135            * https://grsecurity.net/
183            * https://pax.grsecurity.net/          136            * https://pax.grsecurity.net/
184                                                   137 
185 config GCC_PLUGIN_STACKLEAK_VERBOSE            << 
186         bool "Report stack depth analysis inst << 
187         depends on GCC_PLUGIN_STACKLEAK        << 
188         depends on !COMPILE_TEST        # too  << 
189         help                                   << 
190           This option will cause a warning to  << 
191           stackleak plugin finds a function it << 
192           instrumented. This is useful for com << 
193           builds.                              << 
194                                                << 
195 config STACKLEAK_TRACK_MIN_SIZE                   138 config STACKLEAK_TRACK_MIN_SIZE
196         int "Minimum stack frame size of funct    139         int "Minimum stack frame size of functions tracked by STACKLEAK"
197         default 100                               140         default 100
198         range 0 4096                              141         range 0 4096
199         depends on GCC_PLUGIN_STACKLEAK           142         depends on GCC_PLUGIN_STACKLEAK
200         help                                      143         help
201           The STACKLEAK gcc plugin instruments    144           The STACKLEAK gcc plugin instruments the kernel code for tracking
202           the lowest border of the kernel stac    145           the lowest border of the kernel stack (and for some other purposes).
203           It inserts the stackleak_track_stack    146           It inserts the stackleak_track_stack() call for the functions with
204           a stack frame size greater than or e    147           a stack frame size greater than or equal to this parameter.
205           If unsure, leave the default value 1    148           If unsure, leave the default value 100.
206                                                   149 
207 config STACKLEAK_METRICS                          150 config STACKLEAK_METRICS
208         bool "Show STACKLEAK metrics in the /p    151         bool "Show STACKLEAK metrics in the /proc file system"
209         depends on GCC_PLUGIN_STACKLEAK           152         depends on GCC_PLUGIN_STACKLEAK
210         depends on PROC_FS                        153         depends on PROC_FS
211         help                                      154         help
212           If this is set, STACKLEAK metrics fo    155           If this is set, STACKLEAK metrics for every task are available in
213           the /proc file system. In particular    156           the /proc file system. In particular, /proc/<pid>/stack_depth
214           shows the maximum kernel stack consu    157           shows the maximum kernel stack consumption for the current and
215           previous syscalls. Although this inf    158           previous syscalls. Although this information is not precise, it
216           can be useful for estimating the STA    159           can be useful for estimating the STACKLEAK performance impact for
217           your workloads.                         160           your workloads.
218                                                   161 
219 config STACKLEAK_RUNTIME_DISABLE                  162 config STACKLEAK_RUNTIME_DISABLE
220         bool "Allow runtime disabling of kerne    163         bool "Allow runtime disabling of kernel stack erasing"
221         depends on GCC_PLUGIN_STACKLEAK           164         depends on GCC_PLUGIN_STACKLEAK
222         help                                      165         help
223           This option provides 'stack_erasing'    166           This option provides 'stack_erasing' sysctl, which can be used in
224           runtime to control kernel stack eras    167           runtime to control kernel stack erasing for kernels built with
225           CONFIG_GCC_PLUGIN_STACKLEAK.            168           CONFIG_GCC_PLUGIN_STACKLEAK.
226                                                   169 
227 config INIT_ON_ALLOC_DEFAULT_ON                   170 config INIT_ON_ALLOC_DEFAULT_ON
228         bool "Enable heap memory zeroing on al    171         bool "Enable heap memory zeroing on allocation by default"
229         depends on !KMSAN                      << 
230         help                                      172         help
231           This has the effect of setting "init    173           This has the effect of setting "init_on_alloc=1" on the kernel
232           command line. This can be disabled w    174           command line. This can be disabled with "init_on_alloc=0".
233           When "init_on_alloc" is enabled, all    175           When "init_on_alloc" is enabled, all page allocator and slab
234           allocator memory will be zeroed when    176           allocator memory will be zeroed when allocated, eliminating
235           many kinds of "uninitialized heap me    177           many kinds of "uninitialized heap memory" flaws, especially
236           heap content exposures. The performa    178           heap content exposures. The performance impact varies by
237           workload, but most cases see <1% imp    179           workload, but most cases see <1% impact. Some synthetic
238           workloads have measured as high as 7    180           workloads have measured as high as 7%.
239                                                   181 
240 config INIT_ON_FREE_DEFAULT_ON                    182 config INIT_ON_FREE_DEFAULT_ON
241         bool "Enable heap memory zeroing on fr    183         bool "Enable heap memory zeroing on free by default"
242         depends on !KMSAN                      << 
243         help                                      184         help
244           This has the effect of setting "init    185           This has the effect of setting "init_on_free=1" on the kernel
245           command line. This can be disabled w    186           command line. This can be disabled with "init_on_free=0".
246           Similar to "init_on_alloc", when "in    187           Similar to "init_on_alloc", when "init_on_free" is enabled,
247           all page allocator and slab allocato    188           all page allocator and slab allocator memory will be zeroed
248           when freed, eliminating many kinds o    189           when freed, eliminating many kinds of "uninitialized heap memory"
249           flaws, especially heap content expos    190           flaws, especially heap content exposures. The primary difference
250           with "init_on_free" is that data lif    191           with "init_on_free" is that data lifetime in memory is reduced,
251           as anything freed is wiped immediate    192           as anything freed is wiped immediately, making live forensics or
252           cold boot memory attacks unable to r    193           cold boot memory attacks unable to recover freed memory contents.
253           The performance impact varies by wor    194           The performance impact varies by workload, but is more expensive
254           than "init_on_alloc" due to the nega    195           than "init_on_alloc" due to the negative cache effects of
255           touching "cold" memory areas. Most c    196           touching "cold" memory areas. Most cases see 3-5% impact. Some
256           synthetic workloads have measured as    197           synthetic workloads have measured as high as 8%.
257                                                   198 
258 config CC_HAS_ZERO_CALL_USED_REGS              << 
259         def_bool $(cc-option,-fzero-call-used- << 
260         # https://github.com/ClangBuiltLinux/l << 
261         # https://github.com/llvm/llvm-project << 
262         depends on !CC_IS_CLANG || CLANG_VERSI << 
263                                                << 
264 config ZERO_CALL_USED_REGS                     << 
265         bool "Enable register zeroing on funct << 
266         depends on CC_HAS_ZERO_CALL_USED_REGS  << 
267         help                                   << 
268           At the end of functions, always zero << 
269           contents. This helps ensure that tem << 
270           leaked beyond the function boundary. << 
271           contents are less likely to be avail << 
272           and information exposures. Additiona << 
273           number of useful ROP gadgets by abou << 
274           generated "write-what-where" gadgets << 
275           image. This has a less than 1% perfo << 
276           workloads. Image size growth depends << 
277           be evaluated for suitability. For ex << 
278           than 1%, and arm64 grows by about 5% << 
279                                                << 
280 endmenu                                           199 endmenu
281                                                << 
282 menu "Hardening of kernel data structures"     << 
283                                                << 
284 config LIST_HARDENED                           << 
285         bool "Check integrity of linked list m << 
286         help                                   << 
287           Minimal integrity checking in the li << 
288           to catch memory corruptions that are << 
289           immediate access fault.              << 
290                                                << 
291           If unsure, say N.                    << 
292                                                << 
293 config BUG_ON_DATA_CORRUPTION                  << 
294         bool "Trigger a BUG when data corrupti << 
295         select LIST_HARDENED                   << 
296         help                                   << 
297           Select this option if the kernel sho << 
298           data corruption in kernel memory str << 
299           for validity.                        << 
300                                                << 
301           If unsure, say N.                    << 
302                                                << 
303 endmenu                                        << 
304                                                << 
305 config CC_HAS_RANDSTRUCT                       << 
306         def_bool $(cc-option,-frandomize-layou << 
307         # Randstruct was first added in Clang  << 
308         # Clang 16 due to https://github.com/l << 
309         depends on !CC_IS_CLANG || CLANG_VERSI << 
310                                                << 
311 choice                                         << 
312         prompt "Randomize layout of sensitive  << 
313         default RANDSTRUCT_FULL if COMPILE_TES << 
314         default RANDSTRUCT_NONE                << 
315         help                                   << 
316           If you enable this, the layouts of s << 
317           function pointers (and have not been << 
318           __no_randomize_layout), or structure << 
319           marked with __randomize_layout, will << 
320           This can introduce the requirement o << 
321           exposure vulnerability for exploits  << 
322           types.                               << 
323                                                << 
324           Enabling this feature will introduce << 
325           slightly increase memory usage, and  << 
326           tools like Volatility against the sy << 
327           source tree isn't cleaned after kern << 
328                                                << 
329           The seed used for compilation is in  << 
330           It remains after a "make clean" to a << 
331           be compiled with the existing seed a << 
332           "make mrproper" or "make distclean". << 
333           public, or the structure layout can  << 
334                                                << 
335         config RANDSTRUCT_NONE                 << 
336                 bool "Disable structure layout << 
337                 help                           << 
338                   Build normally: no structure << 
339                                                << 
340         config RANDSTRUCT_FULL                 << 
341                 bool "Fully randomize structur << 
342                 depends on CC_HAS_RANDSTRUCT | << 
343                 select MODVERSIONS if MODULES  << 
344                 help                           << 
345                   Fully randomize the member l << 
346                   structures as much as possib << 
347                   memory size and performance  << 
348                                                << 
349                   One difference between the C << 
350                   implementations is the handl << 
351                   plugin treats them as fully  << 
352                   introducing sometimes signif << 
353                   to keep adjacent bitfields t << 
354                   ordering randomized.         << 
355                                                << 
356         config RANDSTRUCT_PERFORMANCE          << 
357                 bool "Limit randomization of s << 
358                 depends on GCC_PLUGINS         << 
359                 select MODVERSIONS if MODULES  << 
360                 help                           << 
361                   Randomization of sensitive k << 
362                   best effort at restricting r << 
363                   groups of members. It will f << 
364                   in structures. This reduces  << 
365                   at the cost of weakened rand << 
366 endchoice                                      << 
367                                                << 
368 config RANDSTRUCT                              << 
369         def_bool !RANDSTRUCT_NONE              << 
370                                                << 
371 config GCC_PLUGIN_RANDSTRUCT                   << 
372         def_bool GCC_PLUGINS && RANDSTRUCT     << 
373         help                                   << 
374           Use GCC plugin to randomize structur << 
375                                                << 
376           This plugin was ported from grsecuri << 
377           information at:                      << 
378            * https://grsecurity.net/           << 
379            * https://pax.grsecurity.net/       << 
380                                                   200 
381 endmenu                                           201 endmenu
                                                      

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

sflogo.php