1. Patchew
  2. linux
  3. View series

[PATCH] hardening: Adjust dependencies in selection of MODVERSIONS

Nathan Chancellor posted 1 patch 2 months ago 
security/Kconfig.hardening | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
[PATCH] hardening: Adjust dependencies in selection of MODVERSIONS
Posted by Nathan Chancellor 2 months ago 
MODVERSIONS recently grew a dependency on !COMPILE_TEST so that Rust
could be more easily tested. However, this introduces a Kconfig warning
when building allmodconfig with a clang version that supports RANDSTRUCT
natively because RANDSTRUCT_FULL and RANDSTRUCT_PERFORMANCE select
MODVERSIONS when MODULES is enabled, bypassing the !COMPILE_TEST
dependency:

  WARNING: unmet direct dependencies detected for MODVERSIONS
    Depends on [n]: MODULES [=y] && !COMPILE_TEST [=y]
    Selected by [y]:
    - RANDSTRUCT_FULL [=y] && (CC_HAS_RANDSTRUCT [=y] || GCC_PLUGINS [=n]) && MODULES [=y]

Add the !COMPILE_TEST dependency to the selections to clear up the
warning.

Fixes: 1f9c4a996756 ("Kbuild: make MODVERSIONS support depend on not being a compile test build")
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
---
 security/Kconfig.hardening | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening
index 2cff851ebfd7e13b955693be9f5818ac6f8bbf03..c9d5ca3d8d08de237102f1ffe3f310636ae0d6ff 100644
--- a/security/Kconfig.hardening
+++ b/security/Kconfig.hardening
@@ -340,7 +340,7 @@ choice
 	config RANDSTRUCT_FULL
 		bool "Fully randomize structure layout"
 		depends on CC_HAS_RANDSTRUCT || GCC_PLUGINS
-		select MODVERSIONS if MODULES
+		select MODVERSIONS if MODULES && !COMPILE_TEST
 		help
 		  Fully randomize the member layout of sensitive
 		  structures as much as possible, which may have both a
@@ -356,7 +356,7 @@ choice
 	config RANDSTRUCT_PERFORMANCE
 		bool "Limit randomization of structure layout to cache-lines"
 		depends on GCC_PLUGINS
-		select MODVERSIONS if MODULES
+		select MODVERSIONS if MODULES && !COMPILE_TEST
 		help
 		  Randomization of sensitive kernel structures will make a
 		  best effort at restricting randomization to cacheline-sized

---
base-commit: 3efc57369a0ce8f76bf0804f7e673982384e4ac9
change-id: 20240928-fix-randstruct-modversions-kconfig-warning-013be4a0f673

Best regards,
-- 
Nathan Chancellor <nathan@kernel.org>
Re: [PATCH] hardening: Adjust dependencies in selection of MODVERSIONS
Posted by Linus Torvalds 2 months ago 
On Sat, 28 Sept 2024 at 11:13, Nathan Chancellor <nathan@kernel.org> wrote:
>
> MODVERSIONS recently grew a dependency on !COMPILE_TEST so that Rust
> could be more easily tested. However, this introduces a Kconfig warning
> when building allmodconfig with a clang version that supports RANDSTRUCT
> natively because RANDSTRUCT_FULL and RANDSTRUCT_PERFORMANCE select
> MODVERSIONS when MODULES is enabled, bypassing the !COMPILE_TEST
> dependency:

Argh. I should have checked, but I didn't think anybody would 'select'
MODVERSIONS.

That's such an odd thing to do in general, but I guess for RANDSTRUCT
it actually makes sense (since a plain version check is nonsensical).

Now that 'select' statement is truly crazy and another level of odd
duck, but I guess it still makes perfect sense ("give me the build
coverage, but this is never going to be run, so don't bother with
MODVERSIONS").

So Ack on the patch. And now I did check that there doesn't seem to be
anything else with odd MODVERSIONS Kconfig rules.

            Linus
Re: [PATCH] hardening: Adjust dependencies in selection of MODVERSIONS
Posted by Nathan Chancellor 1 month, 4 weeks ago 
On Sun, Sep 29, 2024 at 08:35:44AM -0700, Linus Torvalds wrote:
> On Sat, 28 Sept 2024 at 11:13, Nathan Chancellor <nathan@kernel.org> wrote:
> >
> > MODVERSIONS recently grew a dependency on !COMPILE_TEST so that Rust
> > could be more easily tested. However, this introduces a Kconfig warning
> > when building allmodconfig with a clang version that supports RANDSTRUCT
> > natively because RANDSTRUCT_FULL and RANDSTRUCT_PERFORMANCE select
> > MODVERSIONS when MODULES is enabled, bypassing the !COMPILE_TEST
> > dependency:
> 
> Argh. I should have checked, but I didn't think anybody would 'select'
> MODVERSIONS.
> 
> That's such an odd thing to do in general, but I guess for RANDSTRUCT
> it actually makes sense (since a plain version check is nonsensical).
> 
> Now that 'select' statement is truly crazy and another level of odd
> duck, but I guess it still makes perfect sense ("give me the build
> coverage, but this is never going to be run, so don't bother with
> MODVERSIONS").

Yeah, I came to the same conclusion on both fronts (perhaps I should
have actually put that in the patch description).

> So Ack on the patch. And now I did check that there doesn't seem to be
> anything else with odd MODVERSIONS Kconfig rules.

Thanks, it looks like you'll get this via Kees soon.

Cheers,
Nathan
Re: [PATCH] hardening: Adjust dependencies in selection of MODVERSIONS
Posted by Kees Cook 2 months ago 
On Sat, 28 Sep 2024 11:13:13 -0700, Nathan Chancellor wrote:
> MODVERSIONS recently grew a dependency on !COMPILE_TEST so that Rust
> could be more easily tested. However, this introduces a Kconfig warning
> when building allmodconfig with a clang version that supports RANDSTRUCT
> natively because RANDSTRUCT_FULL and RANDSTRUCT_PERFORMANCE select
> MODVERSIONS when MODULES is enabled, bypassing the !COMPILE_TEST
> dependency:
> 
> [...]

Applied to for-linus/hardening, thanks!

[1/1] hardening: Adjust dependencies in selection of MODVERSIONS
      https://git.kernel.org/kees/c/dd3a7ee91e0c

Take care,

-- 
Kees Cook

Patchew 2.1-devel-b67e4c2

© 2016 - 2024 Red Hat, Inc.