diff options
| author | Kees Cook <[email protected]> | 2024-04-30 17:02:22 -0700 | 
|---|---|---|
| committer | Kees Cook <[email protected]> | 2024-06-19 12:41:08 -0700 | 
| commit | d6f635bcaca8d38dfa47ee20658705f9eff156b5 (patch) | |
| tree | 22797324cba2df59d8c04d42d95e71884bc39e85 /security/selinux/hooks.c | |
| parent | 51005a59bcbe1add8802105437b3707ea257f2ea (diff) | |
x86/alternatives: Make FineIBT mode Kconfig selectable
Since FineIBT performs checking at the destination, it is weaker against
attacks that can construct arbitrary executable memory contents. As such,
some system builders want to run with FineIBT disabled by default. Allow
the "cfi=kcfi" boot param mode to be selectable through Kconfig via the
newly introduced CONFIG_CFI_AUTO_DEFAULT.
Reviewed-by: Sami Tolvanen <[email protected]>
Reviewed-by: Nathan Chancellor <[email protected]>
Tested-by: Nathan Chancellor <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Kees Cook <[email protected]>
Diffstat (limited to 'security/selinux/hooks.c')
0 files changed, 0 insertions, 0 deletions