| menu "Kernel hacking" |
| |
| source "lib/Kconfig.debug" |
| |
| config ARM64_PTDUMP |
| bool "Export kernel pagetable layout to userspace via debugfs" |
| depends on DEBUG_KERNEL |
| select DEBUG_FS |
| help |
| Say Y here if you want to show the kernel pagetable layout in a |
| debugfs file. This information is only useful for kernel developers |
| who are working in architecture specific areas of the kernel. |
| It is probably not a good idea to enable this feature in a production |
| kernel. |
| If in doubt, say "N" |
| |
| config STRICT_DEVMEM |
| bool "Filter access to /dev/mem" |
| depends on MMU |
| help |
| If this option is disabled, you allow userspace (root) access to all |
| of memory, including kernel and userspace memory. Accidental |
| access to this is obviously disastrous, but specific access can |
| be used by people debugging the kernel. |
| |
| If this option is switched on, the /dev/mem file only allows |
| userspace access to memory mapped peripherals. |
| |
| If in doubt, say Y. |
| |
| config PID_IN_CONTEXTIDR |
| bool "Write the current PID to the CONTEXTIDR register" |
| help |
| Enabling this option causes the kernel to write the current PID to |
| the CONTEXTIDR register, at the expense of some additional |
| instructions during context switch. Say Y here only if you are |
| planning to use hardware trace tools with this kernel. |
| |
| config ARM64_RANDOMIZE_TEXT_OFFSET |
| bool "Randomize TEXT_OFFSET at build time" |
| help |
| Say Y here if you want the image load offset (AKA TEXT_OFFSET) |
| of the kernel to be randomized at build-time. When selected, |
| this option will cause TEXT_OFFSET to be randomized upon any |
| build of the kernel, and the offset will be reflected in the |
| text_offset field of the resulting Image. This can be used to |
| fuzz-test bootloaders which respect text_offset. |
| |
| This option is intended for bootloader and/or kernel testing |
| only. Bootloaders must make no assumptions regarding the value |
| of TEXT_OFFSET and platforms must not require a specific |
| value. |
| |
| config DEBUG_SET_MODULE_RONX |
| bool "Set loadable kernel module data as NX and text as RO" |
| depends on MODULES |
| help |
| This option helps catch unintended modifications to loadable |
| kernel module's text and read-only data. It also prevents execution |
| of module data. Such protection may interfere with run-time code |
| patching and dynamic kernel tracing - and they might also protect |
| against certain classes of kernel exploits. |
| If in doubt, say "N". |
| |
| config DEBUG_RODATA |
| bool "Make kernel text and rodata read-only" |
| depends on !UH_RKP |
| help |
| If this is set, kernel text and rodata will be made read-only. This |
| is to help catch accidental or malicious attempts to change the |
| kernel's executable code. |
| |
| If in doubt, say Y |
| |
| config DEBUG_ALIGN_RODATA |
| depends on DEBUG_RODATA && ARM64_4K_PAGES |
| bool "Align linker sections up to SECTION_SIZE" |
| help |
| If this option is enabled, sections that may potentially be marked as |
| read only or non-executable will be aligned up to the section size of |
| the kernel. This prevents sections from being split into pages and |
| avoids a potential TLB penalty. The downside is an increase in |
| alignment and potentially wasted space. Turn on this option if |
| performance is more important than memory pressure. |
| |
| If in doubt, say N |
| |
| comment "Samsung Rooting Restriction Feature" |
| config SEC_RESTRICT_ROOTING |
| bool "Samsung Rooting Restriction Feature" |
| depends on SAMSUNG_PRODUCT_SHIP |
| default n |
| help |
| Restrict unauthorized executions with root permission. |
| |
| config SEC_RESTRICT_SETUID |
| bool "Restrict changing root privilege except allowed process" |
| depends on SEC_RESTRICT_ROOTING |
| default y |
| help |
| Say Y here if you want to restrict functions related setuid. Only allowed |
| process can chanage ROOT privilege. Saying N will not restrict changing |
| permission. |
| |
| config SEC_RESTRICT_FORK |
| bool "Restrict forking process except allowed process" |
| depends on SEC_RESTRICT_ROOTING |
| default y |
| help |
| Say Y here if you want to restrict function related fork. Process matched |
| special condition will be not forked. Saying N will not restrict forking |
| process. |
| |
| config SEC_RESTRICT_ROOTING_LOG |
| bool "Print restricted result to kernel log" |
| depends on SEC_RESTRICT_ROOTING |
| default n |
| help |
| Say Y here if you want to see result of restricting SETUID or FORK. It will |
| be displayed by kernel error log. Saying N will not be displayed anything. |
| |
| source "drivers/hwtracing/coresight/Kconfig" |
| |
| endmenu |