Android 8.0 added kernel hardening features to help mitigate kernel vulnerabilities and find bugs in kernel drivers. The features are in kernel/common in branches android-3.18, android-4.4, and android-4.9.
To acquire these features, device manufacturers and SOCs should merge all
hardening patches from kernel/common
to their kernel tree and
enable the following kernel configuration options:
CONFIG_HARDENED_USERCOPY=y
CONFIG_ARM64_SW_TTBR0_PAN=y
CONFIG_CPU_SW_DOMAIN_PAN=y
CONFIG_RANDOMIZE_BASE=y
KASLR also requires bootloader support for passing hardware entropy through
either the device tree node /chosen/kaslr-seed
or by implementing
EFI_RNG_PROTOCOL
.
Also ensure existing hardening features are enabled:
CONFIG_CC_STACKPROTECTOR_STRONG=y
CONFIG_DEBUG_RODATA=y
or
CONFIG_STRICT_KERNEL_RWX=y
CONFIG_X86_SMAP=y
To test your implementation, add CONFIG_LKDTM=y
to the kernel
configuration and confirm that each of the following commands lead to a kernel
panic:
echo ACCESS_USERSPACE > /sys/kernel/debug/provoke-crash/DIRECT
echo EXEC_USERSPACE > /sys/kernel/debug/provoke-crash/DIRECT
echo WRITE_RO > /sys/kernel/debug/provoke-crash/DIRECT
echo WRITE_RO_AFTER_INIT > /sys/kernel/debug/provoke-crash/DIRECT
echo WRITE_KERN > /sys/kernel/debug/provoke-crash/DIRECT
echo EXEC_STACK > /sys/kernel/debug/provoke-crash/DIRECT
echo EXEC_RODATA > /sys/kernel/debug/provoke-crash/DIRECT
echo EXEC_KMALLOC > /sys/kernel/debug/provoke-crash/DIRECT
echo EXEC_VMALLOC > /sys/kernel/debug/provoke-crash/DIRECT
echo CORRUPT_STACK > /sys/kernel/debug/provoke-crash/DIRECT
For android-4.9:
echo USERCOPY_HEAP_SIZE_TO > /sys/kernel/debug/provoke-crash/DIRECT
echo USERCOPY_HEAP_SIZE_FROM > /sys/kernel/debug/provoke-crash/DIRECT
These changes are likely to expose bugs in kernel drivers, which need to be fixed either by the device manufacturer or the owner of the kernel driver.
copy_to_user()
/copy_from_user()
functions instead.