Android 8.0 added kernel hardening features to help mitigate kernel vulnerabilities and find bugs in kernel drivers. The features are in kernel/common in branches android-3.18, android-4.4, and android-4.9.
To acquire these features, device manufacturers and SOCs should merge all
hardening patches from kernel/common to their kernel tree and
enable the following kernel configuration options:
CONFIG_HARDENED_USERCOPY=yCONFIG_ARM64_SW_TTBR0_PAN=yCONFIG_CPU_SW_DOMAIN_PAN=yCONFIG_RANDOMIZE_BASE=y
KASLR also requires bootloader support for passing hardware entropy through
either the device tree node /chosen/kaslr-seed or by implementing
EFI_RNG_PROTOCOL.
Also ensure existing hardening features are enabled:
CONFIG_CC_STACKPROTECTOR_STRONG=yCONFIG_DEBUG_RODATA=y or
CONFIG_STRICT_KERNEL_RWX=yCONFIG_X86_SMAP=y
To test your implementation, add CONFIG_LKDTM=y to the kernel
configuration and confirm that each of the following commands lead to a kernel
panic:
echo ACCESS_USERSPACE > /sys/kernel/debug/provoke-crash/DIRECTecho EXEC_USERSPACE > /sys/kernel/debug/provoke-crash/DIRECTecho WRITE_RO > /sys/kernel/debug/provoke-crash/DIRECTecho WRITE_RO_AFTER_INIT > /sys/kernel/debug/provoke-crash/DIRECTecho WRITE_KERN > /sys/kernel/debug/provoke-crash/DIRECTecho EXEC_STACK > /sys/kernel/debug/provoke-crash/DIRECTecho EXEC_RODATA > /sys/kernel/debug/provoke-crash/DIRECTecho EXEC_KMALLOC > /sys/kernel/debug/provoke-crash/DIRECTecho EXEC_VMALLOC > /sys/kernel/debug/provoke-crash/DIRECTecho CORRUPT_STACK > /sys/kernel/debug/provoke-crash/DIRECT
For android-4.9:
echo USERCOPY_HEAP_SIZE_TO > /sys/kernel/debug/provoke-crash/DIRECTecho USERCOPY_HEAP_SIZE_FROM > /sys/kernel/debug/provoke-crash/DIRECT
These changes are likely to expose bugs in kernel drivers, which need to be fixed either by the device manufacturer or the owner of the kernel driver.
copy_to_user()/copy_from_user()
functions instead.