From aa54797c347c28b554b251c454ef83595cefe1ae Mon Sep 17 00:00:00 2001
From: Jess Sullivan
Date: Sat, 9 May 2026 14:25:54 -0400
Subject: [PATCH] security: allow absent usercopy default symbol
---
 xr/scripts/check-security-config.sh | 17 ++++++++++++++++-
 xr/source-sync.md | 3 ++-
 2 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/xr/scripts/check-security-config.sh b/xr/scripts/check-security-config.sh
index 874aaea5ae5de5..9f6a6f0f838ecc 100755
--- a/xr/scripts/check-security-config.sh
+++ b/xr/scripts/check-security-config.sh
@@ -58,6 +58,21 @@ expect_value() {
   fi
 }
 
+expect_value_when_available() {
+  local key="$1"
+  local expected="$2"
+  local actual
+
+  actual="$(config_line "${key}")"
+  if [[ -z "${actual}" ]]; then
+    echo " OK: ${key} absent in this kernel Kconfig"
+  elif [[ "${actual}" == "${key}=${expected}" ]]; then
+    echo " OK: ${key}=${expected}"
+  else
+    fail_key "${key}" "${expected} when available" "${actual}"
+  fi
+}
+
 expect_disabled_or_absent() {
   local key="$1"
   local actual
@@ -131,7 +146,7 @@ expect_value CONFIG_EVM y
 # General hardening options that should not regress in this kernel lane.
 expect_value CONFIG_BPF_UNPRIV_DEFAULT_OFF y
 expect_value CONFIG_HARDENED_USERCOPY y
-expect_value CONFIG_HARDENED_USERCOPY_DEFAULT_ON y
+expect_value_when_available CONFIG_HARDENED_USERCOPY_DEFAULT_ON y
 expect_value CONFIG_SLAB_FREELIST_HARDENED y
 expect_value CONFIG_STRICT_DEVMEM y
 expect_value CONFIG_LSM_MMAP_MIN_ADDR 65535
diff --git a/xr/source-sync.md b/xr/source-sync.md
index 0b26811ed98676..758c0a7689a699 100644
--- a/xr/source-sync.md
+++ b/xr/source-sync.md
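Review bot: The new `expect_value_when_available` treats an empty `config_line` result as a pass, but a symbol the kernel's Kconfig does know is equally absent from a generated `.config` when one of its `depends on` is unmet, so the helper cannot distinguish "not in this kernel" from "exists but was hidden by a deselected dependency"; for the single caller in the second hunk that is only safe because `expect_value CONFIG_HARDENED_USERCOPY y` is asserted on the line before it. I would write that contract above the function so the next caller does not rely on it by accident, e.g. `# Absence is only trustworthy when every dependency of ${key} is asserted by its own expect_value line; a symbol hidden by an unmet depends-on is also absent.` I'd also print the absent branch as `  SKIP: ${key} absent in this kernel Kconfig` rather than `OK:` so a report reader can separate verified settings from not-applicable ones, and, if the script has a path to the kernel source tree, confirm absence there (no `config ${key#CONFIG_}` entry under Kconfig) before accepting it — `config_line` is defined outside this hunk, so whether it already does something like that I cannot tell from here.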
@@ -16,7 +16,8 @@ As of 2026-05-09: repo-managed reserved-`CVE-2026-43500` RxRPC build route. The zero-fuzz DSC carry conflict is fixed; the next proof gate is preserving the `CONFIG_FW_LOADER_USER_HELPER=n` systemd/Rocky boot contract on this older - Kconfig. + Kconfig while allowing hardening symbols that do not exist yet in `6.12.y` to + be absent rather than disabled. - RT candidate floor: `v7.0.1` with `patch-7.0.1-rt2` - RT blockers: newest stable `v7.0.5` has no matching RT patch yet; `v6.18.13-rt4` fails the CVE-2026-31431 gate because the repo does not carry a 6.18.13 backport