Merge "CDD: Clarify the requirement for kernel stack buffer overflow protections." into oreo-dev
am: ab75ac73a1
Change-Id: I9e7a3349b07a45559129352cc14d397ced014266
diff --git a/9_security-model/9_7_kernel-security-features.md b/9_security-model/9_7_kernel-security-features.md
index a6a5d8d..e4aebaa 100644
--- a/9_security-model/9_7_kernel-security-features.md
+++ b/9_security-model/9_7_kernel-security-features.md
@@ -30,8 +30,9 @@
Kernel integrity and self-protection features are integral to Android
security. Device implementations:
-* [C-0-7] MUST implement kernel stack buffer overflow protections
-(e.g. `CONFIG_CC_STACKPROTECTOR_STRONG`).
+* [C-0-7] MUST implement kernel stack buffer overflow protection mechanisms.
+Examples of such mechanisms are `CC_STACKPROTECTOR_REGULAR` and
+`CONFIG_CC_STACKPROTECTOR_STRONG`.
* [C-0-8] MUST implement strict kernel memory protections where executable
code is read-only, read-only data is non-executable and non-writable, and
writable data is non-executable (e.g. `CONFIG_DEBUG_RODATA` or `CONFIG_STRICT_KERNEL_RWX`).
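
Review bot: `CC_STACKPROTECTOR_REGULAR` on the first added example line lacks the `CONFIG_` prefix that `CONFIG_CC_STACKPROTECTOR_STRONG` carries on the very next line, and that the other options in this list (`CONFIG_DEBUG_RODATA`, `CONFIG_STRICT_KERNEL_RWX`) also use. Write it as `CONFIG_CC_STACKPROTECTOR_REGULAR` so both examples can be checked against a kernel config in the same form. The new wording also lists the regular and strong modes side by side as equal examples; if either one alone is meant to satisfy [C-0-7], saying so explicitly would remove the remaining ambiguity this change sets out to clarify.
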
@@ -72,4 +73,4 @@
If device implementations use kernel other than Linux, they:
* [C-2-1] MUST use an mandatory access control system that is
-equivalent to SELinux.
\ No newline at end of file
+equivalent to SELinux.
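
Review bot: the [C-2-1] context line reads "MUST use an mandatory access control system"; since this hunk already rewrites the end of that sentence to add the missing end-of-file newline, change "an mandatory" to "a mandatory" in the same pass. The newline fix is unrelated to the stack-protector clarification named in the commit subject, so it deserves a mention in the commit message.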