linux: Enable HARDENED_USERCOPY

Enabled in [Arch][1], [Debian][2], [Fedora][3]. Recommended by [Kernel Self Protection Project][4]. Originally [reported to have no noticeable performance impact][5]. [1]: 66d72ee54a/trunk/config (L10252) [2]: 07731f5956/debian/config/config (L7710) [3]: 6d6ad72f0c/f/kernel-x86_64-fedora.config (_2202) [4]: https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings [5]: https://lwn.net/Articles/695991/
2024-11-27 09:23:01 +00:00 · 2022-08-27 11:40:23 -04:00 · 2022-08-27 11:40:23 -04:00 · 7c49efdd2a
commit 7c49efdd2a
parent ff346a442d
1 changed files with 1 additions and 0 deletions
--- a/pkgs/os-specific/linux/kernel/common-config.nix
+++ b/pkgs/os-specific/linux/kernel/common-config.nix
@ -481,6 +481,7 @@ let
      DEBUG_LIST                       = yes;
      # Detect writes to read-only module pages
      DEBUG_SET_MODULE_RONX            = whenOlder "4.11" (option yes);
+      HARDENED_USERCOPY                = yes;
      RANDOMIZE_BASE                   = option yes;
      STRICT_DEVMEM                    = mkDefault yes; # Filter access to /dev/mem
      IO_STRICT_DEVMEM                 = mkDefault yes;