Merge pull request #300815 from amarshall/linux-common-hardening

linux: set various common hardening config

nixos/tests/kernel-generic.nix

@@ -47,6 +47,9 @@ in mapAttrs (_: lP: testsForLinuxPackages lP) kernels // {
   passthru = {
     inherit testsForLinuxPackages;
 
+    # Useful for development testing of all Kernel configs without building full Kernel
+    configfiles = mapAttrs (_: lP: lP.kernel.configfile) kernels;
+
     testsForKernel = kernel: testsForLinuxPackages (pkgs.linuxPackagesFor kernel);
   };
 }

pkgs/os-specific/linux/kernel/common-config.nix

@@ -667,20 +667,29 @@ let
     };
 
     security = {
+      # Report BUG() conditions and kill the offending process.
+      BUG = yes;
+      BUG_ON_DATA_CORRUPTION = yes;
+
       FORTIFY_SOURCE                   = option yes;
 
       # https://googleprojectzero.blogspot.com/2019/11/bad-binder-android-in-wild-exploit.html
       DEBUG_LIST                       = yes;
+
       HARDENED_USERCOPY                = yes;
       RANDOMIZE_BASE                   = option yes;
+      STRICT_KERNEL_RWX                = yes;
+      STRICT_MODULE_RWX                = yes;
       STRICT_DEVMEM                    = mkDefault yes; # Filter access to /dev/mem
       IO_STRICT_DEVMEM                 = mkDefault yes;
       SECURITY_SELINUX_BOOTPARAM_VALUE = whenOlder "5.1" (freeform "0"); # Disable SELinux by default
+
       # Prevent processes from ptracing non-children processes
       SECURITY_YAMA                    = option yes;
       # The goal of Landlock is to enable to restrict ambient rights (e.g. global filesystem access) for a set of processes.
       # This does not have any effect if a program does not support it
       SECURITY_LANDLOCK                = whenAtLeast "5.13" yes;
+
       DEVKMEM                          = whenOlder "5.13" no; # Disable /dev/kmem
 
       USER_NS                          = yes; # Support for user namespaces
@@ -715,6 +724,10 @@ let
 
       # Enable support for page poisoning. Still needs to be enabled on the command line to actually work.
       PAGE_POISONING                   = yes;
+      # Randomize page allocator when page_alloc.shuffle=1
+      SHUFFLE_PAGE_ALLOCATOR = whenAtLeast "5.2" yes;
+
+      INIT_ON_ALLOC_DEFAULT_ON = whenAtLeast "5.3" yes;
 
       # Enable stack smashing protections in schedule()
       # See: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=v4.8&id=0d9e26329b0c9263d4d9e0422d80a0e73268c52f
@@ -739,6 +752,10 @@ let
       # Mitigate straight line speculation at the cost of some file size
       SLS = whenBetween "5.17" "6.9" yes;
       MITIGATION_SLS = whenAtLeast "6.9" yes;
+
+      DEFAULT_MMAP_MIN_ADDR = freeform "65536";
+    } // optionalAttrs stdenv.hostPlatform.isAarch64 {
+      DEFAULT_MMAP_MIN_ADDR = freeform "32768";
     };
 
     microcode = {

pkgs/os-specific/linux/kernel/hardened/config.nix

@@ -17,9 +17,6 @@ with (lib.kernel.whenHelpers version);
 assert (versionAtLeast version "4.9");
 
 {
-  # Report BUG() conditions and kill the offending process.
-  BUG = yes;
-
   # Mark LSM hooks read-only after init.  SECURITY_WRITABLE_HOOKS n
   # conflicts with SECURITY_SELINUX_DISABLE y; disabling the latter
   # implicitly marks LSM hooks read-only after init.
@@ -31,8 +28,6 @@ assert (versionAtLeast version "4.9");
   SECURITY_SELINUX_DISABLE = whenOlder "6.4" no; # On 6.4: error: unused option: SECURITY_SELINUX_DISABLE
   SECURITY_WRITABLE_HOOKS  = option no;
 
-  STRICT_KERNEL_RWX = yes;
-
   # Perform additional validation of commonly targeted structures.
   DEBUG_CREDENTIALS     = whenOlder "6.6" yes;
   DEBUG_NOTIFIERS       = yes;
@@ -51,16 +46,11 @@ assert (versionAtLeast version "4.9");
   # restricts loading of line disciplines via TIOCSETD ioctl to CAP_SYS_MODULE
   CONFIG_LDISC_AUTOLOAD = option no;
 
-  # Randomize page allocator when page_alloc.shuffle=1
-  SHUFFLE_PAGE_ALLOCATOR = whenAtLeast "5.2" yes;
-
   # Wipe higher-level memory allocations on free() with page_poison=1
-  PAGE_POISONING           = yes;
   PAGE_POISONING_NO_SANITY = whenOlder "5.11" yes;
   PAGE_POISONING_ZERO      = whenOlder "5.11" yes;
 
-  # Enable init_on_alloc and init_on_free by default
-  INIT_ON_ALLOC_DEFAULT_ON = whenAtLeast "5.3" yes;
+  # Enable init_on_free by default
   INIT_ON_FREE_DEFAULT_ON  = whenAtLeast "5.3" yes;
 
   # Wipe all caller-used registers on exit from a function
@@ -113,9 +103,6 @@ assert (versionAtLeast version "4.9");
   CC_STACKPROTECTOR_REGULAR = lib.mkForce (whenOlder "4.18" no);
   CC_STACKPROTECTOR_STRONG  = whenOlder "4.18" yes;
 
-  # Detect out-of-bound reads/writes and use-after-free
-  KFENCE = whenAtLeast "5.12" yes;
-
   # CONFIG_DEVMEM=n causes these to not exist anymore.
   STRICT_DEVMEM    = option no;
   IO_STRICT_DEVMEM = option no;
@@ -126,8 +113,4 @@ assert (versionAtLeast version "4.9");
 
   # not needed for less than a decade old glibc versions
   LEGACY_VSYSCALL_NONE = yes;
-
-  # Straight-Line-Speculation
-  # https://lwn.net/Articles/877845/
-  SLS = option yes;
 }