Merge pull request #300815 from amarshall/linux-common-hardening

linux: set various common hardening config
This commit is contained in:
K900 2024-06-12 19:01:57 +03:00 committed by GitHub
commit 93fb179750
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 21 additions and 18 deletions

View File

@ -47,6 +47,9 @@ in mapAttrs (_: lP: testsForLinuxPackages lP) kernels // {
passthru = { passthru = {
inherit testsForLinuxPackages; inherit testsForLinuxPackages;
# Useful for development testing of all Kernel configs without building full Kernel
configfiles = mapAttrs (_: lP: lP.kernel.configfile) kernels;
testsForKernel = kernel: testsForLinuxPackages (pkgs.linuxPackagesFor kernel); testsForKernel = kernel: testsForLinuxPackages (pkgs.linuxPackagesFor kernel);
}; };
} }

View File

@ -667,20 +667,29 @@ let
}; };
security = { security = {
# Report BUG() conditions and kill the offending process.
BUG = yes;
BUG_ON_DATA_CORRUPTION = yes;
FORTIFY_SOURCE = option yes; FORTIFY_SOURCE = option yes;
# https://googleprojectzero.blogspot.com/2019/11/bad-binder-android-in-wild-exploit.html # https://googleprojectzero.blogspot.com/2019/11/bad-binder-android-in-wild-exploit.html
DEBUG_LIST = yes; DEBUG_LIST = yes;
HARDENED_USERCOPY = yes; HARDENED_USERCOPY = yes;
RANDOMIZE_BASE = option yes; RANDOMIZE_BASE = option yes;
STRICT_KERNEL_RWX = yes;
STRICT_MODULE_RWX = yes;
STRICT_DEVMEM = mkDefault yes; # Filter access to /dev/mem STRICT_DEVMEM = mkDefault yes; # Filter access to /dev/mem
IO_STRICT_DEVMEM = mkDefault yes; IO_STRICT_DEVMEM = mkDefault yes;
SECURITY_SELINUX_BOOTPARAM_VALUE = whenOlder "5.1" (freeform "0"); # Disable SELinux by default SECURITY_SELINUX_BOOTPARAM_VALUE = whenOlder "5.1" (freeform "0"); # Disable SELinux by default
# Prevent processes from ptracing non-children processes # Prevent processes from ptracing non-children processes
SECURITY_YAMA = option yes; SECURITY_YAMA = option yes;
# The goal of Landlock is to enable to restrict ambient rights (e.g. global filesystem access) for a set of processes. # The goal of Landlock is to enable to restrict ambient rights (e.g. global filesystem access) for a set of processes.
# This does not have any effect if a program does not support it # This does not have any effect if a program does not support it
SECURITY_LANDLOCK = whenAtLeast "5.13" yes; SECURITY_LANDLOCK = whenAtLeast "5.13" yes;
DEVKMEM = whenOlder "5.13" no; # Disable /dev/kmem DEVKMEM = whenOlder "5.13" no; # Disable /dev/kmem
USER_NS = yes; # Support for user namespaces USER_NS = yes; # Support for user namespaces
@ -715,6 +724,10 @@ let
# Enable support for page poisoning. Still needs to be enabled on the command line to actually work. # Enable support for page poisoning. Still needs to be enabled on the command line to actually work.
PAGE_POISONING = yes; PAGE_POISONING = yes;
# Randomize page allocator when page_alloc.shuffle=1
SHUFFLE_PAGE_ALLOCATOR = whenAtLeast "5.2" yes;
INIT_ON_ALLOC_DEFAULT_ON = whenAtLeast "5.3" yes;
# Enable stack smashing protections in schedule() # Enable stack smashing protections in schedule()
# See: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=v4.8&id=0d9e26329b0c9263d4d9e0422d80a0e73268c52f # See: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=v4.8&id=0d9e26329b0c9263d4d9e0422d80a0e73268c52f
@ -739,6 +752,10 @@ let
# Mitigate straight line speculation at the cost of some file size # Mitigate straight line speculation at the cost of some file size
SLS = whenBetween "5.17" "6.9" yes; SLS = whenBetween "5.17" "6.9" yes;
MITIGATION_SLS = whenAtLeast "6.9" yes; MITIGATION_SLS = whenAtLeast "6.9" yes;
DEFAULT_MMAP_MIN_ADDR = freeform "65536";
} // optionalAttrs stdenv.hostPlatform.isAarch64 {
DEFAULT_MMAP_MIN_ADDR = freeform "32768";
}; };
microcode = { microcode = {

View File

@ -17,9 +17,6 @@ with (lib.kernel.whenHelpers version);
assert (versionAtLeast version "4.9"); assert (versionAtLeast version "4.9");
{ {
# Report BUG() conditions and kill the offending process.
BUG = yes;
# Mark LSM hooks read-only after init. SECURITY_WRITABLE_HOOKS n # Mark LSM hooks read-only after init. SECURITY_WRITABLE_HOOKS n
# conflicts with SECURITY_SELINUX_DISABLE y; disabling the latter # conflicts with SECURITY_SELINUX_DISABLE y; disabling the latter
# implicitly marks LSM hooks read-only after init. # implicitly marks LSM hooks read-only after init.
@ -31,8 +28,6 @@ assert (versionAtLeast version "4.9");
SECURITY_SELINUX_DISABLE = whenOlder "6.4" no; # On 6.4: error: unused option: SECURITY_SELINUX_DISABLE SECURITY_SELINUX_DISABLE = whenOlder "6.4" no; # On 6.4: error: unused option: SECURITY_SELINUX_DISABLE
SECURITY_WRITABLE_HOOKS = option no; SECURITY_WRITABLE_HOOKS = option no;
STRICT_KERNEL_RWX = yes;
# Perform additional validation of commonly targeted structures. # Perform additional validation of commonly targeted structures.
DEBUG_CREDENTIALS = whenOlder "6.6" yes; DEBUG_CREDENTIALS = whenOlder "6.6" yes;
DEBUG_NOTIFIERS = yes; DEBUG_NOTIFIERS = yes;
@ -51,16 +46,11 @@ assert (versionAtLeast version "4.9");
# restricts loading of line disciplines via TIOCSETD ioctl to CAP_SYS_MODULE # restricts loading of line disciplines via TIOCSETD ioctl to CAP_SYS_MODULE
CONFIG_LDISC_AUTOLOAD = option no; CONFIG_LDISC_AUTOLOAD = option no;
# Randomize page allocator when page_alloc.shuffle=1
SHUFFLE_PAGE_ALLOCATOR = whenAtLeast "5.2" yes;
# Wipe higher-level memory allocations on free() with page_poison=1 # Wipe higher-level memory allocations on free() with page_poison=1
PAGE_POISONING = yes;
PAGE_POISONING_NO_SANITY = whenOlder "5.11" yes; PAGE_POISONING_NO_SANITY = whenOlder "5.11" yes;
PAGE_POISONING_ZERO = whenOlder "5.11" yes; PAGE_POISONING_ZERO = whenOlder "5.11" yes;
# Enable init_on_alloc and init_on_free by default # Enable init_on_free by default
INIT_ON_ALLOC_DEFAULT_ON = whenAtLeast "5.3" yes;
INIT_ON_FREE_DEFAULT_ON = whenAtLeast "5.3" yes; INIT_ON_FREE_DEFAULT_ON = whenAtLeast "5.3" yes;
# Wipe all caller-used registers on exit from a function # Wipe all caller-used registers on exit from a function
@ -113,9 +103,6 @@ assert (versionAtLeast version "4.9");
CC_STACKPROTECTOR_REGULAR = lib.mkForce (whenOlder "4.18" no); CC_STACKPROTECTOR_REGULAR = lib.mkForce (whenOlder "4.18" no);
CC_STACKPROTECTOR_STRONG = whenOlder "4.18" yes; CC_STACKPROTECTOR_STRONG = whenOlder "4.18" yes;
# Detect out-of-bound reads/writes and use-after-free
KFENCE = whenAtLeast "5.12" yes;
# CONFIG_DEVMEM=n causes these to not exist anymore. # CONFIG_DEVMEM=n causes these to not exist anymore.
STRICT_DEVMEM = option no; STRICT_DEVMEM = option no;
IO_STRICT_DEVMEM = option no; IO_STRICT_DEVMEM = option no;
@ -126,8 +113,4 @@ assert (versionAtLeast version "4.9");
# not needed for less than a decade old glibc versions # not needed for less than a decade old glibc versions
LEGACY_VSYSCALL_NONE = yes; LEGACY_VSYSCALL_NONE = yes;
# Straight-Line-Speculation
# https://lwn.net/Articles/877845/
SLS = option yes;
} }