Merge pull request #300815 from amarshall/linux-common-hardening
linux: set various common hardening config
This commit is contained in:
commit
93fb179750
@ -47,6 +47,9 @@ in mapAttrs (_: lP: testsForLinuxPackages lP) kernels // {
|
|||||||
passthru = {
|
passthru = {
|
||||||
inherit testsForLinuxPackages;
|
inherit testsForLinuxPackages;
|
||||||
|
|
||||||
|
# Useful for development testing of all Kernel configs without building full Kernel
|
||||||
|
configfiles = mapAttrs (_: lP: lP.kernel.configfile) kernels;
|
||||||
|
|
||||||
testsForKernel = kernel: testsForLinuxPackages (pkgs.linuxPackagesFor kernel);
|
testsForKernel = kernel: testsForLinuxPackages (pkgs.linuxPackagesFor kernel);
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
@ -667,20 +667,29 @@ let
|
|||||||
};
|
};
|
||||||
|
|
||||||
security = {
|
security = {
|
||||||
|
# Report BUG() conditions and kill the offending process.
|
||||||
|
BUG = yes;
|
||||||
|
BUG_ON_DATA_CORRUPTION = yes;
|
||||||
|
|
||||||
FORTIFY_SOURCE = option yes;
|
FORTIFY_SOURCE = option yes;
|
||||||
|
|
||||||
# https://googleprojectzero.blogspot.com/2019/11/bad-binder-android-in-wild-exploit.html
|
# https://googleprojectzero.blogspot.com/2019/11/bad-binder-android-in-wild-exploit.html
|
||||||
DEBUG_LIST = yes;
|
DEBUG_LIST = yes;
|
||||||
|
|
||||||
HARDENED_USERCOPY = yes;
|
HARDENED_USERCOPY = yes;
|
||||||
RANDOMIZE_BASE = option yes;
|
RANDOMIZE_BASE = option yes;
|
||||||
|
STRICT_KERNEL_RWX = yes;
|
||||||
|
STRICT_MODULE_RWX = yes;
|
||||||
STRICT_DEVMEM = mkDefault yes; # Filter access to /dev/mem
|
STRICT_DEVMEM = mkDefault yes; # Filter access to /dev/mem
|
||||||
IO_STRICT_DEVMEM = mkDefault yes;
|
IO_STRICT_DEVMEM = mkDefault yes;
|
||||||
SECURITY_SELINUX_BOOTPARAM_VALUE = whenOlder "5.1" (freeform "0"); # Disable SELinux by default
|
SECURITY_SELINUX_BOOTPARAM_VALUE = whenOlder "5.1" (freeform "0"); # Disable SELinux by default
|
||||||
|
|
||||||
# Prevent processes from ptracing non-children processes
|
# Prevent processes from ptracing non-children processes
|
||||||
SECURITY_YAMA = option yes;
|
SECURITY_YAMA = option yes;
|
||||||
# The goal of Landlock is to enable to restrict ambient rights (e.g. global filesystem access) for a set of processes.
|
# The goal of Landlock is to enable to restrict ambient rights (e.g. global filesystem access) for a set of processes.
|
||||||
# This does not have any effect if a program does not support it
|
# This does not have any effect if a program does not support it
|
||||||
SECURITY_LANDLOCK = whenAtLeast "5.13" yes;
|
SECURITY_LANDLOCK = whenAtLeast "5.13" yes;
|
||||||
|
|
||||||
DEVKMEM = whenOlder "5.13" no; # Disable /dev/kmem
|
DEVKMEM = whenOlder "5.13" no; # Disable /dev/kmem
|
||||||
|
|
||||||
USER_NS = yes; # Support for user namespaces
|
USER_NS = yes; # Support for user namespaces
|
||||||
@ -715,6 +724,10 @@ let
|
|||||||
|
|
||||||
# Enable support for page poisoning. Still needs to be enabled on the command line to actually work.
|
# Enable support for page poisoning. Still needs to be enabled on the command line to actually work.
|
||||||
PAGE_POISONING = yes;
|
PAGE_POISONING = yes;
|
||||||
|
# Randomize page allocator when page_alloc.shuffle=1
|
||||||
|
SHUFFLE_PAGE_ALLOCATOR = whenAtLeast "5.2" yes;
|
||||||
|
|
||||||
|
INIT_ON_ALLOC_DEFAULT_ON = whenAtLeast "5.3" yes;
|
||||||
|
|
||||||
# Enable stack smashing protections in schedule()
|
# Enable stack smashing protections in schedule()
|
||||||
# See: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=v4.8&id=0d9e26329b0c9263d4d9e0422d80a0e73268c52f
|
# See: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=v4.8&id=0d9e26329b0c9263d4d9e0422d80a0e73268c52f
|
||||||
@ -739,6 +752,10 @@ let
|
|||||||
# Mitigate straight line speculation at the cost of some file size
|
# Mitigate straight line speculation at the cost of some file size
|
||||||
SLS = whenBetween "5.17" "6.9" yes;
|
SLS = whenBetween "5.17" "6.9" yes;
|
||||||
MITIGATION_SLS = whenAtLeast "6.9" yes;
|
MITIGATION_SLS = whenAtLeast "6.9" yes;
|
||||||
|
|
||||||
|
DEFAULT_MMAP_MIN_ADDR = freeform "65536";
|
||||||
|
} // optionalAttrs stdenv.hostPlatform.isAarch64 {
|
||||||
|
DEFAULT_MMAP_MIN_ADDR = freeform "32768";
|
||||||
};
|
};
|
||||||
|
|
||||||
microcode = {
|
microcode = {
|
||||||
|
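Review bot: The `optionalAttrs stdenv.hostPlatform.isAarch64` override at the end of the last hunk lowers DEFAULT_MMAP_MIN_ADDR to 32768 only for 64-bit ARM, so an armv7l kernel built from this file still gets 65536; the Kconfig help for this option says it should not be higher than 32768 on arm, so the predicate likely wants to cover both ARM widths, e.g. `} // optionalAttrs stdenv.hostPlatform.isAarch {` — confirm that predicate exists in the lib.systems in use before switching. Neither value carries a comment on what is being traded; above `DEFAULT_MMAP_MIN_ADDR = freeform "65536";` I would add `# Forbid user mappings below this address to blunt kernel NULL-pointer-dereference bugs; programs that need low mappings (e.g. vm86) need CAP_SYS_RAWIO or a lower vm.mmap_min_addr sysctl`. In the preceding hunk, `INIT_ON_ALLOC_DEFAULT_ON` arrives without the comment it had in the hardened profile; `# Zero-fill page and slab allocations by default (init_on_alloc=1); overridable on the kernel command line` keeps the intent visible. The `security` attrset these hunks extend begins outside the last hunk.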
@ -17,9 +17,6 @@ with (lib.kernel.whenHelpers version);
|
|||||||
assert (versionAtLeast version "4.9");
|
assert (versionAtLeast version "4.9");
|
||||||
|
|
||||||
{
|
{
|
||||||
# Report BUG() conditions and kill the offending process.
|
|
||||||
BUG = yes;
|
|
||||||
|
|
||||||
# Mark LSM hooks read-only after init. SECURITY_WRITABLE_HOOKS n
|
# Mark LSM hooks read-only after init. SECURITY_WRITABLE_HOOKS n
|
||||||
# conflicts with SECURITY_SELINUX_DISABLE y; disabling the latter
|
# conflicts with SECURITY_SELINUX_DISABLE y; disabling the latter
|
||||||
# implicitly marks LSM hooks read-only after init.
|
# implicitly marks LSM hooks read-only after init.
|
||||||
@ -31,8 +28,6 @@ assert (versionAtLeast version "4.9");
|
|||||||
SECURITY_SELINUX_DISABLE = whenOlder "6.4" no; # On 6.4: error: unused option: SECURITY_SELINUX_DISABLE
|
SECURITY_SELINUX_DISABLE = whenOlder "6.4" no; # On 6.4: error: unused option: SECURITY_SELINUX_DISABLE
|
||||||
SECURITY_WRITABLE_HOOKS = option no;
|
SECURITY_WRITABLE_HOOKS = option no;
|
||||||
|
|
||||||
STRICT_KERNEL_RWX = yes;
|
|
||||||
|
|
||||||
# Perform additional validation of commonly targeted structures.
|
# Perform additional validation of commonly targeted structures.
|
||||||
DEBUG_CREDENTIALS = whenOlder "6.6" yes;
|
DEBUG_CREDENTIALS = whenOlder "6.6" yes;
|
||||||
DEBUG_NOTIFIERS = yes;
|
DEBUG_NOTIFIERS = yes;
|
||||||
@ -51,16 +46,11 @@ assert (versionAtLeast version "4.9");
|
|||||||
# restricts loading of line disciplines via TIOCSETD ioctl to CAP_SYS_MODULE
|
# restricts loading of line disciplines via TIOCSETD ioctl to CAP_SYS_MODULE
|
||||||
CONFIG_LDISC_AUTOLOAD = option no;
|
CONFIG_LDISC_AUTOLOAD = option no;
|
||||||
|
|
||||||
# Randomize page allocator when page_alloc.shuffle=1
|
|
||||||
SHUFFLE_PAGE_ALLOCATOR = whenAtLeast "5.2" yes;
|
|
||||||
|
|
||||||
# Wipe higher-level memory allocations on free() with page_poison=1
|
# Wipe higher-level memory allocations on free() with page_poison=1
|
||||||
PAGE_POISONING = yes;
|
|
||||||
PAGE_POISONING_NO_SANITY = whenOlder "5.11" yes;
|
PAGE_POISONING_NO_SANITY = whenOlder "5.11" yes;
|
||||||
PAGE_POISONING_ZERO = whenOlder "5.11" yes;
|
PAGE_POISONING_ZERO = whenOlder "5.11" yes;
|
||||||
|
|
||||||
# Enable init_on_alloc and init_on_free by default
|
# Enable init_on_free by default
|
||||||
INIT_ON_ALLOC_DEFAULT_ON = whenAtLeast "5.3" yes;
|
|
||||||
INIT_ON_FREE_DEFAULT_ON = whenAtLeast "5.3" yes;
|
INIT_ON_FREE_DEFAULT_ON = whenAtLeast "5.3" yes;
|
||||||
|
|
||||||
# Wipe all caller-used registers on exit from a function
|
# Wipe all caller-used registers on exit from a function
|
||||||
@ -113,9 +103,6 @@ assert (versionAtLeast version "4.9");
|
|||||||
CC_STACKPROTECTOR_REGULAR = lib.mkForce (whenOlder "4.18" no);
|
CC_STACKPROTECTOR_REGULAR = lib.mkForce (whenOlder "4.18" no);
|
||||||
CC_STACKPROTECTOR_STRONG = whenOlder "4.18" yes;
|
CC_STACKPROTECTOR_STRONG = whenOlder "4.18" yes;
|
||||||
|
|
||||||
# Detect out-of-bound reads/writes and use-after-free
|
|
||||||
KFENCE = whenAtLeast "5.12" yes;
|
|
||||||
|
|
||||||
# CONFIG_DEVMEM=n causes these to not exist anymore.
|
# CONFIG_DEVMEM=n causes these to not exist anymore.
|
||||||
STRICT_DEVMEM = option no;
|
STRICT_DEVMEM = option no;
|
||||||
IO_STRICT_DEVMEM = option no;
|
IO_STRICT_DEVMEM = option no;
|
||||||
@ -126,8 +113,4 @@ assert (versionAtLeast version "4.9");
|
|||||||
|
|
||||||
# not needed for less than a decade old glibc versions
|
# not needed for less than a decade old glibc versions
|
||||||
LEGACY_VSYSCALL_NONE = yes;
|
LEGACY_VSYSCALL_NONE = yes;
|
||||||
|
|
||||||
# Straight-Line-Speculation
|
|
||||||
# https://lwn.net/Articles/877845/
|
|
||||||
SLS = option yes;
|
|
||||||
}
|
}
|
||||||
|
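Review bot: With `PAGE_POISONING = yes;` removed from the third hunk, the comment `# Wipe higher-level memory allocations on free() with page_poison=1` now heads `PAGE_POISONING_NO_SANITY` and `PAGE_POISONING_ZERO`, which only tune poisoning that this profile no longer enables itself; I would reword it to `# Tuning for PAGE_POISONING (now enabled in common-config.nix); both sub-options are gone since 5.11` so the `whenOlder "5.11"` guards read naturally. The edited comment `# Enable init_on_free by default` could likewise note that `init_on_alloc` moved to the common config, so a reader of this profile alone does not conclude it was dropped. This dedup assumes the hardened profile is always layered on top of common-config.nix, which is where these options now live — worth a one-line comment near the top of the file if that is the contract. The top-level attrset this hunk belongs to opens at `{` in an earlier hunk and closes in the last one.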