Merge pull request #300815 from amarshall/linux-common-hardening
linux: set various common hardening config
commit
93fb179750
@ -47,6 +47,9 @@ in mapAttrs (_: lP: testsForLinuxPackages lP) kernels // {
|
||||
passthru = {
|
||||
inherit testsForLinuxPackages;
|
||||
|
||||
# Useful for development testing of all Kernel configs without building full Kernel
|
||||
configfiles = mapAttrs (_: lP: lP.kernel.configfile) kernels;
|
||||
|
||||
testsForKernel = kernel: testsForLinuxPackages (pkgs.linuxPackagesFor kernel);
|
||||
};
|
||||
}
|
||||
|
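Review bot: The comment on `configfiles` could say what building it actually buys: `lP.kernel.configfile` appears to be the derivation that produces the kernel's `.config`, so evaluating these attributes runs the config-generation step (which is where the option sets above are applied and, as far as I can tell, where the unused-option check happens) for every entry in `kernels` without compiling anything. Something like `# Build only the generated .config of every kernel; surfaces broken or unused options without a full kernel build` would tell the reader why this matters now that the common config gains several hard-set hardening options. The enclosing attrset continues outside this hunk.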
@ -667,20 +667,29 @@ let
|
||||
};
|
||||
|
||||
security = {
|
||||
# Report BUG() conditions and kill the offending process.
|
||||
BUG = yes;
|
||||
BUG_ON_DATA_CORRUPTION = yes;
|
||||
|
||||
FORTIFY_SOURCE = option yes;
|
||||
|
||||
# https://googleprojectzero.blogspot.com/2019/11/bad-binder-android-in-wild-exploit.html
|
||||
DEBUG_LIST = yes;
|
||||
|
||||
HARDENED_USERCOPY = yes;
|
||||
RANDOMIZE_BASE = option yes;
|
||||
STRICT_KERNEL_RWX = yes;
|
||||
STRICT_MODULE_RWX = yes;
|
||||
STRICT_DEVMEM = mkDefault yes; # Filter access to /dev/mem
|
||||
IO_STRICT_DEVMEM = mkDefault yes;
|
||||
SECURITY_SELINUX_BOOTPARAM_VALUE = whenOlder "5.1" (freeform "0"); # Disable SELinux by default
|
||||
|
||||
# Prevent processes from ptracing non-children processes
|
||||
SECURITY_YAMA = option yes;
|
||||
# The goal of Landlock is to enable to restrict ambient rights (e.g. global filesystem access) for a set of processes.
|
||||
# This does not have any effect if a program does not support it
|
||||
SECURITY_LANDLOCK = whenAtLeast "5.13" yes;
|
||||
|
||||
DEVKMEM = whenOlder "5.13" no; # Disable /dev/kmem
|
||||
|
||||
USER_NS = yes; # Support for user namespaces
|
||||
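Review bot: `STRICT_DEVMEM = mkDefault yes;` and `IO_STRICT_DEVMEM = mkDefault yes;` are not marked `option`, yet the hardened hunk at @ -113,9 +103,6 drops the `# CONFIG_DEVMEM=n causes these to not exist anymore.` entries that previously set both to `option no`. If any config layered on top of this still disables DEVMEM, neither symbol will exist in the generated `.config` and a hard-set value would presumably trip the unused-option check that the hardened comments elsewhere describe; either keeping the optional marker here, e.g. `STRICT_DEVMEM = mkDefault (option yes);` if that composes, or confirming that no remaining config sets DEVMEM=n would settle it. `STRICT_KERNEL_RWX = yes;` and `STRICT_MODULE_RWX = yes;` are likewise unconditional although the kernel only offers them on architectures that advertise the capability; if non-x86 builds rely on config errors being ignored, a comment saying so would spare the next reader the same question. The `security` attrset opened at `security = {` closes outside this hunk.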
@ -715,6 +724,10 @@ let
|
||||
|
||||
# Enable support for page poisoning. Still needs to be enabled on the command line to actually work.
|
||||
PAGE_POISONING = yes;
|
||||
# Randomize page allocator when page_alloc.shuffle=1
|
||||
SHUFFLE_PAGE_ALLOCATOR = whenAtLeast "5.2" yes;
|
||||
|
||||
INIT_ON_ALLOC_DEFAULT_ON = whenAtLeast "5.3" yes;
|
||||
|
||||
# Enable stack smashing protections in schedule()
|
||||
# See: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h=v4.8&id=0d9e26329b0c9263d4d9e0422d80a0e73268c52f
|
||||
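Review bot: `INIT_ON_ALLOC_DEFAULT_ON = whenAtLeast "5.3" yes;` arrives in the common config without a comment, while the hardened file it came from explained it (`# Enable init_on_alloc and init_on_free by default`, now split in the hardened hunk at @ -51,16 +46,11). Unlike `PAGE_POISONING` just above, whose comment notes it still needs a boot parameter, this one is active by default and is opted out of with `init_on_alloc=0`, which is worth stating now that it applies to every kernel built from this config rather than only the hardened one. Suggest `# Zero newly allocated pages and heap objects by default (opt out with init_on_alloc=0)`. The enclosing attrset starts and ends outside this hunk.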
@ -739,6 +752,10 @@ let
|
||||
# Mitigate straight line speculation at the cost of some file size
|
||||
SLS = whenBetween "5.17" "6.9" yes;
|
||||
MITIGATION_SLS = whenAtLeast "6.9" yes;
|
||||
|
||||
DEFAULT_MMAP_MIN_ADDR = freeform "65536";
|
||||
} // optionalAttrs stdenv.hostPlatform.isAarch64 {
|
||||
DEFAULT_MMAP_MIN_ADDR = freeform "32768";
|
||||
};
|
||||
|
||||
microcode = {
|
||||
|
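Review bot: `SLS` and `MITIGATION_SLS` are set unconditionally inside `security`, but both are x86-64 Kconfig symbols, and the very next lines of this hunk show the file already branching on `stdenv.hostPlatform.isAarch64` for `DEFAULT_MMAP_MIN_ADDR`. The hardened entry this replaces (`SLS = option yes;`, removed in the hunk at @ -126,8 +113,4) tolerated the symbol being absent; here it is hard-set, so either non-x86 builds rely on config errors being ignored for those platforms or an `optionalAttrs stdenv.hostPlatform.isx86_64` gate / `option` marker is needed, and I cannot tell which from this hunk. A one-line comment naming the architectures that define the symbol would help either way. The `security` attrset opens outside this hunk.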
@ -17,9 +17,6 @@ with (lib.kernel.whenHelpers version);
|
||||
assert (versionAtLeast version "4.9");
|
||||
|
||||
{
|
||||
# Report BUG() conditions and kill the offending process.
|
||||
BUG = yes;
|
||||
|
||||
# Mark LSM hooks read-only after init. SECURITY_WRITABLE_HOOKS n
|
||||
# conflicts with SECURITY_SELINUX_DISABLE y; disabling the latter
|
||||
# implicitly marks LSM hooks read-only after init.
|
||||
@ -31,8 +28,6 @@ assert (versionAtLeast version "4.9");
|
||||
SECURITY_SELINUX_DISABLE = whenOlder "6.4" no; # On 6.4: error: unused option: SECURITY_SELINUX_DISABLE
|
||||
SECURITY_WRITABLE_HOOKS = option no;
|
||||
|
||||
STRICT_KERNEL_RWX = yes;
|
||||
|
||||
# Perform additional validation of commonly targeted structures.
|
||||
DEBUG_CREDENTIALS = whenOlder "6.6" yes;
|
||||
DEBUG_NOTIFIERS = yes;
|
||||
@ -51,16 +46,11 @@ assert (versionAtLeast version "4.9");
|
||||
# restricts loading of line disciplines via TIOCSETD ioctl to CAP_SYS_MODULE
|
||||
CONFIG_LDISC_AUTOLOAD = option no;
|
||||
|
||||
# Randomize page allocator when page_alloc.shuffle=1
|
||||
SHUFFLE_PAGE_ALLOCATOR = whenAtLeast "5.2" yes;
|
||||
|
||||
# Wipe higher-level memory allocations on free() with page_poison=1
|
||||
PAGE_POISONING = yes;
|
||||
PAGE_POISONING_NO_SANITY = whenOlder "5.11" yes;
|
||||
PAGE_POISONING_ZERO = whenOlder "5.11" yes;
|
||||
|
||||
# Enable init_on_alloc and init_on_free by default
|
||||
INIT_ON_ALLOC_DEFAULT_ON = whenAtLeast "5.3" yes;
|
||||
# Enable init_on_free by default
|
||||
INIT_ON_FREE_DEFAULT_ON = whenAtLeast "5.3" yes;
|
||||
|
||||
# Wipe all caller-used registers on exit from a function
|
||||
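Review bot: With `PAGE_POISONING = yes;` moved out of this file, the surviving comment `# Wipe higher-level memory allocations on free() with page_poison=1` now heads only `PAGE_POISONING_NO_SANITY` and `PAGE_POISONING_ZERO`, both limited to `whenOlder "5.11"`, so on newer kernels it describes nothing that remains here. Rewording it to something like `# Pre-5.11 page-poisoning variants; PAGE_POISONING itself now comes from the common kernel config` keeps a reader from searching this file for the moved option. The enclosing attrset starts and ends outside this hunk.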
@ -113,9 +103,6 @@ assert (versionAtLeast version "4.9");
|
||||
CC_STACKPROTECTOR_REGULAR = lib.mkForce (whenOlder "4.18" no);
|
||||
CC_STACKPROTECTOR_STRONG = whenOlder "4.18" yes;
|
||||
|
||||
# Detect out-of-bound reads/writes and use-after-free
|
||||
KFENCE = whenAtLeast "5.12" yes;
|
||||
|
||||
# CONFIG_DEVMEM=n causes these to not exist anymore.
|
||||
STRICT_DEVMEM = option no;
|
||||
IO_STRICT_DEVMEM = option no;
|
||||
@ -126,8 +113,4 @@ assert (versionAtLeast version "4.9");
|
||||
|
||||
# not needed for less than a decade old glibc versions
|
||||
LEGACY_VSYSCALL_NONE = yes;
|
||||
|
||||
# Straight-Line-Speculation
|
||||
# https://lwn.net/Articles/877845/
|
||||
SLS = option yes;
|
||||
}
|
||||
|