From a7ecdffc281f847e8addabee216a1b424998b130 Mon Sep 17 00:00:00 2001
From: Joachim Fasting
Date: Sat, 6 May 2017 19:02:16 +0200
Subject: [PATCH] linux_hardened: move to 4.11

Note that DEBUG_RODATA has been split into STRICT_KERNEL_RWX & STRICT_MODULE_RWX, which are on by default (non-optional).
---
 pkgs/os-specific/linux/kernel/hardened-config.nix | 9 +++------
 pkgs/top-level/all-packages.nix | 3 ++-
 2 files changed, 5 insertions(+), 7 deletions(-)

diff --git a/pkgs/os-specific/linux/kernel/hardened-config.nix b/pkgs/os-specific/linux/kernel/hardened-config.nix
index c54ee0e5aff1..78fb1e368be7 100644
--- a/pkgs/os-specific/linux/kernel/hardened-config.nix
+++ b/pkgs/os-specific/linux/kernel/hardened-config.nix
@@ -2,22 +2,19 @@
 # http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project#Recommended_settings
 # https://wiki.gentoo.org/wiki/Hardened/Hardened_Kernel_Project
 #
-# The base kernel is assumed to be at least 4.9 or whatever the toplevel
-# linux_hardened package expression uses.
-#
 # Dangerous features that can be permanently (for the boot session) disabled at
 # boot via sysctl or kernel cmdline are left enabled here, for improved
 # flexibility.
 
-{ stdenv }:
+{ stdenv, version }:
 
 with stdenv.lib;
 
+assert (versionAtLeast version "4.9");
+
 ''
 GCC_PLUGINS y # Enable gcc plugin options
 
-DEBUG_KERNEL y
-DEBUG_RODATA y # Make kernel text & rodata read-only
 DEBUG_WX y # A one-time check for W+X mappings at boot; doesn't do anything beyond printing a warning
 
 # Additional validation of commonly targetted structures
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index b2540cbe2060..e9741abcb5fa 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
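Review bot: The new `assert (versionAtLeast version "4.9");` floor is inconsistent with dropping `DEBUG_RODATA y` in the same hunk: per the commit message that option only became the non-optional STRICT_KERNEL_RWX/STRICT_MODULE_RWX in 4.11, so a 4.9 or 4.10 base kernel would pass the assertion yet be built without the explicit read-only text/rodata setting this config previously enforced. Either raise the floor to the version the config is now written for, `assert (versionAtLeast version "4.11");`, or keep `DEBUG_RODATA y` behind a version check for older bases. It is also worth a short comment next to `DEBUG_WX y` recording that it now relies on the STRICT_*_RWX defaults rather than on DEBUG_RODATA, since the removed header comment was the only place the assumed base version was stated. The `''` config string continues past the end of the hunk.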
@@ -11995,9 +11995,10 @@ with pkgs;
   linuxPackages_latest_xen_dom0 = recurseIntoAttrs (linuxPackagesFor (pkgs.linux_latest.override { features.xen_dom0=true; }));
 
   # Hardened linux
-  linux_hardened = linux_4_9.override {
+  linux_hardened = let linux = pkgs.linux_4_11; in linux.override {
     extraConfig = import ../os-specific/linux/kernel/hardened-config.nix {
       inherit stdenv;
+      inherit (linux) version;
     };
   };