Commit Graph

28 Commits

Author SHA1 Message Date
Joachim Fasting
c68e8b05f0
Revert "linux-hardened: Disable GCC_PLUGIN_RANDSTRUCT"
This reverts commit 5dda1324be.

Presumably this was done to work around build errors or something, but it
works fine now.
2019-01-05 14:07:21 +01:00
Pierre Bourdon
0f7ca26a48
kernel/hardened-config.nix: add STACKLEAK plugin on 4.20+ 2019-01-04 22:24:50 +01:00
Pierre Bourdon
9dc0d94896
kernel/hardened-config.nix: re-enable GCC plugins 2019-01-04 22:24:50 +01:00
John Ericson
7d85ade0cc
treewide: Purge stdenv.platform and top-level platform
Progress towards #27069
2018-08-20 15:22:46 -04:00
Tim Steinbach
9236990057
linux: Init 4.18 2018-08-12 19:42:31 -04:00
Tim Steinbach
a4d56d0635
linux-hardened: Adjust config for 4.17.4 2018-07-03 08:35:37 -04:00
Tim Steinbach
4f3ba3b1f8
linux-hardened: Adjust for Linux 4.17 2018-06-29 08:37:25 -04:00
Joachim Fasting
33615ccfa5
linux_hardened: enforce usercopy whitelisting
The default is to warn only
2018-04-29 12:17:24 +02:00
Tim Steinbach
eb0ecd7eba
linux-copperhead: 4.14.12.a -> 4.14.13.a 2018-01-11 08:30:19 -05:00
Franz Pletz
ccb0ba56ef
linux_hardened: enable gcc latent entropy plugin 2018-01-04 05:02:39 +01:00
Joachim Fasting
870c86d0ee
linux_hardened: structleak covers structs passed by address 2017-11-15 22:10:50 +01:00
Joachim Fasting
8ecae36963
linux_hardened: enable slab freelist hardening 2017-11-15 22:10:44 +01:00
Tim Steinbach
5dda1324be
linux-hardened: Disable GCC_PLUGIN_RANDSTRUCT 2017-10-11 13:50:20 -04:00
Jan Malakhovski
62fa45eac5
linuxPackages: hardened-config: enable DEBUG_PI_LIST 2017-09-16 13:14:05 +02:00
Jan Malakhovski
c345761c13
linuxPackages: hardened-config: check kernelArch, not system 2017-09-16 13:14:04 +02:00
Jan Malakhovski
616a7fe237
linuxPackages: hardened-config: disable BUG_ON_DATA_CORRUPTION for older kernels
They don't support it.
2017-09-16 13:14:03 +02:00
Joachim Fasting
dd170cd5df
hardened-config: build with fortify source 2017-09-16 00:31:25 +02:00
Joachim Fasting
9a763f8f59
hardened-config: enable the randstruct plugin 2017-09-16 00:31:23 +02:00
Joachim Fasting
edd0d2f2e9
hardened-config: additional refcount checking 2017-09-16 00:31:17 +02:00
Joachim Fasting
345e0e6794
hardened-config: enable read-only LSM hooks
Implies that SELinux can no longer be disabled at runtime (only at boot
time, via selinux=0).

See https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=dd0859dccbe291cf8179a96390f5c0e45cb9af1d
2017-08-11 23:27:58 +02:00
Joachim Fasting
f963014829
linux-hardened-config: various fixups
Note
- the kernel config parser ignores "# foo is unset" comments so they
  have no effect; disabling kernel modules would break *everything* and so
  is ill-suited for a general-purpose kernel anyway --- the hardened nixos
  profile provides a more flexible solution
- removed some overlap with the common config (SECCOMP is *required* by systemd;
  YAMA is enabled by default).
- MODIFY_LDT_SYSCALL is guarded by EXPERT on vanilla so setting it to y breaks
  the build; fix by making it optional
- restored some original comments which I feel are clearer
2017-08-06 23:38:07 +02:00
Tim Steinbach
ff10bafd00
linux: Expand hardened config
Based on latest recommendations at
http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
2017-08-06 09:58:02 -04:00
Joachim Fasting
77ed860114
linux_hardened: enable checks on scatter-gather tables
Recommended by kspp
2017-05-18 12:33:42 +02:00
Joachim Fasting
996b65cfba
linux_hardened: enable structleak plugin
A port of the PaX structleak plugin.  Note that this version of structleak
seems to cover less ground than the PaX original (only marked structs are
zeroed). [1]

[1]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c61f13eaa1ee17728c41370100d2d45c254ce76f
2017-05-09 01:38:26 +02:00
Joachim Fasting
1816e2b960
linux_hardened: BUG on struct validation failure 2017-05-09 01:38:24 +02:00
Joachim Fasting
a7ecdffc28
linux_hardened: move to 4.11
Note that DEBUG_RODATA has been split into STRICT_KERNEL_RWX &
STRICT_MODULE_RWX, which are on by default (non-optional).
2017-05-09 01:38:22 +02:00
Joachim Fasting
42c58cd2e8
linux_hardened: compile with stackprotector-strong
Default is regular, which we need to unset for kconfig to accept the new
value.
2017-05-09 01:38:21 +02:00
Joachim Fasting
62f2a1c2be
linux_hardened: init
The rationale for this is to have a place to enable hardening features
that are either too invasive or that may be speculative/yet proven to be
worthwhile for general-purpose kernels.
2017-04-30 12:05:39 +02:00