# Based on recommendations from:
# http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project#Recommended_settings
# https://wiki.gentoo.org/wiki/Hardened/Hardened_Kernel_Project
#
# Dangerous features that can be disabled for the remainder of the boot session at
# boot via sysctl or kernel cmdline are left enabled here, for improved
# flexibility.
#
# See also <nixos/modules/profiles/hardened.nix>
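{ stdenv, version }:

with stdenv.lib;

# Produces the hardening fragment of the kernel configuration as a string of
# "OPTION value" lines for the kernel config builder.  An option suffixed with
# "?" is optional: the builder does not fail if this kernel does not offer it.
# Only stdenv.lib helpers (optionalString, versionAtLeast, versionOlder) and
# stdenv.hostPlatform.platform.kernelArch are consulted.
assert (versionAtLeast version "4.9");

''
  # Report BUG() conditions and kill the offending process.
  BUG y

  # Turn detected corruption of kernel data structures (e.g. linked lists) into
  # a BUG() rather than a WARN(), so execution does not continue on a
  # known-corrupt structure.
  ${optionalString (versionAtLeast version "4.10") ''
    BUG_ON_DATA_CORRUPTION y
  ''}

  ${optionalString (stdenv.hostPlatform.platform.kernelArch == "x86_64") ''
    # Prevent userspace from mapping the first 64K of the address space, so a
    # kernel NULL-pointer dereference cannot land on attacker-controlled memory.
    DEFAULT_MMAP_MIN_ADDR 65536

    # Reduce attack surface by disabling various emulations.  Note that
    # IA32_EMULATION n also means 32-bit userspace binaries cannot run on this
    # kernel.
    IA32_EMULATION n
    X86_X32 n
    # Note: this config depends on EXPERT y and so will not take effect, hence
    # it is left "optional" for now.
    MODIFY_LDT_SYSCALL? n

    VMAP_STACK y # Catch kernel stack overflows (vmalloc'd stacks with guard pages)

    # Randomize position of kernel and memory.
    RANDOMIZE_BASE y
    RANDOMIZE_MEMORY y

    # Disable legacy virtual syscalls by default (modern glibc uses vDSO instead).
    #
    # Note that the vanilla default is to *emulate* the legacy vsyscall mechanism,
    # which is supposed to be safer than the native variant (wrt. ret2libc), so
    # disabling it mainly helps reduce surface.  Old (typically static) binaries
    # that still call the fixed vsyscall page will crash on this kernel.
    LEGACY_VSYSCALL_NONE y
  ''}

  # Safer page access permissions (wrt. code injection). Default on >=4.11.
  ${optionalString (versionOlder version "4.11") ''
    DEBUG_RODATA y
    DEBUG_SET_MODULE_RONX y
  ''}

  # Mark LSM hooks read-only after init. SECURITY_WRITABLE_HOOKS n
  # conflicts with SECURITY_SELINUX_DISABLE y; disabling the latter
  # implicitly marks LSM hooks read-only after init.
  #
  # SELinux can only be disabled at boot via selinux=0
  #
  # We set SECURITY_WRITABLE_HOOKS n primarily for documentation purposes; the
  # config builder fails to detect that it has indeed been unset.
  ${optionalString (versionAtLeast version "4.12") ''
    SECURITY_SELINUX_DISABLE n
    SECURITY_WRITABLE_HOOKS? n
  ''}

  DEBUG_WX y # boot-time warning on W+X (writable and executable) kernel mappings
  ${optionalString (versionAtLeast version "4.11") ''
    STRICT_KERNEL_RWX y
  ''}

  # Stricter /dev/mem: userspace may only reach memory-mapped peripherals, and
  # with IO_STRICT_DEVMEM not even io-memory ranges that a driver has claimed.
  STRICT_DEVMEM? y
  IO_STRICT_DEVMEM? y

  # Perform additional validation of commonly targeted structures.
  DEBUG_CREDENTIALS y
  DEBUG_NOTIFIERS y
  DEBUG_LIST y
  DEBUG_PI_LIST y # doesn't BUG()
  DEBUG_SG y
  SCHED_STACK_END_CHECK y

  # Fully state-checked refcount_t (overflow/underflow detection) instead of
  # the unchecked atomic_t fast path; mitigates refcount-based use-after-free.
  ${optionalString (versionAtLeast version "4.13") ''
    REFCOUNT_FULL y
  ''}

  # Perform usercopy bounds checking.
  HARDENED_USERCOPY y
  ${optionalString (versionAtLeast version "4.16") ''
    # With the fallback off, a copy to/from a slab region that is not
    # whitelisted is rejected outright instead of allowed with a WARN().
    HARDENED_USERCOPY_FALLBACK n # for full whitelist enforcement
  ''}

  # Randomize allocator freelists.
  SLAB_FREELIST_RANDOM y

  # Harden SLUB freelist metadata against common heap exploit techniques
  # (only effective with the SLUB allocator).
  ${optionalString (versionAtLeast version "4.14") ''
    SLAB_FREELIST_HARDENED y
  ''}

  # Allow enabling slub/slab free poisoning with slub_debug=P
  SLUB_DEBUG y

  # Wipe higher-level memory allocations on free() with page_poison=1.
  # NO_SANITY skips checking the poison on allocation (use-after-free writes
  # are wiped but not reported); ZERO poisons with zeroes so allocations that
  # need zeroed memory can skip their own memset.
  PAGE_POISONING y
  PAGE_POISONING_NO_SANITY y
  PAGE_POISONING_ZERO y

  # Reboot devices immediately if kernel experiences an Oops.
  # Trade-off: an oops that an unprivileged user can trigger becomes a reboot
  # (availability cost) rather than a possible foothold (integrity cost).
  PANIC_ON_OOPS y
  PANIC_TIMEOUT -1

  GCC_PLUGINS y # Enable gcc plugin options (needs a plugin-capable gcc)
  # Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
  GCC_PLUGIN_LATENT_ENTROPY y

  ${optionalString (versionAtLeast version "4.11") ''
    GCC_PLUGIN_STRUCTLEAK y # A port of the PaX structleak plugin
  ''}
  ${optionalString (versionAtLeast version "4.14") ''
    GCC_PLUGIN_STRUCTLEAK_BYREF_ALL y # Also cover structs passed by address
  ''}
  ${optionalString (versionAtLeast version "4.20") ''
    GCC_PLUGIN_STACKLEAK y # A port of the PaX stackleak plugin
  ''}

  # Disable various dangerous settings
  ACPI_CUSTOM_METHOD n # Allows writing directly to physical memory
  PROC_KCORE n # Exposes kernel text image layout
  # INET_DIAG also provides the sock_diag netlink interface, so tools such as
  # `ss` lose (some of) their functionality on this kernel.
  INET_DIAG n # Has been used for heap based attacks in the past

  # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
  # The Kconfig symbols were renamed in 4.18 (CC_STACKPROTECTOR_* ->
  # STACKPROTECTOR_*); set the new names too so >=4.18 kernels do not silently
  # fall back to the default.
  ${optionalString (versionOlder version "4.18") ''
    CC_STACKPROTECTOR_REGULAR n
    CC_STACKPROTECTOR_STRONG y
  ''}
  ${optionalString (versionAtLeast version "4.18") ''
    STACKPROTECTOR y
    STACKPROTECTOR_STRONG y
  ''}

  # Enable compile/run-time buffer overflow detection ala glibc's _FORTIFY_SOURCE
  ${optionalString (versionAtLeast version "4.13") ''
    FORTIFY_SOURCE y
  ''}
''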