3
0
Fork 0
forked from mirrors/nixpkgs

linux_hardened: move to 4.11

Note that DEBUG_RODATA has been split into STRICT_KERNEL_RWX &
STRICT_MODULE_RWX, which are on by default (non-optional).
This commit is contained in:
Joachim Fasting 2017-05-06 19:02:16 +02:00
parent 42c58cd2e8
commit a7ecdffc28
No known key found for this signature in database
GPG key ID: 7544761007FE4E08
2 changed files with 5 additions and 7 deletions

View file

@ -2,22 +2,19 @@
# http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project#Recommended_settings
# https://wiki.gentoo.org/wiki/Hardened/Hardened_Kernel_Project
#
# The base kernel is assumed to be at least 4.9 or whatever the toplevel
# linux_hardened package expression uses.
#
# Dangerous features that can be permanently (for the boot session) disabled at
# boot via sysctl or kernel cmdline are left enabled here, for improved
# flexibility.
{ stdenv }:
{ stdenv, version }:
with stdenv.lib;
assert (versionAtLeast version "4.9");
''
GCC_PLUGINS y # Enable gcc plugin options
DEBUG_KERNEL y
DEBUG_RODATA y # Make kernel text & rodata read-only
DEBUG_WX y # A one-time check for W+X mappings at boot; doesn't do anything beyond printing a warning
# Additional validation of commonly targetted structures

View file

@ -11995,9 +11995,10 @@ with pkgs;
linuxPackages_latest_xen_dom0 = recurseIntoAttrs (linuxPackagesFor (pkgs.linux_latest.override { features.xen_dom0=true; }));
# Hardened linux
linux_hardened = linux_4_9.override {
linux_hardened = let linux = pkgs.linux_4_11; in linux.override {
extraConfig = import ../os-specific/linux/kernel/hardened-config.nix {
inherit stdenv;
inherit (linux) version;
};
};