linux_hardened: move to 4.11
Note that DEBUG_RODATA has been split into STRICT_KERNEL_RWX & STRICT_MODULE_RWX, which are on by default (non-optional).
This commit is contained in:
parent
42c58cd2e8
commit
a7ecdffc28
|
@ -2,22 +2,19 @@
|
|||
# http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project#Recommended_settings
|
||||
# https://wiki.gentoo.org/wiki/Hardened/Hardened_Kernel_Project
|
||||
#
|
||||
# The base kernel is assumed to be at least 4.9 or whatever the toplevel
|
||||
# linux_hardened package expression uses.
|
||||
#
|
||||
# Dangerous features that can be permanently (for the boot session) disabled at
|
||||
# boot via sysctl or kernel cmdline are left enabled here, for improved
|
||||
# flexibility.
|
||||
|
||||
{ stdenv }:
|
||||
{ stdenv, version }:
|
||||
|
||||
with stdenv.lib;
|
||||
|
||||
assert (versionAtLeast version "4.9");
|
||||
|
||||
''
|
||||
GCC_PLUGINS y # Enable gcc plugin options
|
||||
|
||||
DEBUG_KERNEL y
|
||||
DEBUG_RODATA y # Make kernel text & rodata read-only
|
||||
DEBUG_WX y # A one-time check for W+X mappings at boot; doesn't do anything beyond printing a warning
|
||||
|
||||
# Additional validation of commonly targetted structures
|
||||
|
|
|
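Review bot: The added `assert (versionAtLeast version "4.9");` still admits 4.9 and 4.10 base kernels, yet the same hunk drops `DEBUG_RODATA y`, which the removed comment identifies as the option that makes kernel text and rodata read-only; on those older series the hardening config would presumably lose that protection silently, because the replacement options named in the commit message (STRICT_KERNEL_RWX / STRICT_MODULE_RWX) are only said to exist from the version this commit moves to. Either tighten the assertion to the floor the change actually relies on, `assert (versionAtLeast version "4.11");`, and update the header comment that still says "at least 4.9", or keep the old option for the older series, `${optionalString (versionOlder version "4.11") "DEBUG_RODATA y"}`. The version at which the split happened is taken from the commit message and not verified here, and the `''` config string continues past the end of the hunk.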
@ -11995,9 +11995,10 @@ with pkgs;
|
|||
linuxPackages_latest_xen_dom0 = recurseIntoAttrs (linuxPackagesFor (pkgs.linux_latest.override { features.xen_dom0=true; }));
|
||||
|
||||
# Hardened linux
|
||||
linux_hardened = linux_4_9.override {
|
||||
linux_hardened = let linux = pkgs.linux_4_11; in linux.override {
|
||||
extraConfig = import ../os-specific/linux/kernel/hardened-config.nix {
|
||||
inherit stdenv;
|
||||
inherit (linux) version;
|
||||
};
|
||||
};
|
||||
|
||||
|
|
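Review bot: The `let linux = pkgs.linux_4_11; in linux.override {` binding is redundant here, since the hunk header shows this attribute set is evaluated under `with pkgs;` and the override does not change `version`; the same can be written as `linux_hardened = linux_4_11.override {` with `inherit (linux_4_11) version;` inside, matching how the neighbouring `linux_latest` attribute is referenced. Passing the real `version` into hardened-config.nix is the right move, as it lets that file's version assertion check the kernel actually being built rather than an assumed one. The `# Hardened linux` comment could say why the package is pinned to a fixed series rather than tracking `linux_latest`, e.g. `# Hardened linux: pinned to one kernel series; bump together with hardened-config.nix, which asserts a minimum version`, so the next bump is not made in one place only.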