3
0
Fork 0
forked from mirrors/nixpkgs
Commit graph

56 commits

Author SHA1 Message Date
Emily 7fdfe5381d linux_*_hardened: don't set FORTIFY_SOURCE
Upstreamed in anthraxx/linux-hardened@d12c0d5f0c.
2020-04-17 16:13:39 +01:00
Emily ed89b5b3f1 linux_*_hardened: don't set PANIC_ON_OOPS
Upstreamed in anthraxx/linux-hardened@366e0216f1.
2020-04-17 16:13:39 +01:00
Emily 0d5f1697b7 linux_*_hardened: don't set SLAB_FREELIST_{RANDOM,HARDENED}
Upstreamed in anthraxx/linux-hardened@786126f177,
anthraxx/linux-hardened@44822ebeb7.
2020-04-17 16:13:39 +01:00
Emily 4fb796e341 linux_*_hardened: don't set HARDENED_USERCOPY_FALLBACK
Upstreamed in anthraxx/linux-hardened@c1fe7a68e3,
anthraxx/linux-hardened@2c553a2bb1.
2020-04-17 16:13:39 +01:00
Emily 3eeb5240ac linux_*_hardened: don't set DEBUG_LIST
Upstreamed in anthraxx/linux-hardened@6b20124185.
2020-04-17 16:13:39 +01:00
Emily 0611462e33 linux_*_hardened: don't set {,IO_}STRICT_DEVMEM
STRICT_DEVMEM is on by default in upstream 5.6.2; IO_STRICT_DEVMEM is
turned on by anthraxx/linux-hardened@103d23cb66.

Note that anthraxx/linux-hardened@db1d27e10e
disables DEVMEM by default, so this is only relevant if that default is
overridden to turn it back on.
2020-04-17 16:13:39 +01:00
Emily 303bb60fb1 linux_*_hardened: don't set DEBUG_WX
Upstreamed in anthraxx/linux-hardened@55ee7417f3.
2020-04-17 16:13:39 +01:00
Emily 33b94e5a44 linux_*_hardened: don't set BUG_ON_DATA_CORRUPTION
Upstreamed in anthraxx/linux-hardened@3fcd15014c.
2020-04-17 16:13:39 +01:00
Emily db6b327508 linux_*_hardened: don't set LEGACY_VSYSCALL_NONE
Upstreamed in anthraxx/linux-hardened@d300b0fdad.
2020-04-17 16:13:39 +01:00
Emily 130f6812be linux_*_hardened: don't set RANDOMIZE_{BASE,MEMORY}
These are on by default for x86 in upstream linux-5.6.2, and turned on
for arm64 by anthraxx/linux-hardened@90f9670bc3.
2020-04-17 16:13:39 +01:00
Emily 8c68055432 linux_*_hardened: don't set MODIFY_LDT_SYSCALL
Upstreamed in anthraxx/linux-hardened@05644876fa.
2020-04-17 16:13:39 +01:00
Emily 8efe83c22e linux_*_hardened: don't set DEFAULT_MMAP_MIN_ADDR
Upstreamed in anthraxx/linux-hardened@f1fe0a64dd.
2020-04-17 16:13:39 +01:00
Emily 3d4c8ae901 linux_*_hardened: don't set VMAP_STACK
This has been on by default upstream for as long as it's been an option.
2020-04-17 16:13:39 +01:00
Emily 7d5352df31 linux_*_hardened: don't set X86_X32
As far as I can tell, this has never defaulted to on upstream, and our
common kernel configuration doesn't turn it on, so the attack surface
reduction here is somewhat homeopathic.
2020-04-17 16:13:39 +01:00
Graham Christensen 244178e166
Merge pull request #82006 from emilazy/enable-linux-hardened-ia32-emulation
linuxPackages_{,_latest,_testing}_hardened: enable 32-bit emulation
2020-03-14 09:20:58 -04:00
Emily b628400f5e linuxPackages_{,_latest,_testing}_hardened: enable 32-bit emulation
Per discussion in #81943.

Resolves #79798.
2020-03-07 18:50:40 +00:00
Matthieu Coudron a4fe469d39 lib.kernel: scoped whenXXX helpers
whenAtLeast/whenBetween are made available in lib/kernel.nix but are now
scoped under whenXXX.
2019-10-01 16:09:07 +09:00
Matthieu Coudron afa0e02d64 lib.kernel: make public
Remove the "version" parameter in order to make it more widely
available.
Starts making some kernel configuration helpers available.
The intent is to be able to better build and check the linux kernel
configuration.
2019-10-01 15:57:14 +09:00
Joachim Fasting 44d541078f
linux-hardened: enable page alloc randomization
New in 5.2
2019-08-15 18:43:31 +02:00
Joachim Fasting 87bc514620
hardened-config: enable the SafeSetID LSM
The purpose of this LSM is to allow processes to drop to a less privileged
user id without having to grant them full CAP_SETUID (or use file caps).

The LSM allows configuring a whitelist policy of permitted from:to uid
transitions.  The policy is enforced upon calls to setuid(2) and related
syscalls.

Policies are configured through securityfs by writing to
- safesetid/add_whitelist_policy ; and
- safesetid/flush_whitelist_policies

A process attempting a transition not permitted by current policy is killed
(to avoid accidentally running with higher privileges than intended).

A uid that has a configured policy is prevented from obtaining auxiliary
setuid privileges (e.g., setting up user namespaces).

See also: https://www.kernel.org/doc/html/latest/admin-guide/LSM/SafeSetID.html
2019-05-07 13:39:24 +02:00
Matthieu Coudron 7aacbdb898 linux: convert hardened-config to a structured one 2019-01-28 09:07:24 +09:00
Pierre Bourdon b26c824da3
Revert "Revert "Revert "linux-hardened: Disable GCC_PLUGIN_RANDSTRUCT"""
The issue with out-of-tree modules has been addressed and the feature
should now be good to re-enable again.

This reverts commit 865f7a14b4.
2019-01-11 12:35:16 +01:00
Joachim Fasting 865f7a14b4
Revert "Revert "linux-hardened: Disable GCC_PLUGIN_RANDSTRUCT""
This reverts commit c68e8b05f0.

RANDSTRUCT currently fails to work with out-of-tree modules, as
evinced by
c68e8b05f0 (commitcomment-31850284)
and https://github.com/NixOS/nixpkgs/issues/53522.

Specifically, loading out-of-tree modules results in modsym version
mismatches, as in
   spl: version magic '4.20.0 SMP mod_unload modversions RANDSTRUCT_PLUGIN
from the issue above.

A working hypothesis is that the randstruct seed is not carried over when
building out-of-tree modules but more investigation is needed here.

Closes https://github.com/NixOS/nixpkgs/issues/53522
2019-01-07 19:50:12 +01:00
Joachim Fasting d62086e6fc
hardened-config: allow slub/slab free poisoning 2019-01-05 14:07:36 +01:00
Joachim Fasting 11840f5c70
hardened-config: explain HARDENED_USERCOPY_FALLBACK n 2019-01-05 14:07:36 +01:00
Joachim Fasting dfd77a046d
hardened-config: ensure STRICT_KERNEL_RWX
This is y in the default config, but enable it explicitly here to catch
situations where it has been disabled (explicitly or implicitly).
2019-01-05 14:07:35 +01:00
Joachim Fasting 1801aad7b8
hardened-config: clarify MODIFY_LDT_SYSCALL
This likely never worked; MODIFY_LDT_SYSCALL depends on EXPERT; enabling
EXPERT however seems to introduce quite a few changes that would need to be
properly vetted.

The version guard is unnecessary, however, as this config has been supported
since 4.3.
2019-01-05 14:07:34 +01:00
Joachim Fasting abc8ed3fca
hardened-config: clarify readonly LSM hooks config
SECURITY_WRITABLE_HOOKS is implicitly controlled by SECURITY_SELINUX_DISABLE;
explicitly unsetting results in an error because the configfile builder fails
to detect that it has in fact been unset (reporting it as an unused option).
For now, leave WRITABLE_HOOKS as an "optional" config for documentation
purposes.
2019-01-05 14:07:33 +01:00
Joachim Fasting c68e8b05f0
Revert "linux-hardened: Disable GCC_PLUGIN_RANDSTRUCT"
This reverts commit 5dda1324be.

Presumably this was done to work around build errors or something but it
works fine now.
2019-01-05 14:07:21 +01:00
Pierre Bourdon 0f7ca26a48
kernel/hardened-config.nix: add STACKLEAK plugin on 4.20+ 2019-01-04 22:24:50 +01:00
Pierre Bourdon 9dc0d94896
kernel/hardened-config.nix: re-enable GCC plugins 2019-01-04 22:24:50 +01:00
John Ericson 7d85ade0cc treewide: Purge stdenv.platform and top-level platform
Progress towards #27069
2018-08-20 15:22:46 -04:00
Tim Steinbach 9236990057
linux: Init 4.18 2018-08-12 19:42:31 -04:00
Tim Steinbach a4d56d0635
linux-hardened: Adjust config for 4.17.4 2018-07-03 08:35:37 -04:00
Tim Steinbach 4f3ba3b1f8
linux-hardened: Adjust for Linux 4.17 2018-06-29 08:37:25 -04:00
Joachim Fasting 33615ccfa5
linux_hardened: enforce usercopy whitelisting
The default is to warn only
2018-04-29 12:17:24 +02:00
Tim Steinbach eb0ecd7eba
linux-copperhead: 4.14.12.a -> 4.14.13.a 2018-01-11 08:30:19 -05:00
Franz Pletz ccb0ba56ef
linux_hardended: enable gcc latent entropy plugin 2018-01-04 05:02:39 +01:00
Joachim Fasting 870c86d0ee
linux_hardened: structleak covers structs passed by address 2017-11-15 22:10:50 +01:00
Joachim Fasting 8ecae36963
linux_hardened: enable slab freelist hardening 2017-11-15 22:10:44 +01:00
Tim Steinbach 5dda1324be
linux-hardened: Disable GCC_PLUGIN_RANDSTRUCT 2017-10-11 13:50:20 -04:00
Jan Malakhovski 62fa45eac5
linuxPackages: hardened-config: enable DEBUG_PI_LIST 2017-09-16 13:14:05 +02:00
Jan Malakhovski c345761c13
linuxPackages: hardened-config: check kernelArch, not system 2017-09-16 13:14:04 +02:00
Jan Malakhovski 616a7fe237
linuxPackages: hardened-config: disable BUG_ON_DATA_CORRUPTION for older kernels
They don't support it.
2017-09-16 13:14:03 +02:00
Joachim Fasting dd170cd5df
hardened-config: build with fortify source 2017-09-16 00:31:25 +02:00
Joachim Fasting 9a763f8f59
hardened-config: enable the randstruct plugin 2017-09-16 00:31:23 +02:00
Joachim Fasting edd0d2f2e9
hardened-config: additional refcount checking 2017-09-16 00:31:17 +02:00
Joachim Fasting 345e0e6794
hardened-config: enable read-only LSM hooks
Implies that SELinux can no longer be disabled at runtime (only at boot
time, via selinux=0).

See https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=dd0859dccbe291cf8179a96390f5c0e45cb9af1d
2017-08-11 23:27:58 +02:00
Joachim Fasting f963014829
linux-hardened-config: various fixups
Note
- the kernel config parser ignores "# foo is unset" comments so they
  have no effect; disabling kernel modules would break *everything* and so
  is ill-suited for a general-purpose kernel anyway --- the hardened nixos
  profile provides a more flexible solution
- removed some overlap with the common config (SECCOMP is *required* by systemd;
  YAMA is enabled by default).
- MODIFY_LDT_SYSCALL is guarded by EXPERT on vanilla so setting it to y breaks
  the build; fix by making it optional
- restored some original comments which I feel are clearer
2017-08-06 23:38:07 +02:00
Tim Steinbach ff10bafd00
linux: Expand hardened config
Based on latest recommendations at
http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
2017-08-06 09:58:02 -04:00