1
0
Fork 1
mirror of https://github.com/NixOS/nixpkgs.git synced 2024-12-25 03:17:13 +00:00
nixpkgs/pkgs/os-specific/linux/kernel/hardened-config.nix
Matthieu Coudron afa0e02d64 lib.kernel: make public
Remove the "version" parameter in order to make it more widely
available.
Starts making some kernel configuration helpers available.
The intent is to be able to better build and check the linux kernel
configuration.
2019-10-01 15:57:14 +09:00

126 lines
4.6 KiB
Nix

# Based on recommendations from:
# http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project#Recommended_settings
# https://wiki.gentoo.org/wiki/Hardened/Hardened_Kernel_Project
#
# Dangerous features that can be permanently (for the boot session) disabled at
# boot via sysctl or kernel cmdline are left enabled here, for improved
# flexibility.
#
# See also <nixos/modules/profiles/hardened.nix>
{ stdenv, version }:
with stdenv.lib;
with stdenv.lib.kernel;
assert (versionAtLeast version "4.9");
optionalAttrs (stdenv.hostPlatform.platform.kernelArch == "x86_64") {
DEFAULT_MMAP_MIN_ADDR = freeform "65536"; # Prevent allocation of first 64K of memory
# Reduce attack surface by disabling various emulations
IA32_EMULATION = no;
X86_X32 = no;
# Note: this config depends on EXPERT y and so will not take effect, hence
# it is left "optional" for now.
MODIFY_LDT_SYSCALL = option no;
VMAP_STACK = yes; # Catch kernel stack overflows
# Randomize position of kernel and memory.
RANDOMIZE_BASE = yes;
RANDOMIZE_MEMORY = yes;
# Disable legacy virtual syscalls by default (modern glibc use vDSO instead).
#
# Note that the vanilla default is to *emulate* the legacy vsyscall mechanism,
# which is supposed to be safer than the native variant (wrt. ret2libc), so
# disabling it mainly helps reduce surface.
LEGACY_VSYSCALL_NONE = yes;
} // {
# Report BUG() conditions and kill the offending process.
BUG = yes;
BUG_ON_DATA_CORRUPTION = whenAtLeast "4.10" yes;
# Safer page access permissions (wrt. code injection). Default on >=4.11.
DEBUG_RODATA = whenOlder "4.11" yes;
DEBUG_SET_MODULE_RONX = whenOlder "4.11" yes;
# Mark LSM hooks read-only after init. SECURITY_WRITABLE_HOOKS n
# conflicts with SECURITY_SELINUX_DISABLE y; disabling the latter
# implicitly marks LSM hooks read-only after init.
#
# SELinux can only be disabled at boot via selinux=0
#
# We set SECURITY_WRITABLE_HOOKS n primarily for documentation purposes; the
# config builder fails to detect that it has indeed been unset.
SECURITY_SELINUX_DISABLE = whenAtLeast "4.12" no;
SECURITY_WRITABLE_HOOKS = whenAtLeast "4.12" (option no);
DEBUG_WX = yes; # boot-time warning on RWX mappings
STRICT_KERNEL_RWX = whenAtLeast "4.11" yes;
# Stricter /dev/mem
STRICT_DEVMEM = option yes;
IO_STRICT_DEVMEM = option yes;
# Perform additional validation of commonly targeted structures.
DEBUG_CREDENTIALS = yes;
DEBUG_NOTIFIERS = yes;
DEBUG_LIST = yes;
DEBUG_PI_LIST = yes; # doesn't BUG()
DEBUG_SG = yes;
SCHED_STACK_END_CHECK = yes;
REFCOUNT_FULL = whenAtLeast "4.13" yes;
# Perform usercopy bounds checking.
HARDENED_USERCOPY = yes;
HARDENED_USERCOPY_FALLBACK = whenAtLeast "4.16" no; # for full whitelist enforcement
# Randomize allocator freelists.
SLAB_FREELIST_RANDOM = yes;
SLAB_FREELIST_HARDENED = whenAtLeast "4.14" yes;
# Randomize page allocator when page_alloc.shuffle=1
SHUFFLE_PAGE_ALLOCATOR = whenAtLeast "5.2" yes;
# Allow enabling slub/slab free poisoning with slub_debug=P
SLUB_DEBUG = yes;
# Wipe higher-level memory allocations on free() with page_poison=1
PAGE_POISONING = yes;
PAGE_POISONING_NO_SANITY = yes;
PAGE_POISONING_ZERO = yes;
# Enable the SafeSetId LSM
SECURITY_SAFESETID = whenAtLeast "5.1" yes;
# Reboot devices immediately if kernel experiences an Oops.
PANIC_ON_OOPS = yes;
PANIC_TIMEOUT = freeform "-1";
GCC_PLUGINS = yes; # Enable gcc plugin options
# Gather additional entropy at boot time for systems that may = no;ot have appropriate entropy sources.
GCC_PLUGIN_LATENT_ENTROPY = yes;
GCC_PLUGIN_STRUCTLEAK = whenAtLeast "4.11" yes; # A port of the PaX structleak plugin
GCC_PLUGIN_STRUCTLEAK_BYREF_ALL = whenAtLeast "4.14" yes; # Also cover structs passed by address
GCC_PLUGIN_STACKLEAK = whenAtLeast "4.20" yes; # A port of the PaX stackleak plugin
GCC_PLUGIN_RANDSTRUCT = whenAtLeast "4.13" yes; # A port of the PaX randstruct plugin
GCC_PLUGIN_RANDSTRUCT_PERFORMANCE = whenAtLeast "4.13" yes;
# Disable various dangerous settings
ACPI_CUSTOM_METHOD = no; # Allows writing directly to physical memory
PROC_KCORE = no; # Exposes kernel text image layout
INET_DIAG = no; # Has been used for heap based attacks in the past
# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
CC_STACKPROTECTOR_REGULAR = whenOlder "4.18" no;
CC_STACKPROTECTOR_STRONG = whenOlder "4.18" yes;
# Enable compile/run-time buffer overflow detection ala glibc's _FORTIFY_SOURCE
FORTIFY_SOURCE = whenAtLeast "4.13" yes;
}