1
0
Fork 1
mirror of https://github.com/NixOS/nixpkgs.git synced 2024-11-30 09:31:01 +00:00
nixpkgs/pkgs/os-specific/linux/kernel/hardened-config.nix
Joachim Fasting 87bc514620
hardened-config: enable the SafeSetID LSM
The purpose of this LSM is to allow processes to drop to a less privileged
user id without having to grant them full CAP_SETUID (or use file caps).

The LSM allows configuring a whitelist policy of permitted from:to uid
transitions.  The policy is enforced upon calls to setuid(2) and related
syscalls.

Policies are configured through securityfs by writing to
- safesetid/add_whitelist_policy ; and
- safesetid/flush_whitelist_policies

A process attempting a transition not permitted by current policy is killed
(to avoid accidentally running with higher privileges than intended).

A uid that has a configured policy is prevented from obtaining auxiliary
setuid privileges (e.g., setting up user namespaces).

See also: https://www.kernel.org/doc/html/latest/admin-guide/LSM/SafeSetID.html
2019-05-07 13:39:24 +02:00

124 lines
4.6 KiB
Nix

# Based on recommendations from:
# http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project#Recommended_settings
# https://wiki.gentoo.org/wiki/Hardened/Hardened_Kernel_Project
#
# Dangerous features that can be permanently (for the boot session) disabled at
# boot via sysctl or kernel cmdline are left enabled here, for improved
# flexibility.
#
# See also <nixos/modules/profiles/hardened.nix>
{ stdenv, version }:
with stdenv.lib;
with import ../../../../lib/kernel.nix { inherit (stdenv) lib; inherit version; };
assert (versionAtLeast version "4.9");
optionalAttrs (stdenv.hostPlatform.platform.kernelArch == "x86_64") {
DEFAULT_MMAP_MIN_ADDR = freeform "65536"; # Prevent allocation of first 64K of memory
# Reduce attack surface by disabling various emulations
IA32_EMULATION = no;
X86_X32 = no;
# Note: this config depends on EXPERT y and so will not take effect, hence
# it is left "optional" for now.
MODIFY_LDT_SYSCALL = option no;
VMAP_STACK = yes; # Catch kernel stack overflows
# Randomize position of kernel and memory.
RANDOMIZE_BASE = yes;
RANDOMIZE_MEMORY = yes;
# Disable legacy virtual syscalls by default (modern glibc use vDSO instead).
#
# Note that the vanilla default is to *emulate* the legacy vsyscall mechanism,
# which is supposed to be safer than the native variant (wrt. ret2libc), so
# disabling it mainly helps reduce surface.
LEGACY_VSYSCALL_NONE = yes;
} // {
# Report BUG() conditions and kill the offending process.
BUG = yes;
BUG_ON_DATA_CORRUPTION = whenAtLeast "4.10" yes;
# Safer page access permissions (wrt. code injection). Default on >=4.11.
DEBUG_RODATA = whenOlder "4.11" yes;
DEBUG_SET_MODULE_RONX = whenOlder "4.11" yes;
# Mark LSM hooks read-only after init. SECURITY_WRITABLE_HOOKS n
# conflicts with SECURITY_SELINUX_DISABLE y; disabling the latter
# implicitly marks LSM hooks read-only after init.
#
# SELinux can only be disabled at boot via selinux=0
#
# We set SECURITY_WRITABLE_HOOKS n primarily for documentation purposes; the
# config builder fails to detect that it has indeed been unset.
SECURITY_SELINUX_DISABLE = whenAtLeast "4.12" no;
SECURITY_WRITABLE_HOOKS = whenAtLeast "4.12" (option no);
DEBUG_WX = yes; # boot-time warning on RWX mappings
STRICT_KERNEL_RWX = whenAtLeast "4.11" yes;
# Stricter /dev/mem
STRICT_DEVMEM = option yes;
IO_STRICT_DEVMEM = option yes;
# Perform additional validation of commonly targeted structures.
DEBUG_CREDENTIALS = yes;
DEBUG_NOTIFIERS = yes;
DEBUG_LIST = yes;
DEBUG_PI_LIST = yes; # doesn't BUG()
DEBUG_SG = yes;
SCHED_STACK_END_CHECK = yes;
REFCOUNT_FULL = whenAtLeast "4.13" yes;
# Perform usercopy bounds checking.
HARDENED_USERCOPY = yes;
HARDENED_USERCOPY_FALLBACK = whenAtLeast "4.16" no; # for full whitelist enforcement
# Randomize allocator freelists.
SLAB_FREELIST_RANDOM = yes;
SLAB_FREELIST_HARDENED = whenAtLeast "4.14" yes;
# Allow enabling slub/slab free poisoning with slub_debug=P
SLUB_DEBUG = yes;
# Wipe higher-level memory allocations on free() with page_poison=1
PAGE_POISONING = yes;
PAGE_POISONING_NO_SANITY = yes;
PAGE_POISONING_ZERO = yes;
# Enable the SafeSetId LSM
SECURITY_SAFESETID = whenAtLeast "5.1" yes;
# Reboot devices immediately if kernel experiences an Oops.
PANIC_ON_OOPS = yes;
PANIC_TIMEOUT = freeform "-1";
GCC_PLUGINS = yes; # Enable gcc plugin options
# Gather additional entropy at boot time for systems that may = no;ot have appropriate entropy sources.
GCC_PLUGIN_LATENT_ENTROPY = yes;
GCC_PLUGIN_STRUCTLEAK = whenAtLeast "4.11" yes; # A port of the PaX structleak plugin
GCC_PLUGIN_STRUCTLEAK_BYREF_ALL = whenAtLeast "4.14" yes; # Also cover structs passed by address
GCC_PLUGIN_STACKLEAK = whenAtLeast "4.20" yes; # A port of the PaX stackleak plugin
GCC_PLUGIN_RANDSTRUCT = whenAtLeast "4.13" yes; # A port of the PaX randstruct plugin
GCC_PLUGIN_RANDSTRUCT_PERFORMANCE = whenAtLeast "4.13" yes;
# Disable various dangerous settings
ACPI_CUSTOM_METHOD = no; # Allows writing directly to physical memory
PROC_KCORE = no; # Exposes kernel text image layout
INET_DIAG = no; # Has been used for heap based attacks in the past
# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
CC_STACKPROTECTOR_REGULAR = whenOlder "4.18" no;
CC_STACKPROTECTOR_STRONG = whenOlder "4.18" yes;
# Enable compile/run-time buffer overflow detection ala glibc's _FORTIFY_SOURCE
FORTIFY_SOURCE = whenAtLeast "4.13" yes;
}