authorJoachim Fasting <joachifm@fastmail.fm>2017-04-29 20:42:02 +0200
committerJoachim Fasting <joachifm@fastmail.fm>2017-04-30 12:05:39 +0200
commit62f2a1c2be9f6308ed21aaeed9aa0afbc3a93fc9 (patch)
treed6050a511f052f6af5a52e389071d79025fe2d12
parent6a5a5728ee8225e0e7272de7ad6c63ca5986cb84 (diff)
linux_hardened: init
The rationale for this is to have a place to enable hardening features
that are either too invasive or that may be speculative / not yet proven to be
worthwhile for general-purpose kernels.
-rw-r--r--pkgs/os-specific/linux/kernel/hardened-config.nix54
-rw-r--r--pkgs/top-level/all-packages.nix10
2 files changed, 64 insertions, 0 deletions
diff --git a/pkgs/os-specific/linux/kernel/hardened-config.nix b/pkgs/os-specific/linux/kernel/hardened-config.nix
new file mode 100644
index 000000000000..a85725d70e1f
--- /dev/null
+++ b/pkgs/os-specific/linux/kernel/hardened-config.nix
@@ -0,0 +1,54 @@
+# Based on recommendations from:
+# http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project#Recommended_settings
+# https://wiki.gentoo.org/wiki/Hardened/Hardened_Kernel_Project
+#
+# The base kernel is assumed to be at least 4.9 or whatever the toplevel
+# linux_hardened package expression uses.
+#
+# Dangerous features that can be permanently (for the boot session) disabled at
+# boot via sysctl or kernel cmdline are left enabled here, for improved
+# flexibility.
+
+{ stdenv }:
+
+with stdenv.lib;
+
+''
+GCC_PLUGINS y # Enable gcc plugin options
+
+DEBUG_KERNEL y
+DEBUG_RODATA y # Make kernel text & rodata read-only
+DEBUG_WX y # A one-time check for W+X mappings at boot; doesn't do anything beyond printing a warning
+
+# Additional validation of commonly targetted structures
+DEBUG_CREDENTIALS y
+DEBUG_NOTIFIERS y
+DEBUG_LIST y
+
+HARDENED_USERCOPY y # Bounds check usercopy
+
+# Wipe on free with page_poison=1
+PAGE_POISONING y
+PAGE_POISONING_NO_SANITY y
+PAGE_POISONING_ZERO y
+
+# Stricter /dev/mem
+STRICT_DEVMEM y
+IO_STRICT_DEVMEM y
+
+# Disable various dangerous settings
+ACPI_CUSTOM_METHOD n # Allows writing directly to physical memory
+PROC_KCORE n # Exposes kernel text image layout
+INET_DIAG n # Has been used for heap based attacks in the past
+
+${optionalString (stdenv.system == "x86_64-linux") ''
+  DEFAULT_MMAP_MIN_ADDR 65536 # Prevent allocation of first 64K of memory
+
+  # Reduce attack surface by disabling various emulations
+  IA32_EMULATION n
+  X86_X32 n
+
+  VMAP_STACK y # Catch kernel stack overflows
+''}
+
+''
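Review bot: `PAGE_POISONING_NO_SANITY y` under the "Wipe on free" group turns page poisoning into a wipe-only feature: it skips the on-allocation check that a freed page is still poisoned, which is the part that detects writes to freed memory, and the trade-off is not documented. Either drop the line so the sanity check stays on, or annotate it, e.g. `PAGE_POISONING_NO_SANITY y # Skip poison verification on alloc: cheaper, but forfeits detection of writes to freed pages`. Relatedly, the group header already notes that poisoning is inert without `page_poison=1` on the kernel command line, and `INET_DIAG n` would benefit from a comment that socket-diagnostics tooling relying on that interface will fall back or stop working; both are worth stating where a NixOS user adopting this kernel will see them. `DEBUG_KERNEL y` is the only option in the file with no rationale comment; a short one such as `# Required to enable the DEBUG_* hardening options below` would keep the file self-describing.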
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index f3d6104166bb..01a862c6c835 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -11905,6 +11905,16 @@ with pkgs;
   # Build a kernel for Xen dom0
   linuxPackages_latest_xen_dom0 = recurseIntoAttrs (linuxPackagesFor (pkgs.linux_latest.override { features.xen_dom0=true; }));
 
+  # Hardened linux
+  linux_hardened = linux_4_9.override {
+    extraConfig = import ../os-specific/linux/kernel/hardened-config.nix {
+      inherit stdenv;
+    };
+  };
+
+  linuxPackages_hardened =
+    recurseIntoAttrs (linuxPackagesFor linux_hardened);
+
   # Grsecurity packages
 
   linux_grsec_nixos = kernelPatches.grsecurity_testing;
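Review bot: The `# Hardened linux` comment above `linux_hardened` does not say that the base kernel is pinned to `linux_4_9` on purpose, while the imported `hardened-config.nix` states in its header that it assumes a kernel of at least 4.9; the two are coupled but only one side records it. Suggest expanding the comment to something like `# Hardened linux; hardened-config.nix assumes >= 4.9, re-check its option set when bumping the base kernel` so a later bump of `linux_4_9` does not silently leave stale or unknown config options behind. The surrounding attribute set starts and ends outside the hunk.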