diff options
author | Joachim Fasting <joachifm@fastmail.fm> | 2017-05-06 19:02:16 +0200 |
---|---|---|
committer | Joachim Fasting <joachifm@fastmail.fm> | 2017-05-09 01:38:22 +0200 |
commit | a7ecdffc281f847e8addabee216a1b424998b130 (patch) | |
tree | c36a1ebe61ed2542b1a9c593ba31c0e8f15f782a | |
parent | 42c58cd2e8a7f414efebeadc9d182d4aa11d282e (diff) | |
download | nixlib-a7ecdffc281f847e8addabee216a1b424998b130.tar nixlib-a7ecdffc281f847e8addabee216a1b424998b130.tar.gz nixlib-a7ecdffc281f847e8addabee216a1b424998b130.tar.bz2 nixlib-a7ecdffc281f847e8addabee216a1b424998b130.tar.lz nixlib-a7ecdffc281f847e8addabee216a1b424998b130.tar.xz nixlib-a7ecdffc281f847e8addabee216a1b424998b130.tar.zst nixlib-a7ecdffc281f847e8addabee216a1b424998b130.zip |
linux_hardened: move to 4.11
Note that DEBUG_RODATA has been split into STRICT_KERNEL_RWX & STRICT_MODULE_RWX, which are on by default (non-optional).
-rw-r--r-- | pkgs/os-specific/linux/kernel/hardened-config.nix | 9 | ||||
-rw-r--r-- | pkgs/top-level/all-packages.nix | 3 |
2 files changed, 5 insertions, 7 deletions
diff --git a/pkgs/os-specific/linux/kernel/hardened-config.nix b/pkgs/os-specific/linux/kernel/hardened-config.nix index c54ee0e5aff1..78fb1e368be7 100644 --- a/pkgs/os-specific/linux/kernel/hardened-config.nix +++ b/pkgs/os-specific/linux/kernel/hardened-config.nix @@ -2,22 +2,19 @@ # http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project#Recommended_settings # https://wiki.gentoo.org/wiki/Hardened/Hardened_Kernel_Project # -# The base kernel is assumed to be at least 4.9 or whatever the toplevel -# linux_hardened package expression uses. -# # Dangerous features that can be permanently (for the boot session) disabled at # boot via sysctl or kernel cmdline are left enabled here, for improved # flexibility. -{ stdenv }: +{ stdenv, version }: with stdenv.lib; +assert (versionAtLeast version "4.9"); + '' GCC_PLUGINS y # Enable gcc plugin options -DEBUG_KERNEL y -DEBUG_RODATA y # Make kernel text & rodata read-only DEBUG_WX y # A one-time check for W+X mappings at boot; doesn't do anything beyond printing a warning # Additional validation of commonly targetted structures diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index b2540cbe2060..e9741abcb5fa 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -11995,9 +11995,10 @@ with pkgs; linuxPackages_latest_xen_dom0 = recurseIntoAttrs (linuxPackagesFor (pkgs.linux_latest.override { features.xen_dom0=true; })); # Hardened linux - linux_hardened = linux_4_9.override { + linux_hardened = let linux = pkgs.linux_4_11; in linux.override { extraConfig = import ../os-specific/linux/kernel/hardened-config.nix { inherit stdenv; + inherit (linux) version; }; }; |