| author | Joachim Fasting <joachifm@fastmail.fm> | 2017-04-29 17:27:08 +0200 |
|---|---|---|
| committer | Joachim Fasting <joachifm@fastmail.fm> | 2017-04-29 17:27:11 +0200 |
| commit | 63433537ce3f52f9bc460961b2b73e40db027447 (patch) | |
| tree | 235ef5605a59218a46ce8dbe2e74aa2435612aa9 /nixos/modules/profiles | |
| parent | f1c7d5a6ba8200d1ac463f1f796f6f359f1423c7 (diff) | |
nixos/hardened profile: disable legacy virtual syscalls
This eliminates a theoretical risk of ASLR bypass due to the fixed address mapping used by the legacy vsyscall mechanism. Modern glibc uses vdso(7) instead so there is no loss of functionality, but some programs may fail to run in this configuration. Programs that fail to run because vsyscall has been disabled will be logged to dmesg.

For background on virtual syscalls see https://lwn.net/Articles/446528/

Closes https://github.com/NixOS/nixpkgs/pull/25289
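The commit message says programs broken by `vsyscall=none` show up in dmesg; the script below, added here as an editor's example and not part of nixpkgs, parses constructed dmesg lines in the format the x86-64 vsyscall emulation code emits for such refusals, and reads the effective `vsyscall=` value off a kernel command line. The program names, PIDs and addresses in the sample are made up; the log line shape and the last-occurrence-wins rule for kernel parameters are assumptions stated in the comments.

```python
import re
import subprocess

# Constructed sample dmesg output (not from a real host). The two
# "vsyscall attempted with vsyscall=none" lines follow the format the
# kernel's x86-64 vsyscall emulation prints when a process touches the
# legacy vsyscall page on a system booted with vsyscall=none.
SAMPLE_DMESG = """\
[    3.102938] systemd[1]: Started Journal Service.
[   42.771001] legacy-app[1337] vsyscall attempted with vsyscall=none ip:ffffffffff600000 cs:33 sp:7ffd0a1b2c30 ax:ffffffffff600000 si:7ffd0a1b2d00 di:0
[   42.771120] legacy-app[1337]: segfault at ffffffffff600000 ip ffffffffff600000 sp 00007ffd0a1b2c30 error 15
[   80.000112] old-runtime[2048] vsyscall attempted with vsyscall=none ip:ffffffffff600400 cs:33 sp:7ffe11223344 ax:ffffffffff600400 si:0 di:0
"""

# comm[pid] vsyscall attempted with vsyscall=none ip:<hex> ...
# Works with or without the "[ timestamp]" prefix (dmesg -t strips it).
VSYSCALL_DENIED = re.compile(
    r"(?:^|\s)(?P<comm>\S+)\[(?P<pid>\d+)\] vsyscall attempted with vsyscall=none"
    r" ip:(?P<ip>[0-9a-f]+)"
)


def vsyscall_denials(dmesg_text):
    """Return (comm, pid, ip) for every process the kernel refused a legacy vsyscall."""
    hits = []
    for line in dmesg_text.splitlines():
        m = VSYSCALL_DENIED.search(line)
        if m:
            hits.append((m.group("comm"), int(m.group("pid")), int(m.group("ip"), 16)))
    return hits


def vsyscall_mode(cmdline):
    """Effective vsyscall= setting from a kernel command line.

    Assumes kernel parameters are applied left to right, so a later
    vsyscall= overrides an earlier one. Returns None when the parameter is
    absent; the compiled-in default then applies and is not guessed here.
    """
    mode = None
    for tok in cmdline.split():
        if tok.startswith("vsyscall="):
            mode = tok.split("=", 1)[1]
    return mode


if __name__ == "__main__":
    # Live check on the running host (dmesg may need elevated privileges).
    with open("/proc/cmdline") as f:
        print("vsyscall mode on cmdline:", vsyscall_mode(f.read()))
    live = subprocess.run(["dmesg"], capture_output=True, text=True).stdout
    for comm, pid, ip in vsyscall_denials(live or SAMPLE_DMESG):
        print(f"{comm}[{pid}] hit the legacy vsyscall page at {ip:#x}")
```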
Diffstat (limited to 'nixos/modules/profiles')
-rw-r--r-- | nixos/modules/profiles/hardened.nix | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix index 9933f8b25f5e..a01d974446be 100644 --- a/nixos/modules/profiles/hardened.nix +++ b/nixos/modules/profiles/hardened.nix @@ -10,6 +10,11 @@ with lib; security.apparmor.enable = mkDefault true; + boot.kernelParams = [ + # Disable legacy virtual syscalls + "vsyscall=none" + ]; + # Restrict ptrace() usage to processes with a pre-defined relationship # (e.g., parent/child) boot.kernel.sysctl."kernel.yama.ptrace_scope" = mkOverride 500 1; |
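Review bot: unlike the neighbouring `security.apparmor.enable = mkDefault true;` and the `mkOverride 500 1` on `kernel.yama.ptrace_scope`, the new `boot.kernelParams` entry carries no priority, and since list options merge across modules a host that imports this profile cannot drop `"vsyscall=none"` for one program that still needs the legacy page without `mkForce` on the whole list; say in the hunk whether that is intended. The comment `# Disable legacy virtual syscalls` would also be the natural place to record that affected programs are reported in dmesg, which is currently only stated in the commit message.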