author | Alyssa Ross <hi@alyssa.is> | 2023-06-16 06:56:35 +0000 |
---|---|---|
committer | Alyssa Ross <hi@alyssa.is> | 2023-06-16 06:56:35 +0000 |
commit | 99fcaeccb89621dd492203ce1f2d551c06f228ed (patch) | |
tree | 41cb730ae07383004789779b0f6e11cb3f4642a3 /nixpkgs/pkgs/os-specific/linux/kernel/hardened/config.nix | |
parent | 59c5f5ac8682acc13bb22bc29c7cf02f7d75f01f (diff) | |
parent | 75a5ebf473cd60148ba9aec0d219f72e5cf52519 (diff) | |
Merge branch 'nixos-unstable' of https://github.com/NixOS/nixpkgs
Conflicts: nixpkgs/nixos/modules/config/console.nix nixpkgs/nixos/modules/services/mail/mailman.nix nixpkgs/nixos/modules/services/mail/public-inbox.nix nixpkgs/nixos/modules/services/mail/rss2email.nix nixpkgs/nixos/modules/services/networking/ssh/sshd.nix nixpkgs/pkgs/applications/networking/instant-messengers/dino/default.nix nixpkgs/pkgs/applications/networking/irc/weechat/default.nix nixpkgs/pkgs/applications/window-managers/sway/default.nix nixpkgs/pkgs/build-support/go/module.nix nixpkgs/pkgs/build-support/rust/build-rust-package/default.nix nixpkgs/pkgs/development/interpreters/python/default.nix nixpkgs/pkgs/development/node-packages/overrides.nix nixpkgs/pkgs/development/tools/b4/default.nix nixpkgs/pkgs/servers/dict/dictd-db.nix nixpkgs/pkgs/servers/mail/public-inbox/default.nix nixpkgs/pkgs/tools/security/pinentry/default.nix nixpkgs/pkgs/tools/text/unoconv/default.nix nixpkgs/pkgs/top-level/all-packages.nix
Diffstat (limited to 'nixpkgs/pkgs/os-specific/linux/kernel/hardened/config.nix')
-rw-r--r-- | nixpkgs/pkgs/os-specific/linux/kernel/hardened/config.nix | 26 |
1 files changed, 13 insertions, 13 deletions
diff --git a/nixpkgs/pkgs/os-specific/linux/kernel/hardened/config.nix b/nixpkgs/pkgs/os-specific/linux/kernel/hardened/config.nix index 3e3cd149c4d9..5a1a710ba3b7 100644 --- a/nixpkgs/pkgs/os-specific/linux/kernel/hardened/config.nix +++ b/nixpkgs/pkgs/os-specific/linux/kernel/hardened/config.nix @@ -8,7 +8,7 @@ # # See also <nixos/modules/profiles/hardened.nix> -{ lib, version }: +{ stdenv, lib, version }: with lib; with lib.kernel; @@ -20,10 +20,6 @@ assert (versionAtLeast version "4.9"); # Report BUG() conditions and kill the offending process. BUG = yes; - # Safer page access permissions (wrt. code injection). Default on >=4.11. - DEBUG_RODATA = whenOlder "4.11" yes; - DEBUG_SET_MODULE_RONX = whenOlder "4.11" yes; - # Mark LSM hooks read-only after init. SECURITY_WRITABLE_HOOKS n # conflicts with SECURITY_SELINUX_DISABLE y; disabling the latter # implicitly marks LSM hooks read-only after init. @@ -32,10 +28,10 @@ assert (versionAtLeast version "4.9"); # # We set SECURITY_WRITABLE_HOOKS n primarily for documentation purposes; the # config builder fails to detect that it has indeed been unset. - SECURITY_SELINUX_DISABLE = whenAtLeast "4.12" no; - SECURITY_WRITABLE_HOOKS = whenAtLeast "4.12" (option no); + SECURITY_SELINUX_DISABLE = no; + SECURITY_WRITABLE_HOOKS = option no; - STRICT_KERNEL_RWX = whenAtLeast "4.11" yes; + STRICT_KERNEL_RWX = yes; # Perform additional validation of commonly targeted structures. DEBUG_CREDENTIALS = yes; @@ -45,7 +41,7 @@ assert (versionAtLeast version "4.9"); DEBUG_SG = yes; SCHED_STACK_END_CHECK = yes; - REFCOUNT_FULL = whenBetween "4.13" "5.5" yes; + REFCOUNT_FULL = whenOlder "5.5" yes; # Randomize page allocator when page_alloc.shuffle=1 SHUFFLE_PAGE_ALLOCATOR = whenAtLeast "5.2" yes; 
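Review bot: `stdenv` is added to the argument set in the first hunk, but no added line in this diff references it, and the diffstat's 13 insertions are all accounted for by the visible hunks, so within this file it appears unused. Because the pattern is strict (no `...`), any caller that does not now supply `stdenv` fails evaluation with a missing-argument error, and those callers are outside this file. If the parameter exists only to match what the caller passes, a short comment such as `# stdenv: supplied by the caller, not used in this file yet` would save the next reader a search; otherwise it should be dropped until something here needs it.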
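Review bot: `SECURITY_SELINUX_DISABLE = no;` in the third hunk is now unconditional, but that Kconfig symbol was removed upstream in Linux 6.4 together with the SELinux runtime-disable feature, so on 6.4 and later the config builder is asked about a symbol that no longer exists — which, going by this file's own comment on `SECURITY_WRITABLE_HOOKS`, it reports as a mismatch rather than treating as "unset". Gate it the way the rest of the file does: `SECURITY_SELINUX_DISABLE = whenOlder "6.4" no;`. In the other direction, dropping the `whenAtLeast "4.11"`/`"4.12"` guards here (and, in the next hunk, turning `whenBetween "4.13" "5.5"` into `whenOlder "5.5"`) makes `STRICT_KERNEL_RWX`, `SECURITY_WRITABLE_HOOKS` and `REFCOUNT_FULL` unconditional on kernels that predate those symbols, yet the hunk-header context still reads `assert (versionAtLeast version "4.9");`. Either raise that assertion to the real floor or keep the guards, so the declared minimum and the effective one agree; the `assert` line itself is outside these hunks.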
@@ -68,11 +64,15 @@ assert (versionAtLeast version "4.9"); # Gather additional entropy at boot time for systems that may not have appropriate entropy sources. GCC_PLUGIN_LATENT_ENTROPY = yes; - GCC_PLUGIN_STRUCTLEAK = whenAtLeast "4.11" yes; # A port of the PaX structleak plugin - GCC_PLUGIN_STRUCTLEAK_BYREF_ALL = whenAtLeast "4.14" yes; # Also cover structs passed by address + GCC_PLUGIN_STRUCTLEAK = option yes; # A port of the PaX structleak plugin + GCC_PLUGIN_STRUCTLEAK_BYREF_ALL = option yes; # Also cover structs passed by address GCC_PLUGIN_STACKLEAK = whenAtLeast "4.20" yes; # A port of the PaX stackleak plugin - GCC_PLUGIN_RANDSTRUCT = whenAtLeast "4.13" yes; # A port of the PaX randstruct plugin - GCC_PLUGIN_RANDSTRUCT_PERFORMANCE = whenAtLeast "4.13" yes; + GCC_PLUGIN_RANDSTRUCT = whenOlder "5.19" yes; # A port of the PaX randstruct plugin + GCC_PLUGIN_RANDSTRUCT_PERFORMANCE = whenOlder "5.19" yes; + + # Same as GCC_PLUGIN_RANDSTRUCT*, but has been renamed to `RANDSTRUCT*` in 5.19. + RANDSTRUCT = whenAtLeast "5.19" yes; + RANDSTRUCT_PERFORMANCE = whenAtLeast "5.19" yes; # Disable various dangerous settings ACPI_CUSTOM_METHOD = no; # Allows writing directly to physical memory |
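Review bot: `GCC_PLUGIN_STRUCTLEAK` and `GCC_PLUGIN_STRUCTLEAK_BYREF_ALL` move from a version gate (`whenAtLeast "4.11"`/`"4.14"`) to `option yes`, which, as this file uses `option` elsewhere, tells the config builder not to fail when the symbol is absent from the resulting .config. That converts a hard guarantee into a silent downgrade: a kernel or toolchain that cannot enable structleak now builds as "hardened" without it, while the neighbouring `GCC_PLUGIN_LATENT_ENTROPY = yes;` and `GCC_PLUGIN_STACKLEAK = whenAtLeast "4.20" yes;` still fail hard, so the three plugins are now treated inconsistently. If the motivation is toolchains without GCC plugin support, the other two need the same treatment and the reason belongs next to the option, e.g. `# option: GCC plugins are unavailable with non-GCC toolchains`; if it is only about old kernels, `whenAtLeast "4.14" yes` keeps the guarantee. The `GCC_PLUGIN_RANDSTRUCT`/`RANDSTRUCT` split at 5.19 looks correct.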