author | Matthieu Coudron <mattator@gmail.com> | 2018-10-03 18:53:23 +0900 |
committer | Matthieu Coudron <mattator@gmail.com> | 2019-01-28 09:07:24 +0900 |
commit | 7aacbdb8986f0d75c3770e70a39147c272e1eac8 (patch) | |
tree | 4c4e5722f3d16aa0b11644f9da480b0dfccd48e0 /pkgs/os-specific | |
parent | 3bb7b3f02e884db944a8a20b4f19227482479b94 (diff) | |
linux: convert hardened-config to a structured one
Diffstat (limited to 'pkgs/os-specific')
-rw-r--r-- | pkgs/os-specific/linux/kernel/common-config.nix | 9 | ||||
-rw-r--r-- | pkgs/os-specific/linux/kernel/hardened-config.nix | 212 |
2 files changed, 94 insertions, 127 deletions
diff --git a/pkgs/os-specific/linux/kernel/common-config.nix b/pkgs/os-specific/linux/kernel/common-config.nix
index bdcad8c2383c..1a56e68fa4bf 100644
--- a/pkgs/os-specific/linux/kernel/common-config.nix
+++ b/pkgs/os-specific/linux/kernel/common-config.nix
@@ -17,14 +17,9 @@ with stdenv.lib;
- with import ../../../../lib/kernel.nix { inherit (stdenv) lib; };
+ with import ../../../../lib/kernel.nix { inherit (stdenv) lib; inherit version; };
 let
- # Common patterns/legacy
- when = cond: opt: if cond then opt else null;
- whenAtLeast = ver: mkIf (versionAtLeast version ver);
- whenOlder = ver: mkIf (versionOlder version ver);
- whenBetween = verLow: verHigh: mkIf (versionAtLeast version verLow && versionOlder version verHigh);
 # configuration items have to be part of a subattrs
 flattenKConf = nested: mapAttrs (_: head) (zipAttrs (attrValues nested));
@@ -420,7 +415,7 @@ let
 KVM_COMPAT = { optional = true; tristate = whenBetween "4.0" "4.12" "y"; };
 KVM_DEVICE_ASSIGNMENT = { optional = true; tristate = whenBetween "3.10" "4.12" "y"; };
 KVM_GENERIC_DIRTYLOG_READ_PROTECT = whenAtLeast "4.0" yes;
- KVM_GUEST = when (!features.grsecurity) yes;
+ KVM_GUEST = mkIf (!features.grsecurity) yes;
 KVM_MMIO = yes;
 KVM_VFIO = yes;
 KSM = yes;
diff --git a/pkgs/os-specific/linux/kernel/hardened-config.nix b/pkgs/os-specific/linux/kernel/hardened-config.nix
index ed540a9e7518..f1f18c64130c 100644
--- a/pkgs/os-specific/linux/kernel/hardened-config.nix
+++ b/pkgs/os-specific/linux/kernel/hardened-config.nix
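Review bot: Removing the local `when` helper in the first hunk leaves only one converted caller (`KVM_GUEST = mkIf (!features.grsecurity) yes;` in the second hunk); any other `when …` use elsewhere in common-config.nix would now be an unbound name at evaluation time, and the rest of the file is not visible here, so that is worth confirming. The replacement helpers are presumably supplied by lib/kernel.nix now that `version` is passed in, but that file is not part of this diff either. A one-line comment at the new import, `# whenAtLeast/whenOlder/whenBetween now come from lib/kernel.nix (needs version)`, would make the dependency explicit.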
@@ -11,138 +11,110 @@
 { stdenv, version }:
 with stdenv.lib;
+with import ../../../../lib/kernel.nix { inherit (stdenv) lib; inherit version; };
 assert (versionAtLeast version "4.9");
-''
-# Report BUG() conditions and kill the offending process.
-BUG y
-
-${optionalString (versionAtLeast version "4.10") ''
- BUG_ON_DATA_CORRUPTION y
-''}
-
-${optionalString (stdenv.hostPlatform.platform.kernelArch == "x86_64") ''
- DEFAULT_MMAP_MIN_ADDR 65536 # Prevent allocation of first 64K of memory
+optionalAttrs (stdenv.hostPlatform.platform.kernelArch == "x86_64") {
+ DEFAULT_MMAP_MIN_ADDR = freeform "65536"; # Prevent allocation of first 64K of memory
 # Reduce attack surface by disabling various emulations
- IA32_EMULATION n
- X86_X32 n
+ IA32_EMULATION = no;
+ X86_X32 = no;
 # Note: this config depends on EXPERT y and so will not take effect, hence
 # it is left "optional" for now.
- MODIFY_LDT_SYSCALL? n
-
- VMAP_STACK y # Catch kernel stack overflows
+ MODIFY_LDT_SYSCALL = option no;
+ VMAP_STACK = yes; # Catch kernel stack overflows
 # Randomize position of kernel and memory.
- RANDOMIZE_BASE y
- RANDOMIZE_MEMORY y
+ RANDOMIZE_BASE = yes;
+ RANDOMIZE_MEMORY = yes;
 # Disable legacy virtual syscalls by default (modern glibc use vDSO instead).
 #
 # Note that the vanilla default is to *emulate* the legacy vsyscall mechanism,
 # which is supposed to be safer than the native variant (wrt. ret2libc), so
 # disabling it mainly helps reduce surface.
- LEGACY_VSYSCALL_NONE y
-''}
-
-# Safer page access permissions (wrt. code injection). Default on >=4.11.
-${optionalString (versionOlder version "4.11") ''
- DEBUG_RODATA y
- DEBUG_SET_MODULE_RONX y
-''}
-
-# Mark LSM hooks read-only after init. SECURITY_WRITABLE_HOOKS n
-# conflicts with SECURITY_SELINUX_DISABLE y; disabling the latter
-# implicitly marks LSM hooks read-only after init.
-#
-# SELinux can only be disabled at boot via selinux=0
-#
-# We set SECURITY_WRITABLE_HOOKS n primarily for documentation purposes; the
-# config builder fails to detect that it has indeed been unset.
-${optionalString (versionAtLeast version "4.12") ''
- SECURITY_SELINUX_DISABLE n
- SECURITY_WRITABLE_HOOKS? n
-''}
-
-DEBUG_WX y # boot-time warning on RWX mappings
-${optionalString (versionAtLeast version "4.11") ''
- STRICT_KERNEL_RWX y
-''}
-
-# Stricter /dev/mem
-STRICT_DEVMEM? y
-IO_STRICT_DEVMEM? y
-
-# Perform additional validation of commonly targeted structures.
-DEBUG_CREDENTIALS y
-DEBUG_NOTIFIERS y
-DEBUG_LIST y
-DEBUG_PI_LIST y # doesn't BUG()
-DEBUG_SG y
-SCHED_STACK_END_CHECK y
-
-${optionalString (versionAtLeast version "4.13") ''
- REFCOUNT_FULL y
-''}
-
-# Perform usercopy bounds checking.
-HARDENED_USERCOPY y
-${optionalString (versionAtLeast version "4.16") ''
- HARDENED_USERCOPY_FALLBACK n # for full whitelist enforcement
-''}
-
-# Randomize allocator freelists.
-SLAB_FREELIST_RANDOM y
-
-${optionalString (versionAtLeast version "4.14") ''
- SLAB_FREELIST_HARDENED y
-''}
-
-# Allow enabling slub/slab free poisoning with slub_debug=P
-SLUB_DEBUG y
-
-# Wipe higher-level memory allocations on free() with page_poison=1
-PAGE_POISONING y
-PAGE_POISONING_NO_SANITY y
-PAGE_POISONING_ZERO y
-
-# Reboot devices immediately if kernel experiences an Oops.
-PANIC_ON_OOPS y
-PANIC_TIMEOUT -1
-
-GCC_PLUGINS y # Enable gcc plugin options
-# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
-GCC_PLUGIN_LATENT_ENTROPY y
-
-${optionalString (versionAtLeast version "4.11") ''
- GCC_PLUGIN_STRUCTLEAK y # A port of the PaX structleak plugin
-''}
-${optionalString (versionAtLeast version "4.14") ''
- GCC_PLUGIN_STRUCTLEAK_BYREF_ALL y # Also cover structs passed by address
-''}
-${optionalString (versionAtLeast version "4.20") ''
- GCC_PLUGIN_STACKLEAK y # A port of the PaX stackleak plugin
-''}
-
-${optionalString (versionAtLeast version "4.13") ''
- GCC_PLUGIN_RANDSTRUCT y # A port of the PaX randstruct plugin
- GCC_PLUGIN_RANDSTRUCT_PERFORMANCE y
-''}
-
-# Disable various dangerous settings
-ACPI_CUSTOM_METHOD n # Allows writing directly to physical memory
-PROC_KCORE n # Exposes kernel text image layout
-INET_DIAG n # Has been used for heap based attacks in the past
-
-# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
-${optionalString (versionOlder version "4.18") ''
- CC_STACKPROTECTOR_REGULAR n
- CC_STACKPROTECTOR_STRONG y
-''}
-
-# Enable compile/run-time buffer overflow detection ala glibc's _FORTIFY_SOURCE
-${optionalString (versionAtLeast version "4.13") ''
- FORTIFY_SOURCE y
-''}
-''
+ LEGACY_VSYSCALL_NONE = yes;
+} // {
+ # Report BUG() conditions and kill the offending process.
+ BUG = yes;
+
+ BUG_ON_DATA_CORRUPTION = whenAtLeast "4.10" yes;
+
+ # Safer page access permissions (wrt. code injection). Default on >=4.11.
+ DEBUG_RODATA = whenOlder "4.11" yes;
+ DEBUG_SET_MODULE_RONX = whenOlder "4.11" yes;
+
+ # Mark LSM hooks read-only after init. SECURITY_WRITABLE_HOOKS n
+ # conflicts with SECURITY_SELINUX_DISABLE y; disabling the latter
+ # implicitly marks LSM hooks read-only after init.
+ #
+ # SELinux can only be disabled at boot via selinux=0
+ #
+ # We set SECURITY_WRITABLE_HOOKS n primarily for documentation purposes; the
+ # config builder fails to detect that it has indeed been unset.
+ SECURITY_SELINUX_DISABLE = whenAtLeast "4.12" no;
+ SECURITY_WRITABLE_HOOKS = whenAtLeast "4.12" (option no);
+
+ DEBUG_WX = yes; # boot-time warning on RWX mappings
+ STRICT_KERNEL_RWX = whenAtLeast "4.11" yes;
+
+ # Stricter /dev/mem
+ STRICT_DEVMEM = option yes;
+ IO_STRICT_DEVMEM = option yes;
+
+ # Perform additional validation of commonly targeted structures.
+ DEBUG_CREDENTIALS = yes;
+ DEBUG_NOTIFIERS = yes;
+ DEBUG_LIST = yes;
+ DEBUG_PI_LIST = yes; # doesn't BUG()
+ DEBUG_SG = yes;
+ SCHED_STACK_END_CHECK = yes;
+
+ REFCOUNT_FULL = whenAtLeast "4.13" yes;
+
+ # Perform usercopy bounds checking.
+ HARDENED_USERCOPY = yes;
+ HARDENED_USERCOPY_FALLBACK = whenAtLeast "4.16" no; # for full whitelist enforcement
+
+ # Randomize allocator freelists.
+ SLAB_FREELIST_RANDOM = yes;
+
+ SLAB_FREELIST_HARDENED = whenAtLeast "4.14" yes;
+
+ # Allow enabling slub/slab free poisoning with slub_debug=P
+ SLUB_DEBUG = yes;
+
+ # Wipe higher-level memory allocations on free() with page_poison=1
+ PAGE_POISONING = yes;
+ PAGE_POISONING_NO_SANITY = yes;
+ PAGE_POISONING_ZERO = yes;
+
+ # Reboot devices immediately if kernel experiences an Oops.
+ PANIC_ON_OOPS = yes;
+ PANIC_TIMEOUT = freeform "-1";
+
+ GCC_PLUGINS = yes; # Enable gcc plugin options
+ # Gather additional entropy at boot time for systems that may = no;ot have appropriate entropy sources.
+ GCC_PLUGIN_LATENT_ENTROPY = yes;
+
+ GCC_PLUGIN_STRUCTLEAK = whenAtLeast "4.11" yes; # A port of the PaX structleak plugin
+ GCC_PLUGIN_STRUCTLEAK_BYREF_ALL = whenAtLeast "4.14" yes; # Also cover structs passed by address
+ GCC_PLUGIN_STACKLEAK = whenAtLeast "4.20" yes; # A port of the PaX stackleak plugin
+ GCC_PLUGIN_RANDSTRUCT = whenAtLeast "4.13" yes; # A port of the PaX randstruct plugin
+ GCC_PLUGIN_RANDSTRUCT_PERFORMANCE = whenAtLeast "4.13" yes;
+
+ # Disable various dangerous settings
+ ACPI_CUSTOM_METHOD = no; # Allows writing directly to physical memory
+ PROC_KCORE = no; # Exposes kernel text image layout
+ INET_DIAG = no; # Has been used for heap based attacks in the past
+
+ # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
+ CC_STACKPROTECTOR_REGULAR = whenOlder "4.18" no;
+ CC_STACKPROTECTOR_STRONG = whenOlder "4.18" yes;
+
+ # Enable compile/run-time buffer overflow detection ala glibc's _FORTIFY_SOURCE
+ FORTIFY_SOURCE = whenAtLeast "4.13" yes;
+
+} |
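Review bot: The comment added directly after `GCC_PLUGINS = yes;` now reads `systems that may = no;ot have appropriate entropy sources`, which looks like the mechanical ` n` → ` = no;` rewrite applied to the option lines leaking into prose; it should read `# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.`. The other converted comments visible in the hunk (for example the `SECURITY_WRITABLE_HOOKS n` reference in the LSM note) came through intact, so this appears to be the only casualty, though the remainder of the new file above the hunk is not visible here. Separately, the new shape is `optionalAttrs (… == "x86_64") { … } // { … }`, and `//` is a right-biased merge, so any option later added to the common set under the same name as an x86_64-only one would silently win; a one-line comment at `} // {` such as `# common options below override the x86_64-only set on name clash` would make that explicit.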