Diffstat (limited to 'pkgs/os-specific/linux/kernel/hardened-config.nix')
-rw-r--r-- | pkgs/os-specific/linux/kernel/hardened-config.nix | 85 |
1 files changed, 62 insertions, 23 deletions
diff --git a/pkgs/os-specific/linux/kernel/hardened-config.nix b/pkgs/os-specific/linux/kernel/hardened-config.nix
index ba5e538c493a..7c5593a4df2e 100644
--- a/pkgs/os-specific/linux/kernel/hardened-config.nix
+++ b/pkgs/os-specific/linux/kernel/hardened-config.nix
@@ -13,51 +13,90 @@ with stdenv.lib;
 assert (versionAtLeast version "4.9");
 
 ''
-GCC_PLUGINS y # Enable gcc plugin options
+# Report BUG() conditions and kill the offending process.
+BUG y
+
+${optionalString (stdenv.system == "x86_64-linux") ''
+ DEFAULT_MMAP_MIN_ADDR 65536 # Prevent allocation of first 64K of memory
+
+ # Reduce attack surface by disabling various emulations
+ IA32_EMULATION n
+ X86_X32 n
+ MODIFY_LDT_SYSCALL n
+
+ VMAP_STACK y # Catch kernel stack overflows
+
+ # Randomize position of kernel and memory.
+ RANDOMIZE_BASE y
+ RANDOMIZE_MEMORY y
+
+ # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
+ LEGACY_VSYSCALL_NONE y
+''}
+
+# Make sure kernel page tables have safe permissions.
+DEBUG_KERNEL y
+
+${optionalString (versionOlder version "4.11") ''
+ DEBUG_RODATA y
+ DEBUG_SET_MODULE_RONX y
+''}
 
 ${optionalString (versionAtLeast version "4.11") ''
  GCC_PLUGIN_STRUCTLEAK y # A port of the PaX structleak plugin
 ''}
 
-DEBUG_WX y # A one-time check for W+X mappings at boot; doesn't do anything beyond printing a warning
+# Report any dangerous memory permissions (not available on all archs).
+DEBUG_WX y
 
-${optionalString (versionAtLeast version "4.10") ''
- BUG_ON_DATA_CORRUPTION y # BUG if kernel struct validation detects corruption
-''}
+# Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
+# DEVMEM is not set
+STRICT_DEVMEM y
+IO_STRICT_DEVMEM y
 
-# Additional validation of commonly targetted structures
+# Perform additional validation of various commonly targeted structures.
 DEBUG_CREDENTIALS y
 DEBUG_NOTIFIERS y
 DEBUG_LIST y
 DEBUG_SG y
+BUG_ON_DATA_CORRUPTION y
+SCHED_STACK_END_CHECK y
+
+# Provide userspace with seccomp BPF API for syscall attack surface reduction.
+SECCOMP y
+SECCOMP_FILTER y
 
-HARDENED_USERCOPY y # Bounds check usercopy
+# Provide userspace with ptrace ancestry protections.
+SECURITY y
+SECURITY_YAMA y
 
-# Wipe on free with page_poison=1
+# Perform usercopy bounds checking.
+HARDENED_USERCOPY y
+
+# Randomize allocator freelists.
+SLAB_FREELIST_RANDOM y
+
+# Wipe higher-level memory allocations when they are freed (needs "page_poison 1" command line below).
+# (If you can afford even more performance penalty, leave PAGE_POISONING_NO_SANITY n)
 PAGE_POISONING y
 PAGE_POISONING_NO_SANITY y
 PAGE_POISONING_ZERO y
 
-CC_STACKPROTECTOR_REGULAR n
-CC_STACKPROTECTOR_STRONG y
+# Reboot devices immediately if kernel experiences an Oops.
+PANIC_ON_OOPS y
+PANIC_TIMEOUT -1
 
-# Stricter /dev/mem
-STRICT_DEVMEM y
-IO_STRICT_DEVMEM y
+# Keep root from altering kernel memory via loadable modules.
+# MODULES is not set
+
+GCC_PLUGINS y # Enable gcc plugin options
 
 # Disable various dangerous settings
 ACPI_CUSTOM_METHOD n # Allows writing directly to physical memory
 PROC_KCORE n # Exposes kernel text image layout
 INET_DIAG n # Has been used for heap based attacks in the past
 
-${optionalString (stdenv.system == "x86_64-linux") ''
- DEFAULT_MMAP_MIN_ADDR 65536 # Prevent allocation of first 64K of memory
-
- # Reduce attack surface by disabling various emulations
- IA32_EMULATION n
- X86_X32 n
-
- VMAP_STACK y # Catch kernel stack overflows
-''}
-
+# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
+CC_STACKPROTECTOR_REGULAR n
+CC_STACKPROTECTOR_STRONG y
 '' |
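Review bot: The added lines `# DEVMEM is not set` and `# MODULES is not set` are written in Kconfig `.config` syntax, but everywhere else in this string `#` starts a comment (`GCC_PLUGINS y # Enable gcc plugin options`, `# Disable various dangerous settings`) and options are disabled as `NAME n` (`IA32_EMULATION n`, `INET_DIAG n`), so if the consumer strips `#` comments — which the rest of the file relies on — these two lines set nothing and DEVMEM and MODULES keep their defaults while the comments above them ("Do not allow direct physical memory access", "Keep root from altering kernel memory via loadable modules") claim the restriction is in place. For /dev/mem the file's own convention is `DEVMEM n`, which also makes the following `STRICT_DEVMEM y` / `IO_STRICT_DEVMEM y` the documented fallback rather than the primary control. For modules, confirm that the surrounding kernel build can boot without loadable modules before writing `MODULES n`; if it cannot, the comment should be dropped so it does not advertise a restriction that is not applied. The `PANIC_ON_OOPS y` / `PANIC_TIMEOUT -1` pair would also benefit from a comment stating the trade-off, e.g. `# A negative timeout reboots with no delay, so any oops (including from a buggy driver) becomes an immediate reboot; consumers may want to override this.`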