# Kernel hardening config fragment.
#
# Based on recommendations from:
# http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project#Recommended_settings
# https://wiki.gentoo.org/wiki/Hardened/Hardened_Kernel_Project
#
# Anything that is dangerous but can be switched off for the lifetime of a boot
# (via sysctl or the kernel command line) is deliberately left enabled here so
# the same kernel build stays usable in more situations; the runtime switches
# are named next to each such option.
#
# See also <nixos/modules/profiles/hardened.nix>
#
# Arguments:
#   stdenv  - unused here, accepted for uniformity with the other config fragments
#   lib     - nixpkgs lib (kernel option helpers and version comparison)
#   version - the kernel version string the options are gated on

{ stdenv, lib, version }:

let
  inherit (lib.kernel) yes no option freeform;
  inherit (lib.kernel.whenHelpers version) whenAtLeast whenOlder;
in

# The version-gated options below are only meaningful from 4.9 onwards.
assert lib.versionAtLeast version "4.9";

{
  # Report BUG() conditions and kill the offending process.
  BUG = yes;

  # Mark LSM hooks read-only after init. SECURITY_WRITABLE_HOOKS=n conflicts
  # with SECURITY_SELINUX_DISABLE=y; disabling the latter implicitly makes the
  # hooks read-only after init.
  #
  # SELinux can then only be turned off at boot with selinux=0.
  #
  # SECURITY_WRITABLE_HOOKS=n is set mainly as documentation: the config builder
  # does not notice that it is in fact unset, hence `option`.
  SECURITY_SELINUX_DISABLE = whenOlder "6.4" no; # on 6.4: error: unused option: SECURITY_SELINUX_DISABLE
  SECURITY_WRITABLE_HOOKS = option no;

  # Kernel text read-only, data non-executable.
  STRICT_KERNEL_RWX = yes;

  # Extra runtime validation of structures that are common corruption targets.
  DEBUG_CREDENTIALS = yes;
  DEBUG_NOTIFIERS = yes;
  DEBUG_PI_LIST = whenOlder "5.2" yes; # doesn't BUG()
  DEBUG_PLIST = whenAtLeast "5.2" yes;
  DEBUG_SG = yes;
  SCHED_STACK_END_CHECK = yes;

  REFCOUNT_FULL = whenOlder "5.4.208" yes;

  # Page allocator randomisation; activated at runtime with page_alloc.shuffle=1.
  SHUFFLE_PAGE_ALLOCATOR = whenAtLeast "5.2" yes;

  # Makes slab free-poisoning available; activated with slub_debug=P.
  SLUB_DEBUG = yes;

  # Wipe higher-level allocations on free(); activated with page_poison=1.
  PAGE_POISONING = yes;
  PAGE_POISONING_NO_SANITY = whenOlder "5.11" yes;
  PAGE_POISONING_ZERO = whenOlder "5.11" yes;

  # Build the SafeSetId LSM.
  SECURITY_SAFESETID = whenAtLeast "5.1" yes;

  # Reboot immediately on a kernel panic (negative timeout = no delay). Note an
  # Oops only turns into a panic when kernel.panic_on_oops / oops=panic is set,
  # so on its own this does not reboot after a plain Oops.
  PANIC_TIMEOUT = freeform "-1";

  # gcc plugin based hardening.
  GCC_PLUGINS = yes;
  # Gather extra entropy at boot for systems without good entropy sources.
  GCC_PLUGIN_LATENT_ENTROPY = yes;

  GCC_PLUGIN_STRUCTLEAK = option yes; # port of the PaX structleak plugin
  GCC_PLUGIN_STRUCTLEAK_BYREF_ALL = option yes; # also cover structs passed by address
  GCC_PLUGIN_STACKLEAK = whenAtLeast "4.20" yes; # port of the PaX stackleak plugin
  GCC_PLUGIN_RANDSTRUCT = whenOlder "5.19" yes; # port of the PaX randstruct plugin
  GCC_PLUGIN_RANDSTRUCT_PERFORMANCE = whenOlder "5.19" yes;

  # The GCC_PLUGIN_RANDSTRUCT* options were renamed to RANDSTRUCT* in 5.19.
  RANDSTRUCT = whenAtLeast "5.19" yes;
  RANDSTRUCT_PERFORMANCE = whenAtLeast "5.19" yes;

  # Disable interfaces that expose kernel memory or layout.
  ACPI_CUSTOM_METHOD = no; # allows writing directly to physical memory
  PROC_KCORE = no; # exposes kernel text image layout
  INET_DIAG = no; # has been used for heap based attacks in the past

  # With INET_DIAG=n these options no longer exist, but common-config.nix still
  # defines them, so they are made optional here.
  INET_DIAG_DESTROY = option no;
  INET_RAW_DIAG = option no;
  INET_TCP_DIAG = option no;
  INET_UDP_DIAG = option no;
  INET_MPTCP_DIAG = option no;

  # -fstack-protector-strong (gcc 4.9+) gives the widest stack canary coverage.
  # mkForce is a NixOS module priority override so this wins over the default
  # REGULAR setting from the common config.
  CC_STACKPROTECTOR_REGULAR = lib.mkForce (whenOlder "4.18" no);
  CC_STACKPROTECTOR_STRONG = whenOlder "4.18" yes;

  # Low-overhead detection of out-of-bounds reads/writes and use-after-free.
  KFENCE = whenAtLeast "5.12" yes;

  # With CONFIG_DEVMEM=n these options no longer exist.
  STRICT_DEVMEM = option no;
  IO_STRICT_DEVMEM = option no;
}