commit ff10bafd00520510f5c8a9dec4060321477c47d5 · pyrox.dev/nixpkgs

pyrox.dev / nixpkgs

lol

linux: Expand hardened config

Based on latest recommendations at
http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings

Tim Steinbach 8 years ago ff10bafd e66c85d1

+78 -26

5 changed files

expand all

unified split

pkgs

os-specific

linux

kernel

hardened-config.nix

linux-hardened-copperhead.nix

patches.nix

tag-hardened.patch

top-level

all-packages.nix

+62 -23

pkgs/os-specific/linux/kernel/hardened-config.nix

··· 13 13 assert (versionAtLeast version "4.9"); 14 14 15 15 '' 16 - GCC_PLUGINS y # Enable gcc plugin options 16 + # Report BUG() conditions and kill the offending process. 17 + BUG y 18 + 19 + ${optionalString (stdenv.system == "x86_64-linux") '' 20 + DEFAULT_MMAP_MIN_ADDR 65536 # Prevent allocation of first 64K of memory 21 + 22 + # Reduce attack surface by disabling various emulations 23 + IA32_EMULATION n 24 + X86_X32 n 25 + MODIFY_LDT_SYSCALL n 26 + 27 + VMAP_STACK y # Catch kernel stack overflows 28 + 29 + # Randomize position of kernel and memory. 30 + RANDOMIZE_BASE y 31 + RANDOMIZE_MEMORY y 32 + 33 + # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target. 34 + LEGACY_VSYSCALL_NONE y 35 + ''} 36 + 37 + # Make sure kernel page tables have safe permissions. 38 + DEBUG_KERNEL y 39 + 40 + ${optionalString (versionOlder version "4.11") '' 41 + DEBUG_RODATA y 42 + DEBUG_SET_MODULE_RONX y 43 + ''} 17 44 18 45 ${optionalString (versionAtLeast version "4.11") '' 19 46 GCC_PLUGIN_STRUCTLEAK y # A port of the PaX structleak plugin 20 47 ''} 21 48 22 - DEBUG_WX y # A one-time check for W+X mappings at boot; doesn't do anything beyond printing a warning 49 + # Report any dangerous memory permissions (not available on all archs). 50 + DEBUG_WX y 23 51 24 - ${optionalString (versionAtLeast version "4.10") '' 25 - BUG_ON_DATA_CORRUPTION y # BUG if kernel struct validation detects corruption 26 - ''} 52 + # Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...) 53 + # DEVMEM is not set 54 + STRICT_DEVMEM y 55 + IO_STRICT_DEVMEM y 27 56 28 - # Additional validation of commonly targetted structures 57 + # Perform additional validation of various commonly targeted structures. 29 58 DEBUG_CREDENTIALS y 30 59 DEBUG_NOTIFIERS y 31 60 DEBUG_LIST y 32 61 DEBUG_SG y 62 + BUG_ON_DATA_CORRUPTION y 63 + SCHED_STACK_END_CHECK y 33 64 34 - HARDENED_USERCOPY y # Bounds check usercopy 65 + # Provide userspace with seccomp BPF API for syscall attack surface reduction. 66 + SECCOMP y 67 + SECCOMP_FILTER y 68 + 69 + # Provide userspace with ptrace ancestry protections. 70 + SECURITY y 71 + SECURITY_YAMA y 72 + 73 + # Perform usercopy bounds checking. 74 + HARDENED_USERCOPY y 75 + 76 + # Randomize allocator freelists. 77 + SLAB_FREELIST_RANDOM y 35 78 36 - # Wipe on free with page_poison=1 79 + # Wipe higher-level memory allocations when they are freed (needs "page_poison 1" command line below). 80 + # (If you can afford even more performance penalty, leave PAGE_POISONING_NO_SANITY n) 37 81 PAGE_POISONING y 38 82 PAGE_POISONING_NO_SANITY y 39 83 PAGE_POISONING_ZERO y 40 84 41 - CC_STACKPROTECTOR_REGULAR n 42 - CC_STACKPROTECTOR_STRONG y 85 + # Reboot devices immediately if kernel experiences an Oops. 86 + PANIC_ON_OOPS y 87 + PANIC_TIMEOUT -1 43 88 44 - # Stricter /dev/mem 45 - STRICT_DEVMEM y 46 - IO_STRICT_DEVMEM y 89 + # Keep root from altering kernel memory via loadable modules. 90 + # MODULES is not set 91 + 92 + GCC_PLUGINS y # Enable gcc plugin options 47 93 48 94 # Disable various dangerous settings 49 95 ACPI_CUSTOM_METHOD n # Allows writing directly to physical memory 50 96 PROC_KCORE n # Exposes kernel text image layout 51 97 INET_DIAG n # Has been used for heap based attacks in the past 52 98 53 - ${optionalString (stdenv.system == "x86_64-linux") '' 54 - DEFAULT_MMAP_MIN_ADDR 65536 # Prevent allocation of first 64K of memory 55 - 56 - # Reduce attack surface by disabling various emulations 57 - IA32_EMULATION n 58 - X86_X32 n 59 - 60 - VMAP_STACK y # Catch kernel stack overflows 61 - ''} 62 - 99 + # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage. 100 + CC_STACKPROTECTOR_REGULAR n 101 + CC_STACKPROTECTOR_STRONG y 63 102 ''

+1 -1

pkgs/os-specific/linux/kernel/linux-hardened-copperhead.nix

··· 9 9 import ./generic.nix (args // { 10 10 version = "${version}-${revision}"; 11 11 extraMeta.branch = "4.12"; 12 - modDirVersion = "${version}"; 12 + modDirVersion = "${version}-hardened"; 13 13 14 14 src = fetchFromGitHub { 15 15 inherit sha256;

pkgs/os-specific/linux/kernel/patches.nix

··· 156 156 sha256 = "10dmv3d3gj8rvj9h40js4jh8xbr5wyaqiy0kd819mya441mj8ll2"; 157 157 }; 158 158 }; 159 + 160 + tag_hardened = rec { 161 + name = "tag-hardened"; 162 + patch = ./tag-hardened.patch; 163 + }; 159 164 }

pkgs/os-specific/linux/kernel/tag-hardened.patch

··· 1 + diff --git a/localversion-hardened b/localversion-hardened 2 + new file mode 100644 3 + index 0000000000..e578045860 4 + --- /dev/null 5 + +++ b/localversion-hardened 6 + @@ -0,0 +1 @@ 7 + +-hardened

+3 -2

pkgs/top-level/all-packages.nix

··· 1338 1338 1339 1339 clementine = callPackage ../applications/audio/clementine { 1340 1340 boost = boost155; 1341 - gst_plugins = 1341 + gst_plugins = 1342 1342 with gst_all_1; [ gst-plugins-base gst-plugins-good gst-plugins-ugly ]; 1343 1343 }; 1344 1344 ··· 12040 12040 kernelPatches.p9_fixes 12041 12041 kernelPatches.modinst_arg_list_too_long 12042 12042 kernelPatches.cpu-cgroup-v2."4.11" 12043 + kernelPatches.tag_hardened 12043 12044 ]; 12044 12045 extraConfig = import ../os-specific/linux/kernel/hardened-config.nix { 12045 12046 inherit stdenv; 12046 - inherit (linux) version; 12047 + inherit (linux_hardened_copperhead) version; 12047 12048 }; 12048 12049 }; 12049 12050