linux: Expand hardened config

Based on latest recommendations at
http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings

+78 -26
+62 -23
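--- a/pkgs/os-specific/linux/kernel/hardened-config.nix
+++ b/pkgs/os-specific/linux/kernel/hardened-config.nix
@@ -13,51 +13,90 @@
 assert (versionAtLeast version "4.9");
 
 ''
-GCC_PLUGINS y # Enable gcc plugin options
+# Report BUG() conditions and kill the offending process.
+BUG y
+
+${optionalString (stdenv.system == "x86_64-linux") ''
+DEFAULT_MMAP_MIN_ADDR 65536 # Prevent allocation of first 64K of memory
+
+# Reduce attack surface by disabling various emulations
+IA32_EMULATION n
+X86_X32 n
+MODIFY_LDT_SYSCALL n
+
+VMAP_STACK y # Catch kernel stack overflows
+
+# Randomize position of kernel and memory.
+RANDOMIZE_BASE y
+RANDOMIZE_MEMORY y
+
+# Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
+LEGACY_VSYSCALL_NONE y
+''}
+
+# Make sure kernel page tables have safe permissions.
+DEBUG_KERNEL y
+
+${optionalString (versionOlder version "4.11") ''
+DEBUG_RODATA y
+DEBUG_SET_MODULE_RONX y
+''}
 
 ${optionalString (versionAtLeast version "4.11") ''
 GCC_PLUGIN_STRUCTLEAK y # A port of the PaX structleak plugin
 ''}
 
-DEBUG_WX y # A one-time check for W+X mappings at boot; doesn't do anything beyond printing a warning
+# Report any dangerous memory permissions (not available on all archs).
+DEBUG_WX y
 
-${optionalString (versionAtLeast version "4.10") ''
-BUG_ON_DATA_CORRUPTION y # BUG if kernel struct validation detects corruption
-''}
+# Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
+# DEVMEM is not set
+STRICT_DEVMEM y
+IO_STRICT_DEVMEM y
 
-# Additional validation of commonly targetted structures
+# Perform additional validation of various commonly targeted structures.
 DEBUG_CREDENTIALS y
 DEBUG_NOTIFIERS y
 DEBUG_LIST y
 DEBUG_SG y
+BUG_ON_DATA_CORRUPTION y
+SCHED_STACK_END_CHECK y
 
-HARDENED_USERCOPY y # Bounds check usercopy
+# Provide userspace with seccomp BPF API for syscall attack surface reduction.
+SECCOMP y
+SECCOMP_FILTER y
+
+# Provide userspace with ptrace ancestry protections.
+SECURITY y
+SECURITY_YAMA y
+
+# Perform usercopy bounds checking.
+HARDENED_USERCOPY y
+
+# Randomize allocator freelists.
+SLAB_FREELIST_RANDOM y
 
-# Wipe on free with page_poison=1
+# Wipe higher-level memory allocations when they are freed (needs "page_poison 1" command line below).
+# (If you can afford even more performance penalty, leave PAGE_POISONING_NO_SANITY n)
 PAGE_POISONING y
 PAGE_POISONING_NO_SANITY y
 PAGE_POISONING_ZERO y
 
-CC_STACKPROTECTOR_REGULAR n
-CC_STACKPROTECTOR_STRONG y
+# Reboot devices immediately if kernel experiences an Oops.
+PANIC_ON_OOPS y
+PANIC_TIMEOUT -1
 
-# Stricter /dev/mem
-STRICT_DEVMEM y
-IO_STRICT_DEVMEM y
+# Keep root from altering kernel memory via loadable modules.
+# MODULES is not set
+
+GCC_PLUGINS y # Enable gcc plugin options
 
 # Disable various dangerous settings
 ACPI_CUSTOM_METHOD n # Allows writing directly to physical memory
 PROC_KCORE n # Exposes kernel text image layout
 INET_DIAG n # Has been used for heap based attacks in the past
 
-${optionalString (stdenv.system == "x86_64-linux") ''
-DEFAULT_MMAP_MIN_ADDR 65536 # Prevent allocation of first 64K of memory
-
-# Reduce attack surface by disabling various emulations
-IA32_EMULATION n
-X86_X32 n
-
-VMAP_STACK y # Catch kernel stack overflows
-''}
-
+# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
+CC_STACKPROTECTOR_REGULAR n
+CC_STACKPROTECTOR_STRONG y
 ''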
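Review bot: `# MODULES is not set` and `# DEVMEM is not set` are comments in this file's `OPTION value` format, so they configure nothing — the heading "Keep root from altering kernel memory via loadable modules." promises a restriction the generated config never applies, and a reader will assume modules and /dev/mem are off when they are still whatever the base config says. If disabling is intended the lines should be the directives `DEVMEM n` and `MODULES n` (the latter would presumably conflict with a distribution kernel that relies on loadable modules, so more likely the comment should be reworded to state that modules stay enabled and only the STRICT_DEVMEM restrictions apply). Separately, `BUG_ON_DATA_CORRUPTION y` lost its `versionAtLeast version "4.10"` guard while the assert at the top still admits 4.9, where that option does not exist and the config generator is likely to reject it as unused. `PANIC_ON_OOPS y` together with `PANIC_TIMEOUT -1` turns every oops — including ones reachable from unprivileged userspace — into an immediate reboot, which is a deliberate fail-closed choice but deserves a comment naming the availability trade-off.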
+1 -1
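--- a/pkgs/os-specific/linux/kernel/linux-hardened-copperhead.nix
+++ b/pkgs/os-specific/linux/kernel/linux-hardened-copperhead.nix
@@ -9,7 +9,7 @@
 import ./generic.nix (args // {
 version = "${version}-${revision}";
 extraMeta.branch = "4.12";
-modDirVersion = "${version}";
+modDirVersion = "${version}-hardened";
 
 src = fetchFromGitHub {
 inherit sha256;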
+5
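--- a/pkgs/os-specific/linux/kernel/patches.nix
+++ b/pkgs/os-specific/linux/kernel/patches.nix
@@ -156,4 +156,9 @@
 sha256 = "10dmv3d3gj8rvj9h40js4jh8xbr5wyaqiy0kd819mya441mj8ll2";
 };
 };
+
+tag_hardened = rec {
+name = "tag-hardened";
+patch = ./tag-hardened.patch;
+};
 }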
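Review bot: `rec` on the new `tag_hardened = rec {` set is unneeded — `name` and `patch` do not reference each other — so `tag_hardened = {` keeps the set plain and avoids implying a self-reference that a later reader will look for. The enclosing attribute set starts outside the hunk.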
+7
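--- /dev/null
+++ b/pkgs/os-specific/linux/kernel/tag-hardened.patch
@@ -0,0 +1,7 @@
+diff --git a/localversion-hardened b/localversion-hardened
+new file mode 100644
+index 0000000000..e578045860
+--- /dev/null
++++ b/localversion-hardened
+@@ -0,0 +1 @@
++-hardened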
+3 -2
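--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -1338,7 +1338,7 @@
 
 clementine = callPackage ../applications/audio/clementine {
 boost = boost155;
-gst_plugins =
+gst_plugins =
 with gst_all_1; [ gst-plugins-base gst-plugins-good gst-plugins-ugly ];
 };
 
@@ -12040,10 +12040,11 @@
 kernelPatches.p9_fixes
 kernelPatches.modinst_arg_list_too_long
 kernelPatches.cpu-cgroup-v2."4.11"
+kernelPatches.tag_hardened
 ];
 extraConfig = import ../os-specific/linux/kernel/hardened-config.nix {
 inherit stdenv;
-inherit (linux) version;
+inherit (linux_hardened_copperhead) version;
 };
 };
 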
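Review bot: `inherit (linux_hardened_copperhead) version;` now hands hardened-config.nix a version that, per linux-hardened-copperhead.nix in this same commit, is `"${version}-${revision}"`, so the `versionAtLeast`/`versionOlder` guards in that file compare against a revision-suffixed string; Nix version comparison should tolerate the suffix, but a comment such as `# version carries the copperhead revision suffix; the version guards only look at the kernel prefix` would spare the next reader a trip through two files. The `gst_plugins` hunk at line 1341 appears to be a whitespace-only change unrelated to kernel hardening and would be cleaner in its own commit so blame on either change stays attributable.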