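# Based on recommendations from:
# http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project#Recommended_settings
# https://wiki.gentoo.org/wiki/Hardened/Hardened_Kernel_Project
#
# Dangerous features that can be permanently (for the boot session) disabled at
# boot via sysctl or kernel cmdline are left enabled here, for improved
# flexibility.
#
# See also <nixos/modules/profiles/hardened.nix>
#
# Conventions used below (from lib.kernel / whenHelpers):
#   - option names are written WITHOUT the CONFIG_ prefix; the config builder
#     adds it when it emits the .config line.
#   - `whenOlder` / `whenAtLeast` gate a setting on the kernel version.
#   - `option` marks a setting as optional, so a kernel that does not know the
#     symbol does not make the build fail (see the INET_DIAG block below).

{
  stdenv,
  lib,
  version,
}:

with lib.kernel;
with (lib.kernel.whenHelpers version);

assert (lib.versionAtLeast version "4.9");

{
  # Mark LSM hooks read-only after init. SECURITY_WRITABLE_HOOKS n
  # conflicts with SECURITY_SELINUX_DISABLE y; disabling the latter
  # implicitly marks LSM hooks read-only after init.
  #
  # SELinux can only be disabled at boot via selinux=0
  #
  # We set SECURITY_WRITABLE_HOOKS n primarily for documentation purposes; the
  # config builder fails to detect that it has indeed been unset.
  SECURITY_SELINUX_DISABLE = whenOlder "6.4" no; # On 6.4: error: unused option: SECURITY_SELINUX_DISABLE
  SECURITY_WRITABLE_HOOKS = option no;

  # Perform additional validation of commonly targeted structures.
  DEBUG_CREDENTIALS = whenOlder "6.6" yes;
  DEBUG_NOTIFIERS = yes;
  DEBUG_PI_LIST = whenOlder "5.2" yes; # doesn't BUG()
  DEBUG_PLIST = whenAtLeast "5.2" yes;
  DEBUG_SG = yes;
  DEBUG_VIRTUAL = yes;
  SCHED_STACK_END_CHECK = yes;

  REFCOUNT_FULL = whenOlder "5.4.208" yes;

  # tell EFI to wipe memory during reset
  # https://lwn.net/Articles/730006/
  RESET_ATTACK_MITIGATION = yes;

  # restricts loading of line disciplines via TIOCSETD ioctl to CAP_SYS_MODULE
  #
  # Written without the CONFIG_ prefix like every other option in this file;
  # with the prefix the builder would emit CONFIG_CONFIG_LDISC_AUTOLOAD, which
  # `option` then lets pass silently, so the restriction would never be applied.
  # Kept as `option` because the assert above admits kernels that predate the
  # symbol.
  LDISC_AUTOLOAD = option no;

  # Wipe higher-level memory allocations on free() with page_poison=1
  PAGE_POISONING_NO_SANITY = whenOlder "5.11" yes;
  PAGE_POISONING_ZERO = whenOlder "5.11" yes;

  # Enable init_on_free by default
  INIT_ON_FREE_DEFAULT_ON = whenAtLeast "5.3" yes;

  # Wipe all caller-used registers on exit from a function
  ZERO_CALL_USED_REGS = whenAtLeast "5.15" yes;

  # Enable the SafeSetId LSM
  SECURITY_SAFESETID = whenAtLeast "5.1" yes;

  # Reboot devices immediately if kernel experiences an Oops.
  # A negative PANIC_TIMEOUT means "reboot at once" rather than waiting N seconds;
  # an Oops only escalates to a panic when panic_on_oops is set (see the
  # hardened profile referenced in the header).
  PANIC_TIMEOUT = freeform "-1";

  GCC_PLUGINS = yes; # Enable gcc plugin options

  GCC_PLUGIN_STRUCTLEAK = option yes; # A port of the PaX structleak plugin
  GCC_PLUGIN_STRUCTLEAK_BYREF_ALL = option yes; # Also cover structs passed by address
  GCC_PLUGIN_STACKLEAK = whenAtLeast "4.20" yes; # A port of the PaX stackleak plugin
  GCC_PLUGIN_RANDSTRUCT = whenOlder "5.19" yes; # A port of the PaX randstruct plugin
  GCC_PLUGIN_RANDSTRUCT_PERFORMANCE = whenOlder "5.19" yes;

  # Runtime undefined behaviour checks
  # https://www.kernel.org/doc/html/latest/dev-tools/ubsan.html
  # https://developers.redhat.com/blog/2014/10/16/gcc-undefined-behavior-sanitizer-ubsan
  UBSAN = yes;
  UBSAN_TRAP = whenAtLeast "5.7" yes;
  UBSAN_BOUNDS = whenAtLeast "5.7" yes;
  UBSAN_SANITIZE_ALL = whenOlder "6.9" yes;
  UBSAN_LOCAL_BOUNDS = option yes; # clang only
  CFI_CLANG = option yes; # clang only Control Flow Integrity since 6.1

  # Disable various dangerous settings
  ACPI_CUSTOM_METHOD = whenOlder "6.9" no; # Allows writing directly to physical memory
  PROC_KCORE = no; # Exposes kernel text image layout
  INET_DIAG = no; # Has been used for heap based attacks in the past

  # INET_DIAG=n causes the following options to not exist anymore, but since they are defined in common-config.nix,
  # make them optional
  INET_DIAG_DESTROY = option no;
  INET_RAW_DIAG = option no;
  INET_TCP_DIAG = option no;
  INET_UDP_DIAG = option no;
  INET_MPTCP_DIAG = option no;

  # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
  CC_STACKPROTECTOR_REGULAR = lib.mkForce (whenOlder "4.18" no);
  CC_STACKPROTECTOR_STRONG = whenOlder "4.18" yes;

  # CONFIG_DEVMEM=n causes these to not exist anymore.
  STRICT_DEVMEM = option no;
  IO_STRICT_DEVMEM = option no;

  # stricter IOMMU TLB invalidation
  IOMMU_DEFAULT_DMA_STRICT = option yes;
  IOMMU_DEFAULT_DMA_LAZY = option no;

  # not needed for less than a decade old glibc versions
  LEGACY_VSYSCALL_NONE = lib.mkIf stdenv.hostPlatform.isx86 yes;
}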