mirror of
https://github.com/ilyakooo0/nixpkgs.git
synced 2024-09-22 13:08:39 +03:00
linux_hardened: init
The rationale for this is to have a place to enable hardening features that are either too invasive or that may be speculative/yet proven to be worthwhile for general-purpose kernels.
This commit is contained in:
Joachim Fasting
parent
6a5a5728ee
commit
62f2a1c2be
54
pkgs/os-specific/linux/kernel/hardened-config.nix
Normal file
54
pkgs/os-specific/linux/kernel/hardened-config.nix
Normal file
@ -0,0 +1,54 @@
|
|||||||
|
# Based on recommendations from:
|
||||||
|
# http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project#Recommended_settings
|
||||||
|
# https://wiki.gentoo.org/wiki/Hardened/Hardened_Kernel_Project
|
||||||
|
#
|
||||||
|
# The base kernel is assumed to be at least 4.9 or whatever the toplevel
|
||||||
|
# linux_hardened package expression uses.
|
||||||
|
#
|
||||||
|
# Dangerous features that can be permanently (for the boot session) disabled at
|
||||||
|
# boot via sysctl or kernel cmdline are left enabled here, for improved
|
||||||
|
# flexibility.
|
||||||
|
|
||||||
|
{ stdenv }:
|
||||||
|
|
||||||
|
with stdenv.lib;
|
||||||
|
|
||||||
|
''
|
||||||
|
GCC_PLUGINS y # Enable gcc plugin options
|
||||||
|
|
||||||
|
DEBUG_KERNEL y
|
||||||
|
DEBUG_RODATA y # Make kernel text & rodata read-only
|
||||||
|
DEBUG_WX y # A one-time check for W+X mappings at boot; doesn't do anything beyond printing a warning
|
||||||
|
|
||||||
|
# Additional validation of commonly targetted structures
|
||||||
|
DEBUG_CREDENTIALS y
|
||||||
|
DEBUG_NOTIFIERS y
|
||||||
|
DEBUG_LIST y
|
||||||
|
|
||||||
|
HARDENED_USERCOPY y # Bounds check usercopy
|
||||||
|
|
||||||
|
# Wipe on free with page_poison=1
|
||||||
|
PAGE_POISONING y
|
||||||
|
PAGE_POISONING_NO_SANITY y
|
||||||
|
PAGE_POISONING_ZERO y
|
||||||
|
|
||||||
|
# Stricter /dev/mem
|
||||||
|
STRICT_DEVMEM y
|
||||||
|
IO_STRICT_DEVMEM y
|
||||||
|
|
||||||
|
# Disable various dangerous settings
|
||||||
|
ACPI_CUSTOM_METHOD n # Allows writing directly to physical memory
|
||||||
|
PROC_KCORE n # Exposes kernel text image layout
|
||||||
|
INET_DIAG n # Has been used for heap based attacks in the past
|
||||||
|
|
||||||
|
${optionalString (stdenv.system == "x86_64-linux") ''
|
||||||
|
DEFAULT_MMAP_MIN_ADDR 65536 # Prevent allocation of first 64K of memory
|
||||||
|
|
||||||
|
# Reduce attack surface by disabling various emulations
|
||||||
|
IA32_EMULATION n
|
||||||
|
X86_X32 n
|
||||||
|
|
||||||
|
VMAP_STACK y # Catch kernel stack overflows
|
||||||
|
''}
|
||||||
|
|
||||||
|
''
|
||||||
@ -11905,6 +11905,16 @@ with pkgs;
|
|||||||
# Build a kernel for Xen dom0
|
# Build a kernel for Xen dom0
|
||||||
linuxPackages_latest_xen_dom0 = recurseIntoAttrs (linuxPackagesFor (pkgs.linux_latest.override { features.xen_dom0=true; }));
|
linuxPackages_latest_xen_dom0 = recurseIntoAttrs (linuxPackagesFor (pkgs.linux_latest.override { features.xen_dom0=true; }));
|
||||||
|
|
||||||
|
# Hardened linux
|
||||||
|
linux_hardened = linux_4_9.override {
|
||||||
|
extraConfig = import ../os-specific/linux/kernel/hardened-config.nix {
|
||||||
|
inherit stdenv;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
linuxPackages_hardened =
|
||||||
|
recurseIntoAttrs (linuxPackagesFor linux_hardened);
|
||||||
|
|
||||||
# Grsecurity packages
|
# Grsecurity packages
|
||||||
|
|
||||||
linux_grsec_nixos = kernelPatches.grsecurity_testing;
|
linux_grsec_nixos = kernelPatches.grsecurity_testing;
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user