From 7d5352df311dec624fed63d6988f9ac999547769 Mon Sep 17 00:00:00 2001 From: Emily Date: Sun, 5 Apr 2020 05:24:02 +0100 Subject: [PATCH] linux_*_hardened: don't set X86_X32 As far as I can tell, this has never defaulted to on upstream, and our common kernel configuration doesn't turn it on, so the attack surface reduction here is somewhat homeopathic. --- pkgs/os-specific/linux/kernel/hardened-config.nix | 2 -- 1 file changed, 2 deletions(-) diff --git a/pkgs/os-specific/linux/kernel/hardened-config.nix b/pkgs/os-specific/linux/kernel/hardened-config.nix index 3010d87a178a..7e6f514e19f5 100644 --- a/pkgs/os-specific/linux/kernel/hardened-config.nix +++ b/pkgs/os-specific/linux/kernel/hardened-config.nix @@ -19,8 +19,6 @@ assert (versionAtLeast version "4.9"); optionalAttrs (stdenv.hostPlatform.platform.kernelArch == "x86_64") { DEFAULT_MMAP_MIN_ADDR = freeform "65536"; # Prevent allocation of first 64K of memory - # Reduce attack surface by disabling X32 - X86_X32 = no; # Note: this config depends on EXPERT y and so will not take effect, hence # it is left "optional" for now. MODIFY_LDT_SYSCALL = option no;