From 1801aad7b889e1acd3b2f41046852ae78f61a32d Mon Sep 17 00:00:00 2001
From: Joachim Fasting
Date: Sat, 5 Jan 2019 13:24:54 +0100
Subject: [PATCH] hardened-config: clarify MODIFY_LDT_SYSCALL

This likely never worked; MODIFY_LDT_SYSCALL depends on EXPERT; enabling EXPERT however seems to introduce quite a few changes that would need to be properly vetted. The version guard is unnecessary, however, as this config has been supported since 4.3.
---
 pkgs/os-specific/linux/kernel/hardened-config.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/pkgs/os-specific/linux/kernel/hardened-config.nix b/pkgs/os-specific/linux/kernel/hardened-config.nix
index 13db3873e62..6ae0108b3f0 100644
--- a/pkgs/os-specific/linux/kernel/hardened-config.nix
+++ b/pkgs/os-specific/linux/kernel/hardened-config.nix
@@ -28,9 +28,9 @@ ${optionalString (stdenv.hostPlatform.platform.kernelArch == "x86_64") ''
 # Reduce attack surface by disabling various emulations
 IA32_EMULATION n
 X86_X32 n
- ${optionalString (versionOlder version "4.17") ''
- MODIFY_LDT_SYSCALL? n
- ''}
+ # Note: this config depends on EXPERT y and so will not take effect, hence
+ # it is left "optional" for now.
+ MODIFY_LDT_SYSCALL? n
 VMAP_STACK y # Catch kernel stack overflows