From 10dd3f3de0b3868853e7077ff5ef6c13efc0fcc1 Mon Sep 17 00:00:00 2001
From: Emily
Date: Wed, 8 Apr 2020 21:02:25 +0100
Subject: [PATCH 01/30] graphene-hardened-malloc: enable on aarch64-linux

---
 pkgs/development/libraries/graphene-hardened-malloc/default.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkgs/development/libraries/graphene-hardened-malloc/default.nix b/pkgs/development/libraries/graphene-hardened-malloc/default.nix
index 0d2b02489ef..c60b0914492 100644
--- a/pkgs/development/libraries/graphene-hardened-malloc/default.nix
+++ b/pkgs/development/libraries/graphene-hardened-malloc/default.nix
@@ -52,6 +52,6 @@ stdenv.mkDerivation rec {
     '';
     license = licenses.mit;
     maintainers = with maintainers; [ ris ];
-    platforms = [ "x86_64-linux" ];
+    platforms = [ "x86_64-linux" "aarch64-linux" ];
   };
 }

From 3d01e802bd56c78965b784a3fbb4db0d424e2c64 Mon Sep 17 00:00:00 2001
From: Emily
Date: Sun, 5 Apr 2020 04:18:36 +0100
Subject: [PATCH 02/30] linux: explicitly enable SYSVIPC

The linux-hardened patch set removes this default, probably because of its original focus on Android kernel hardening.
---
 pkgs/os-specific/linux/kernel/common-config.nix | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/pkgs/os-specific/linux/kernel/common-config.nix b/pkgs/os-specific/linux/kernel/common-config.nix
index 2c8b8de65b3..1ed48baa924 100644
--- a/pkgs/os-specific/linux/kernel/common-config.nix
+++ b/pkgs/os-specific/linux/kernel/common-config.nix
@@ -607,6 +607,8 @@ let
     MODULE_COMPRESS_XZ = yes;
     KERNEL_XZ = yes;
 
+    SYSVIPC = yes; # System-V IPC
+
     UNIX = yes; # Unix domain sockets.
 
     MD = yes; # Device mapper (RAID, LVM, etc.)

From 0d4f35efd4f905b322cd232e9740ce18f04270a0 Mon Sep 17 00:00:00 2001
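Review bot: The added `SYSVIPC = yes` lives in common-config.nix, so it applies to every kernel built from that file, while the reason for it (the linux-hardened patch set drops the upstream default, per the commit message) is not carried into the file; the inline comment `# System-V IPC` only names the option. A later reader of the hardened profile will not see why a knob that the hardening patches deliberately turn off is re-enabled globally, and if the intent is limited to the hardened variants, hardened-config.nix would be the narrower place. Suggest `SYSVIPC = yes; # System-V IPC; set explicitly because the linux-hardened patch set removes the upstream default`.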
From: Emily
Date: Sat, 4 Apr 2020 22:47:13 +0100
Subject: [PATCH 03/30] linux_*_hardened: use linux-hardened patch set

This is an updated version of the former upstream, https://github.com/AndroidHardeningArchive/linux-hardened, and provides a minimal set of additional hardening patches on top of upstream.

The patch already incorporates many of our hardened profile defaults, and releases are timely (Linux 5.5.15 and 5.6.2 were released on 2020-04-02; linux-hardened patches for them came out on 2020-04-03 and 2020-04-04 respectively).
---
 pkgs/os-specific/linux/kernel/anthraxx.asc | 325 ++++++++++++++++++
 .../linux/kernel/hardened-patches.json | 27 ++
 pkgs/os-specific/linux/kernel/patches.nix | 17 +-
 .../linux/kernel/update-hardened.py | 200 +++++++++++
 pkgs/os-specific/linux/kernel/update.sh | 3 +
 pkgs/top-level/aliases.nix | 5 +
 pkgs/top-level/all-packages.nix | 8 +-
 7 files changed, 580 insertions(+), 5 deletions(-)
 create mode 100644 pkgs/os-specific/linux/kernel/anthraxx.asc
 create mode 100644 pkgs/os-specific/linux/kernel/hardened-patches.json
 create mode 100755 pkgs/os-specific/linux/kernel/update-hardened.py

diff --git a/pkgs/os-specific/linux/kernel/anthraxx.asc b/pkgs/os-specific/linux/kernel/anthraxx.asc
new file mode 100644
index 00000000000..101ccfbf0f2
--- /dev/null
+++ b/pkgs/os-specific/linux/kernel/anthraxx.asc
@@ -0,0 +1,325 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v2 + +mQINBE64OEUBEADPS1v+zoCdKA6zyfUtVIaBoIwMhCibqurXi30tVoC9LgM6W1ve +HwPFukWq7DAS0mZUPE3mSV63JFLaTy0bY/6GO1D4wLdWZx4ppH7XKNCvKCbsi70k +UozFykNVf+83WEskuF1oYzXlF3aB5suz2IWJl7ey1EXgIpehwQaTJUA5JIWYFp9A +566LRNJefYMzUR33xc4dRKj6Etg0xdLVq7/vZoo8HpLCBGNWiP0AKqFWEwTg0xQL +7nsJA5tfJJdwAJvrzjpFsvb63PKG6waAtdHhON4q7E2Udak9fz2tRjxA5l9l2zXk +aqsysUzkxPhNjwMENoQ04KZg4aT+ZhhBzTowSWLp3KV2uaZ66kdPUO3s+/1bPp5/ +N/IlykaUwyL773iYOZ5dOY/9hIuX/zssihcrGEMW6yIyZR5uKhzYdaM9ExTXP637 +UccgNS9/pskPGPx/xK23NDCfeHzL9YHS5KokA2wb/b9hqpwvLaeblbMl2pt79F1R +ac+rZlrRyX3NvlTQP4hqM9Ei2YBAU7QFDJEjH8pVIceL7grxi1Ju1iD5QiSK+je5 +Jj5EAikfwSeAttSzsqNvaXJHfABrv5mkkVt1z3icP3HIHTYnG+uj+t8kvW+o9/1i +pD6e6LUh4w5v1aY9kaK/M3+eBH59yNYI99crPUKUBVfW4gv4DBUJAQTWRQARAQAB +tDVMZXZlbnRlIFBvbHlhayAoYW50aHJheHgpIDxsZXZlbnRlQGxldmVudGVwb2x5 +YWsubmV0PokCQQQTAQIAKwIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4ACGQEF +AlSXU9QFCQfATw8ACgkQ/BtUfI2BcsjPbxAAs+UR/bJz/HeYTpPy+HnKwDJgI9GP +AZlNvp+QSIhOTtKCYkQ/Iu+5scY5J0Qyv0pcJW5Rxjx+l7KGovw84jzVznnYsJoy +UQ5H3Ev9T2xW1nrZT3abJ7j6ZIck+Q+WFHu5Plsq6doSXOXmJNoehvT3BVolvc6w +S1+CAoyA5Wm1yfocZgVOvWPWQaa1T4XA7OwxFWrvNWEZwAzTSjkGHkwmji+DxdBd +RPam9+qm/rcN1IJTu6xJPr38a9LydWonsUpTR2Qn7Bo4EJp8yHJLaiLEMV/Nmgrr +1orBYw/OzDzhbdMl+2zzwEBLUMPABdgnPM6ZCZ5PWyWnCU4jsBGyVd0IC5xEu3Eg +a0EtIdvx2lXiLfh2dulpMn52uJY5iNwaTleO+z9CENQVhh5R4FuN9H0BLiyAxf1+ +MkD3jLT+DGl02hQghtxz18iTkRk7KOw/NFn4z0is+TRl4/ocNt1LiWQXt8dr7qdx +zvUpDnxCSYZkeutzopo1TA4lKpnsS2mHabx6CbrUmF+wOIr8gHUfpBFeEQ8BHebU +5X0JrFF5mjeNl4uK9l9lD9ng74rsSpKPr15DU41jIuQDHJYd6H3TXQ4K1z7Ciivy +r4vgsruAFX/GduKseOx1obWW3GfIQzLAIuVdjldgREl61GWoLiGFqlcveiAIkN5p +Bxc20hSrHgZP9ZyIRgQQEQIABgUCTrg/KAAKCRC+dA9BPyK7GTK7AKC8Sd1ndNvc +1ispBaECbHT/JPfGrQCgvkfGBsFn/KBrgC5hTm0mSxdy942JAkEEEwECACsCGwMF +CQIchwAGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheABQJOuD2qAhkBAAoJEPwbVHyN +gXLIXL4QAJtbs62EpOIFld0N+tTEFn1qQPPaExAXmH/RF5Epf+0rSS6B0OXEZBXz +cWtMPbHxoLjN1iY8o0QC1ex7/KDfYq8Ho18M9P+Lf6XfW0sJ9d021U5MJWGPs4zA 
+lNFXJqeMgfJZAno2N6dO/azcYHq1wmSgUbTb9Oyi1PHfn3g0UAW59dfkB8d2jEvY +Yed1X0mBPPXcbgnYNZ514JQtm9wuDdVWrh/Si9EhKg6+MPcbv18G4lpPGR+yNq9y +3Jze4vmmWen0ceDJEp06IAeTfJzzD80Oui2WXtLfaQxgf9uuZtGjrMX5l+mq7rBS +VH/dsHP1VYI0efKIs7qbmiLcMRVWYIGix9I1C3UYr3ImYiCGlBG/uQ929xbjWAHa +hy4W6rzruUWjyi/Kz7QRnyBgtHfhDO7hYziTr5hoGhd4VeUpcbxL+MegXFZsWJlE +kz8TOOsZ/4XxXHVoalg8fYOcA7j/aoszsPMQUOL/5jsVRhyP3evtVxb3m1EwvYDK +Lii4IkVxGztlBOIgeT4kwXgoJEASSZHgcd6tDv9q7o33n2I1DGL8X3axcHES2/C7 +cP+li3KL3Hc9vjgaJ9HfcQLuMcHqfoHn+YzVfbG5XeFcxhgQpwpYsZv3MTbXAQwI +fRHXRuIfOiFwqUXahi5N1WSIXNBGSyI7pu9ht5I7gIIOINE+VS7FiQJBBBMBAgAr +AhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAIZAQUCUNol8QUJA/yTqwAKCRD8 +G1R8jYFyyIqUD/9yWw7WBQiWyIMpVuX9c2Ov1fAkDya43fDm0gqIgNsdaxCt5ATh +XaXZ/p2jglWwon5jDLDNsVR0/Q/t8ugdcP3bcwRtW2YYQ2F1PaNjfr5WsuPEadyc +J62DIobY4IzqBpDuqGLYdbzZeKr49VwbRRvIJpphrk3+CekFvdIs1ofEpA2Kn2oA +DXfYuaWoVBF7fTwAZmc3hYPOI1jK7nrFZbCnAT4WZPzZ4IY9lsaNTF/4mQ8vV1xF +De6HjfslHURlZWsWtQIKhIPBKoZC1nP5VRK3IHYgKw8toq780kalLH8ofv9BkSrs +t98JOoJX4etdmE8Ta/+Wg5C9EzR+909tQfdWdkaRbhvbtl/x7X76HU4ItefLR5pW +d0OSo488QZMQjCUWlzgPMsmnYMQm6ckNOp0B/RtMfbJV7t5H+JE3PLfFG55jcz3w +uNGhfZyl/ZhV9fvGLU/sPyhIW7ewuIwd+7i12fH9r4NAGB/mkSKK+tHGcTZvXxux +5QMKE+a9u6NMJRrbsIiTFwhrCLMgzLYL0mtX8FZXNFFZzGFYkiXymBR0ze4LKzRo +dMFpyP/w/IIjYBhVpgboT2EMMIgJHSsMJDCdDjI+9cAykVF6ccSiUQ11devHL6Pv +WwlT2Ub4TP4yCScHDPyfWq+tfdQlWFVRZMRJ7kmq0VagqomdRHgLPyPgDYkCHAQQ +AQIABgUCUtgrXgAKCRBH1QFsQv98LACcEACFq3Oz8nHAa6KsyspIWo0+HjzCtTv0 +G6TB+svf3fl24C93IfFhpSyxNf8XVa9h9kCU5ZImYN+LaoUGiz3lcYxjdOeFYDc4 +GU5TFrJwY9eOYYCsr+z+NLn7wlLZEO772lGUDPJMWxSGqR9yOGhQCTIADLLcp6mt +07zdejESYxMT6IjYR+rX6miWG5Hr9/lBdh/X4XhGpHEY64IL8vVB3C+FQfG3hiMB +bHbvJ4/S/cjfNM1T9oKiA0H6jklRHIdstj+2eeWA7lS+GE3Mpkra+8KmkEjV4O03 +izcRpMm1yTGoTjp9UddTNYErb/sha5YigYAqK8bj3gh6tTFNJHbN4RWgtPDyc5Va +1u+sH2ob6JS5tez8/Z6pMarGpTQujIGAlntP4igi0Q4hxyLof6Vtc6XF80uSwTvN +RRmQrcq+kLPwX0NbyZCBCI+kjBPu2b932JDTfVBKwJCLF3e1zvQqN0C7EZnIzveX +r7VtJ4WHIfSyi/HQP7xm5L0uQj+KRr+/LMaxkCDgrlqoWTgAoxCAPYH1XCvBoJRc 
+DHjNikyEAS8WUGl9ZHQyAoFngi/jqH6WoDAmfBUKRoBMR2hXLOKUBmObw0DHgauM +kk4kD6CW4UEy0SM/i9JD7sk9KiKoHMip1jguKRJkHJ1WSkNl7nZpeo+KG0WbGHXN +b7hnrQsNyqJkUokCQQQTAQIAKwIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AC +GQEFAlLV0QIFCQXdHmsACgkQ/BtUfI2Bcsj8DA//b8wZrFY/Fj/iR5ZaO0AjmMV1 +hM7lAFWLfDiLyYofuiGLUg9rqFWj+Ks2kedVN7+22Bjgi5fvpXv3Uy4trZKKw8Xs +FJ/s8HQ6jzIv6pFdIYPLFQBqS2tEgfsanPZWIqJI9fbhOrRGN7WV5tXiksCaRO+u +rLjIhAYmsDb//BD2xqsY54ouRdrz5nRG3qG2odq2Lw8XquW6srouGaSm+BI3sow6 +l2eAW8UjbxwICQg2ZPZYCBc9ArbgLS1ha+yPhp65nGpVbqDA8rUKC11op1ArAbY3 +Yt6xzLg+RCuCHBa1gNPpDoYV9V8Zve03mEIcsK10X0RhJQ+z4INvrjtelPRCOLpN +179JmsyxwOzwAPg773SK1Z31jSirsiEke/q8j13PGNDBCb4ZKpm/KOht+4d0jJLK +GLqD85cv3/uAeSh2zWkoKcVW6uVZpiz3KA3i4YMWnteOlrlZH28nIrDXevPzkOxo +pZlhuLboCD6g6yuZI4Wm9fEiga8xmRDw4RrOIuDXWjNW6IVaeFGvnYaNf0wnmBD+ +FE1SMWwcmqgB1yIylmKqH0lYce8SVAMLkkOlaijhWrfCO5iS7zjWaVz98HCqFfwR +gHuJTxOwwlf9Qb6cyC3bGsfILBUuE0L5vUAZUAc61H+6Sv88CDDUO1EOKaqAAYhR +plvoyYZ3xiSMgzYKGZ+0OkxldmVudGUgUG9seWFrIChKYWJiZXIvWE1QUCBvbmx5 +KSA8YW50aHJheHhAamFiYmVyLmNjYy5kZT6JAj4EEwECACgCGwMGCwkIBwMCBhUI +AgkKCwQWAgMBAh4BAheABQJUl1PaBQkHwE8PAAoJEPwbVHyNgXLIQokQAKxJB9/F +TfBae6eqcT+izxGSnsvbc2bcrtsmKkhu9HwpsJ4IDutphXFB0wFalI40BL0o1k54 +Wlfv5GHbq7Ju3kW2dmTMP0WpfFytV7rr2yqSmik+skJw27BDk74rP0v4TNOHaTrP +nokfTnlaKuv1bqlwbIwV7rJ5jbAtw5hueeN4jghGU8SGlCOEZ/xGxYYsvtyPhZhn +kmsAzcPr/BpW4NkSb2SnRIO8KzcPnzxz7JDdeIusq/YW7P5OlhDx4ejdh0Wg6ISl +zxB5VoqFqNuKTBQNz4HHpqDVQqEDE4JngMerDr+4qAiDYI4w6kN3Ce2LqciRyMVh +YYnTqyyjXYY3C1WwXIa1tZb2Cw2DorshNFdACr7wKQMOoJtAFpdd3d/DRKQWCc3x +jkBERqZ+55unTY0/0uyNPoK0noAcGydiU8WGh6wyi+Do+Zxq4QJEcqL/FHrhlaiw +LTmgDS+XDl7zRtQia7ykpi/xqe74ujOHcJO8tpY0ZCdR2A13xiOi+11wndbOkBFv +dQ0vgih9ROzwe3hBbBQQOdF4hkA9vEd2Ks4gF8IR+5ixWAIyZAVbnDiLelWgQgnE +aeEwTtfcXRNAxuj+MgMPQhXQ2/cK0dPD4z51DchVRIf9G3hAuBT/CEhTqNkkm5F0 +og7azwd75+vh5RxwVld3ES6CMXKaiV4csQkdiEYEEBECAAYFAk64PygACgkQvnQP +QT8iuxlligCeNgfNE4w1AQuOC4ef3HNNY0GXgVMAnjmtCVIUJv/w6PDimvf20rgF +GVHxiQI+BBMBAgAoBQJOuD0KAhsDBQkCHIcABgsJCAcDAgYVCAIJCgsEFgIDAQIe 
+AQIXgAAKCRD8G1R8jYFyyPv3D/wJ+sYXqSxoo8OriGMUzG5LXs2Hf1YULdlysGa8 +mxWTwCIEMSSx8AoOKf/FyXglDVl9msfOgv6jRiN+UyNCQEv+6a5ZCL7BlAVU0Q4W +w2/UUlOUlLMC1QAodGcC3kiPSy41jnDVswKYRrICuiW1Pqgad3h7u7caqvqG1D/A +YOR2Q8JjY15j6Qf62Xx+YANx2tPWKeDyPUAN/x1W6RrEDbN5F+1qOpPFuTnpPmqH +q4zxm4Dz4szypmAKsN+5/q8T6DJtSnP7COtsY467oX2XtNTTuCIsU79lBVo/yan9 +ofB6hu12KyXwJIl1OK34g9VEP5suU3hcEw7uVAvxyMYJQlxORUCG0DAFc/oPm3d0 +ypRdbxXJMjoS3pmCf7kwnEA9PIAjZDYuVHGZkAdmYYInTIH6ipjkVxDHEF1en0h2 +zHJEZC7NIYgPyzHXmH7Xy3VZVhhKKKM12VDOuIOOecQPuFIw3hG7dymjn5e9dMzv ++DMkbEZzoFahLYkbVGG1FGzhE6Uvb/IG0UJCC4nDz0pzZpV++QHvgEvbY/HLbHJ4 +o3CT5aVE0YIhTP+zqXNFMOao8yZy+AzdMzdX+Y3ADZfY0oiZ+JH1Zo++rdrgXUhg +Y98QgMwVwESbwaBKjsC0JnlmWyNivhIOS6NRyqR75E7j7JSvgJdxhvpQXXkQ/BzL +FM1Ej4kCPgQTAQIAKAIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AFAlDaJfoF +CQP8k6sACgkQ/BtUfI2BcsiEahAArZfD1yJK385eqgCZ5LryVLRXrocuF1zlHl/6 +ugRy2TEe43ex4eTOY+mv4ZJVSxbDzUqMbBv0m3IETbM0CSESjGD+i5I7K3IToZO9 +ZgIXDbpoy9x2KWjU+R5oaxCTmZ9jk1p+f4zHxc8lJdgOXPwcIIT5Euwk4LAFN+wn +CUHkO/D0xzP2ivTrM+VHNWqSUcNInAGRx+R0NvdSryIAsdA/5E3ql786WQhPy6L6 +1d7cmxaLsfAKIOf8ydNyoiqmJkT62omLLnqyERfLZRa9RKt5EgnxX6kR2BA+h/Gn +KVV18bCIJjF3Gjnh3qjJehKRaw9nmzrB9KtGQAHdIp8ivNvjMitc1ijRIECfidWd +lGxgmuI/gX58eaV3scjbs5YUFmGhcZIgjCxWWxFSwmzJTUVT5XqBpXFQB4dokj9m +NNMpM3YH8T9QaaS/m9j7cmCJ4gxp7i1bJsqsVG5BjRLiZv701eVKVmU6vqhubR0R +eSZghqho9e44ZMbn4rJ5kTQhGc7ZGNsIyChMSaYVreB8IBLDC7rg8dB/umg1OYOp +8EqRLJyXdtpa4DN3X0e4WcWb0Toj4QuyCh/es1CtBldhdqHr0aLZYCX4i/KuGTXI +kA8LTOJmZsE+K+/NCux1VHK9DADKcNjhSV0QTf+8ntGlNW6i2Mlt34thZK5eeB6W +Bbo1zl6JAhwEEAECAAYFAlLYK14ACgkQR9UBbEL/fCyyQBAA0931q8dBD/6COmat +8S+JSgcuIpylukFxU2vySBWSGRHFmFzwbokUE4bbNyutwNO2cNBa9zcxRPrkIg+7 +d65QjdZNDV2zWTjv5GwzEMjWxhP7VpTwTouYgx9j2d2KpFo2jfhTtZ7OU7DDF9YT +FsaRiZHHZT+W/JHuB9Lxc55HkSagu00yTaZURc0olBui5c/hqBte1b3OWTjCmysG +mwDL2FwdmFi9mbEm77sdD8PSVfkZaBv5rIaet+Xe/JMZoz0WUkZRCFXMr6B7aOdS +WeB7kUsPh2J5dhf4x4YaxKLOHod9JQF/DGJsdexKqMTqM/xOMSQ1FTUMCQ5SBWJc +3PywqMB/0eqlteHydlk7bb9HLCT3M6vVxTkpj834wGRsoVXPqWKzAHPpO2kjxXtc 
+4DBh7T88YGE2k5rxdJHb3MjWVJQzHGhrO5Ji8CQaHjUJ4BTyim++RDisDi4C/QJ4 +qPOrafw/+KyJoWyfmAUpxplPvY/LKJlvKaKxmpwlildYjH7HjoYvCjagbSCUOnzo +uM//YIJ8/o8QdxEDdYiTd7cwskYWphrAlV8+vCl/Y0lepRf+hsUS+uZi/NX4qYMx +CTsewnnqJQduuehQl9/RnoBX9T04kS64cWNaPZ4dxZUYJm3us5QFcQJMysZ4tT1Y +A0oEUX1KUTDzTQXT/kFi8MtmXauJAj4EEwECACgCGwMGCwkIBwMCBhUIAgkKCwQW +AgMBAh4BAheABQJS1dELBQkF3R5rAAoJEPwbVHyNgXLIV98P/jcu/DiP/muH2Qsy +FtjscyLu1NzBbSFB9q1jMVfx3VbaIT22Ly6BIQNHF7L2fpjf36EWpdJzpfR+Glp5 +1+KqZgIMAW5CGguSy8v7iHs6Rh5hzChiF48wCqxUmMdQ0ITTrnAXIYq6H6s8ytKF +Y31znXmne1XYBg8e4yb3pcBhkzIPeVU7rMz9PjPB0+Q2jWCpqPA4eUSV8rL2TxFR +KbEt8XlkZ6yuCLnkN84aLZFxfZA1tIGifi0PpeaO2z/IwOmftbQRiljMdnsPye49 +j4wlJS7yRIpnH3nH9Zku/MrDV/M0z7BVwKfF2F95/2QX4Tdyd/UESTdLqGtXpX4c +axahZKrOhNr+k60qSBxoBqKauZkSbZunRnbYmVa3nA2kQuIPF9/QmoZgDUfdkKZJ +u1RjwcRUGKd1XV19QjUvBMD3oHA4G6Jbi5vWKQZ40KVcL78YIL7C8dUOiPIasA45 +olaGpCSsGsfrMp5ngegxM+uh9Tc2kTFC9bTqp17VYI96cAqGrEBUQrmLmZLk0HUm +a6MNZO/+vKN4UTlgjpjxZon+/yK8bsmT/VNie5hzqZim6tfztl3rpJ9jPUeLgr5x +oGePYV02inapzNHdWFHk0L9zR/3KKfJ3IRJwUXp00Eya28hEepIvdxgLYcN1UqVn +VuFuMY8zYSl/VXtPxySCLENJHxvdtClMZXZlbnRlIFBvbHlhayA8bGV2ZW50ZUBs +ZXZlbnRlcG9seWFrLmRlPokCPgQTAQIAKAIbAwYLCQgHAwIGFQgCCQoLBBYCAwEC +HgECF4AFAlSXU9oFCQfATw8ACgkQ/BtUfI2BcsiPxw//X2xUctIrd1O7UOk7LHBX +/xI7xXoWQcA7l/1XMuZhM8yC8yIoAgvFrWBP1a29I0P3/yigkQXs+eTDTdvb0QP2 +q72q7Azt852v5u8+dHzoOXDpbo+4lfX+0OBDWimwJuChD8LQH7b7jO0oqWIV0AzM +vegFJVp3cDbyqw08lBz3xZ79A9JtBeewf6PLpXKjEVS8bEAZjZKjsjAY+5ShtJAf +PsD8r353dmkaHgC5Aji74ijZeY3PUCvGVVCGeN9isLnRpTEn7qUvN2DfHJU4w6aw +sXu7m7zidISo6dQLUzo54dHKWPGFy6INNkzXPOgrlbYnjt7v0Ou21/R6HrhdmsSw +lt7GALJcgAUxrcT/ljB3SZhSB0BdH0DXPcUziEdfhgMhhrXYpMjwH2XFBD1MLusW +GaVDbpPrSoEnmPVePcDUonDHePcuLjfOl13mOER1Kf6WFapOCa+4HCLakfKcPnGY +eyfD7Dbz3/046MmfQ8/Iyf8ipFXN6tI2WkRKj8uq9IFYrX3yoCBxZJN837DM3Grq +h48/T3pYU1f9LiekxbsgXmcHoGNdXX5+EsuO+QILZPttlG5QLuqFdJHei77uvW+B +4u8mgzi1Zhh0hRLm4K6UaJ/fBJ87BZSHShPKI9PI073U1O/CcYXnb8cdPLu3UgSQ +FM/bxT70TSYKI01Dt4KXRfWIRgQQEQIABgUCTrg/KAAKCRC+dA9BPyK7GT9FAJ47 
+X5+0dQaOFkfy3WnMgX3AmIXJYQCfR4XL47rZ9a66jWaD0IbcXMK4oE2JAj4EEwEC +ACgFAk64PJ4CGwMFCQIchwAGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEPwb +VHyNgXLI2U8QAJGKPv1gWLn7P1KeHVsKkfRf+zgdsoY4mF3bUjX/03z1h1OKp+S7 +gZD/ZI80ckw/ElgFt9sr8J+pOgHk+aGHW+V0cZNgDHXCINb17s+Ra7SA/SWeJOrr +d4IpvTnjGc88C/j+bzRFagfnGXU601PeJdXIe6H75xVGIb0DgQBfPB9m+7p3sq/R +6UigzLwwhIQRW/l77hq79v5Rm77e0GTfcYHSuKu2Itim8p5OYCNchr4ZpBzrv5cF +/nH+HyD0AnM1q4a3mT9y4abNgtxJMGJBoIUEDT5vaTRpPowVHIGg9QroHkrYkMWA +ffIBzoq38WLnPjvjNtTncyP7sjbP8KS7NfjxZ6RAcNO6m6BTDYG/lM9jwCcOma90 +RZDVYD8hy+z1hXWFfB7zB+5TYuuKV5SXZpS9/JUR1BuI44WkY0hLHUa7inpqLlqc +b9O7KYikgyaeUKAN5LkF8A7rMVzuhrSItNzJVOs7WLnNAe9+Frzqx/jZ9aU04avS +r5OlWLdL7k9JNDnsLFqNtG/XQ7Hc8CPl0HvY3YXYGD3xwW6Ua6+ykxZGmQGPB68W +6a7G5EX+MEWKZgMQYsl1HgU49/sOD6QnCG3m2IB7bRAf5Kd527BnSgAaYHjVug8G ++X9opDwUW1b73Ut5tWfZJqQ4XBjl0Hc7Zi7OtlqdBeKGu/65QU+N9x33iQI+BBMB +AgAoAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAUCUNol+gUJA/yTqwAKCRD8 +G1R8jYFyyPv+D/9lA9yMXPBROLaCRab8Ca2QJBEtpT6lGVlkQ5Am2C8xdoLGiuJF +E7Cn/lS1j4RSVDK6DELeaBMXaY2g1eun8g2ERJIUGC98zrPjZXs/ZtCZtX8vYr1X +Bf9U8Ty6N3rKgt1XHc1oMgzkKLUc72RC+P/fkDsiAg62nVcmOFFykyTXnpM/5Ux/ +9kaahjf4LwGeRqkDIoLrXdZ7FHPjei8VlKSiHTkl4F+UCzEySxiInV+BWAhL5Lvb +zHxHaNDCquOb2zbgafVKON3oa8nCZoUw3iwpjrEy/JT+1BG6vxyT/LX7wPG3SKEw +8QTl8YBF8wvHS0JHW4KTc4grCMNWDwfkrlXnp6ZzTpy4JXZfYs/ltR4FH3atDG2C +xRCSAWXkGyTPMZkougdDbJ3jjViYcWO6B//LE1qDjeC05O9G3MXVxu16M5U8nVA2 +B3bo5cVv7+ECBTKaAvG3ZV6eOaeJ63gHRY8qI7y5OgzuNfxUXMTIAjHfO2mvSy5M +qFgDI10F8rYevGOKxvPVE1F8aiD1uRAOMCcLTy3oUKHIdaskSytL1D/bT9WqWzii +OXhLhSjMzkdPSUWVABeC6KM+Jcll0A0sHTkKWS3mavx3dUacB+O4efuTKNhSvo7n +XhUvSOOikRityipE5Ma5WlXBiu54DdIMGFzANHFdb5GmC7da9F1aALkshokCHAQQ +AQIABgUCUtgrXgAKCRBH1QFsQv98LMmaD/9W2qJyFlZAsjOWgNQPwUU4vV9/Ursj +kt4RI/oS0Gzovw2bmL0a+Q/dp6wM4PBMuYQXCepF8V+o4uKzL2OjVZDVtU/KqGCY +rEigiAhG0gHxgF1ukc9JQzhShFeq7/wkY+FQ4MOhuhuUsSMlvFzAd1hY+xlvckol +DEeS54loDspUh4EwxsWlopaA1rs5dzVXrYcinz9iDzLj6ujb6uJzCQVogk9w3dv8 +smKn81TVhtR4RFecqL9mURZcGnj7NV3n2Lrl2Pe0u/DiTtpavCkzVx7v9qiB/2Di 
+dqWR7OtYcywUr6lZeZsNabNwntPxSP7V6EcNXF3Qpi2IkAcwdJKb+aIG1v7/Wx77 +GhpBhbtdgKEebttzO4EVVeE8a2kmgqc8VXeAeqI89egU53dUdAinejFVDyemxHnJ +L4L6uVnSxbk/vRzu+fr6EaPyBsqORGXj2OuwxlWcnWs/N9XzNaiq6funedUSYtbP +trdpt7ogvzrQew7wetcwfxSB3IWcVwA9QvGDIBHTWPrb87jKV153w9I+cSfz9jg8 +qTIOw4qad7VOC4L1oaoRsLq6VFgnoW5DLsuhaVd6fgdY/byL6H5q2FPYJ+F8ovhR +2yPlQm8UYIFwmnwzpnuGBaPtU0bP7C+SNMK+G/9+b5q4psh1MnK8sg1RfSr1w7sw +b+Tur045QrUDu4kCPgQTAQIAKAIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AF +AlLV0QsFCQXdHmsACgkQ/BtUfI2BcsitRA/7BbFuuAXPJMA4XtPhlYbfhNkYQ7+v +vx9HIZ1SgJfhpYwt/vbNTVclO79XD65v5JSWx+0gVJfHNolP5umB0++giIw9NCIx +uVa5eh3kS5NFfJ0YHrYgpFDdZPHRA9wI+oZgJBC/Cm40kafgTUoPFqXb0Sdlcz3R +hciLZBgYXV/uYubczfmAaJpmrVI1UuUWYrdPnmUkgitp9e6IePYiKVDeIGhBW8Bc +7Nbs2hc9yH1zwv3Affs8m+4tQQiwQHsB29WEZcmBuFllTbA5g5bvTvhfCRmYVgWC +Ti4SW+uA0B05a/aVP8fDXk82qCQ4cRB1BOwVNn+1/Aqcw+Zh8KKzH8gpPcsKGGP6 +uNg9uinuxYDneEY8cG7FSpm3XsXu4q4N6j5R63U6hz39pY/5Ib8mzYMEoLEZOLPu +CkVH9OOQc8zuiRL/wGc0pbMiGPEp13rAI0WbIFahrWS60bwtM1YEM5Ep8vD3TLl1 +pTWlF/zWpM/uJ6n/4nDXGQsGzKQn5D5Nsu7+55C0du0d1VRvYd8oG3AaNqhtM46V +C4eOqxH8XZtkJ3WMxhsHnV9acuDTpn5E5JKL7vEq0btN2UQ69lpKv7PmV/TgOJhf +KKvHZ0dh6KYY7iKW7NUCouLGibBoxDa+K4reh0i0M5UcsNiPkCqDIHUAIxW6FrvQ +xBr7NgCls+B9Kwu0JExldmVudGUgUG9seWFrIDxaM3IwLjB4MDBAZ21haWwuY29t +PokCPgQTAQIAKAIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AFAlSXU9oFCQfA +Tw8ACgkQ/BtUfI2Bcsg4cw/5Af5/cxr5s8qiPvcGDglJyzFj8VBk0d7hpgdxcOi3 +VCOJY4YRoliu8WKThwxt7sD03fSZurFDDx+X27y3zPtgH/qBohmcr51jbSNom4mH +Gf8gpViFqbQlFh7tYz4kSQExgmpFx/FIaxmwFoEqiVrp6VpM2DZ6kg//4M+Ka2Mt +nuzV3C631A0eoMCJhPWPTgkGGknURvzhw6m2aGFWC/HE1yzf7Ej7fQeaqIxIG4Wy +Fk3lMV9rxMxGuUZTqIhvcU85JSriHowfX1VsAI2LXJYQ9c0jI737FcLwHv8VCa5s +NKDkLkb5S83/4Ep8e9M+a7u4WvkAqzmPfSna7bLxdsTS5gKGqEtMvMP2YGWWQxSR +GRSttiMmIC8Cnd45S8cASA2mR/ebNcrYOpa48cjYpBKDG2BIYU7oSLNulsM1qbxL +WJ0QM/g7iKHcrXhyIBaI22GS9hvmYcS960cox9oPCvNZcOKA6FBklnUg/ReJ3JTj +6D6v9SUxOOfXPQIon8EzB7BNKGedHxCFgniZnl10k+pP34YGyphMZTYGdhtAm6zq +T7PlraHQaFgQ3ba78lJcn3cWVZYpbCNJiH+Nna/Akm3/qQKTst3eW1lqopffCs1m 
+F6G6wjiHCw2bio5uX1c/gDr4Peh0E28heAqKopjultPXPZbSZL4D3fJIGP2j6e1B +wvmIRgQQEQIABgUCTrg/KAAKCRC+dA9BPyK7GcYrAKCgKW+qFwbMNeh4ikFg9fJx +4/lH9wCdGevT7dwBzPe6L+aWZxipEXYmjx6JAj4EEwECACgFAk64PN0CGwMFCQIc +hwAGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEPwbVHyNgXLIThYP/AnoLpQl +whEEKaIhOSOKXegfdUHK6cL4cHRACzRIbBk/S4G2Vg/bnUW8tvWZDQLZ3CGL8Z0F +tNQ6GusUxt7mcYdSj7xynbi7bZiurgYp7B7hh1hVG3pAXEwlDnJgfoc0YZHrHZwt +HnNVYOfGEQF4zyplmUUxDyp/ZMYcXMr3PVJkYBJhYKCHOkMUtzzNjSSginaqZY1p +fgbP+Gou/9qgotkYiH84oUG9yTSKLIO5x0WzQYuoPNJyOdSHaLPfEqCC435vCYT5 +YLZB1YI5xzQiGsAL//cUCe267oiFmO9Ioky/azeX1Ouy2DH8uEDQPQFTJYXt3CbL +i10HkoBWdmncPC6+b0IJjDUo8Iv4yk0xFt2/DGkGK3h6jJxJ9pzx5KBT46iLfU50 +iTWMTguXn9ud/UJV0MpKgKjvO9hB4fae60n2UootknzEw6Y5W55PfGkT14WcrGGo +WHLSbpR6+gA9apU1cdoOC8nXlf3Eb2No6LP3X7RJXqiRsdP0s6QXkZGfR/qyNXI9 +S5j6wIyqNFU0cX21UgI9oJSKEKIKEFacgyD9za0gswEI+DZr8/p3cJE89ZX8ySgO +FG148wgaakTNGyGwR6aogGZ8IAHc83bnwGCgTeK6ZPSKNLSE/sImcTOrxIN1/x39 +r8o0TxuZjqFH+zKWfpdHX+sJLyi8Gs29CsUhiQI+BBMBAgAoAhsDBgsJCAcDAgYV +CAIJCgsEFgIDAQIeAQIXgAUCUNol+gUJA/yTqwAKCRD8G1R8jYFyyLl/EACG6QRV +kKVBoI2Ycr4UISk2+gCD2r4xSK/QLEhDFcZRgMctvPVnhod3uJOsMGJCk3aPGu91 +Jtwuj0CkeURa/cVzOjC+f7baveTuWQaAqW+r70m6F4gYHU0aDD/uQ75rTCcrsmt2 +pnZCyA9jLJxQGG11AvbOcV+7K7BuIvXs4iAactZ0hRvDVuGXuup2LnUbxyBU2oj7 +OWCXKTpZcJ0KGTWapMf8ClYYsEgS0wvMWotJzAov7ijkoP2DyEQVOPTnGWcfjsTk +QgbyqiFeBl+3IT4+xSzkPsd75dCYhsHBvCoT8cfUH4wvDXzU2CwpC1CDfHit6Hw5 +UigvZ8HXyn00Bm0UjLHGW+haS3kyOoz+z09gVFYd33cpjSnFr5is8ZMBPW31PE15 +q9/l6G/o6OGJCtOax3Yi6ttqn+KbDXIooZoRPZlayOSghyjoD40+ErevmqZPfJ3E +o1kHz62B1YpoXmhUm2Ihf2SbjWJRaW9Hp2nd81kAAXjr+8k4yvOuHxwYPFnpBjfV +cfYNQ3Zf5xF4nfszFuZMc5JYrIR3EYVgEk+n8VpulAqd0rXUEODwGy7rPjdxLY7w +DhUEZMQN3xweIb4vjPDBb0Ax3ACyfWKIdT0kC3rGOy9xyCzxWO2CjHMjrbxy4jL7 +B0WIQ5fpRcV2+wozs2WYgJKVKJgJZGYsW8dDLYkCHAQQAQIABgUCUtgrXgAKCRBH +1QFsQv98LIX0EADVefJUEMGKiTFLwUmWNF2X4oCzEZEMsQ6NliiQFvtNkKrT+OzZ +zggxfINUr0XEKgjjoGZ03Hmm7xAFc1Y51QZEr25H18PuSixz2YSHPqYwwVgLUh0v +u2AqaP0mQckssK+ZAQVvoZ7ZOI22ZXIZ6CPEPY6aJawHov8Strlm8oTbFgLfZ5Wo 
+3NCxMkkq3NFNHuwesccelNPefgnFZWhwr1mkUeX+rCAbQF/QHYEAi7KjfKyY+XKs +ccjYS+RWxpte21ejngp7pRYli3M8cZoaWKCzLTrD8gKztlo3op9Zc2+hjOY9gZtG +CaXkN8lchJ1yMyWju61ZO++AJq6S2OdBVxgsj9xPm+x91RbZRHQmUuq8mefUzaEm +NHE29udVFfuV//Fpabi04IrOuabkrSvP27eX9FT1y25tKFHuJdL5fDUFGnNnTvcR +X51lJmvnuIKJQ+Lthup7npS0L06+dPIDoqyxF8hmdu3RtwEsvkboPaxx5XTB5d8y +3wzBFWd4ePwBIumrY1YHSzdJCvyyLRXZbSOsHXgZfhfQ1LVgxxebP7E+stWqGLLC +Fry0WGG8f/UUgVr1QpluT6NjioUnuI/ZmKR/aKewqVYWAnr54fF+np4VdxPfYwci +lpbXpkamORZqPfq/nyoWgnp+y4AptDdDkSWnFxfcJ1wnFFcrHVUSFQ1wBYkCPgQT +AQIAKAIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AFAlLV0QsFCQXdHmsACgkQ +/BtUfI2BcsjV6w/9Fe1+3Mc6wG3R9VbxiYo13/JV4t+tA9/tcJ1R/Y96eAqVajoK +c2ZQ7FrimmlzvLIvxpH4Z76h3NmPWfOQ6qEumZQ5BM3QwBfQQ3Tmj10gfiL5vOZJ +6dUaJjwXgjz0Qyk1G3gw7K1xmtnXgBPyGT9T9q3OAhHHdV2b6xS9dWoNKhUV8GUn +HfIKwq+87aZqexjFE7ubZdOAe+5nrqnlMEfJKgDjXbazES9IYvPQiSjwR3xaIPOa +ma5WfQV0SHg3Vkhtv2PjuoYWNfNy17N7u+dfg7nAtKLIQCPht45uKk66BYWYBoDI +VQfg6zcFLpdNcFzzwmgrYRZvEvBf5aSG3KFD7UReT0695/lHheRxEAA3thsx8gaM +CCavtVxbVUluEfYZ7TgXLMuIO9OBKhi7MwB3iL5qacrNShMB+1J5FxieJBmWXdla ++kCdCdS+9kIZH+mnQ8daGEJ5R9mNcVwcWasI0o9NObqIZwhKw4obrC5Q7m2NfXL6 +FUScfA7yn7+/icdQB9fH2ZXGJVuNm1b8OBN6Nbz0QauaCystWzKXKwpVb/5M623v +Vw75RfnqCFiAf4tX58nL/QalJc4C0E+TvQ2pXC47VQvHmiAB31vKvU0nbo+lzi64 +hAPWJnhr2pmTvglquTFzLwEsWfO4zDtUwFo8KM1XFsonaoX5UzGTXPmIN5+0J0xl +dmVudGUgUG9seWFrIDxhbnRocmF4eEBhcmNobGludXgub3JnPokCPwQTAQIAKQIb +AwcLCQgHAwIBBhUIAgkKCwQWAgMBAh4BAheABQJUl1PbBQkHwE8PAAoJEPwbVHyN +gXLIdGAP/0ch1NeFyXWszqA5ow+itBn6iyUaplXB5I56Q77cTIFB6LqJ5+2kdUuO +UqPvOilGS3dxbyDsSdWDLs+bHRFG4uqZyGUDhmu2mvS+uDqPFwcKJUNDlgdccxph +sA5HJFGg1ca0TWWg8vjwANdU4sL9Ujbaw93v0Mx/1+aSIxyEJBNxc6DJWEfCjpSy +R9JB8WTHgvxEAImVNsT1OGNTvd2DN+17WBhxBktLHDocIGJ/fttzFgKkv6NTPwt+ +y4QyP3UgeYRZR21B6MVckk2/UuCuCY7gAGruTFVoINa/Wqn2YPPZhJYrTX7ysDaV +QLObxlepeo0UWC7wFEiuqu5OM75MWLUX8j/1OAIE6my85vrlcWSf0Z3jOAgPTjJw +VT5h7T/7NPP2azoIlOE2bh5UcKXFkT0xDYPcMr2hV2Ih+jU+Ygiyg/1yIIxearmm +PFjfIHMLepa+7RPtTlHwu4fpNPXzL13W6PXSoCTTi/suGlYmSyLtOwxq15GGT3vg 
+1Xh8wfkuWwbWJnBKXtt8HkteQRgDngDnRSJwsO2nnQ7+sr+F8J3rQDdlVdVcolic +ekup8ZgSjJYinfcpF+H+qy2kK2jOYyyHI/+zHQtwy1R7MbLwPJe7WNWrBmEvmazB +2//Iu5EVIfFX3flPjeRQbKX4B/SuXF48uo0/8WfdgaMW8glRWJnbiQI/BBMBAgAp +BQJUSwOnAhsDBQkF3R5rBwsJCAcDAgEGFQgCCQoLBBYCAwECHgECF4AACgkQ/BtU +fI2Bcsj5ihAAg0d0A8OUsNWG7TiPQTuC/D4e/5JTkJARmQ5xO6gMPxTpjSZCyWEl +7gQOg/liU8nz5HZGaJgg4HuBwTs6euqdnVi6zhW1c1wye2thGTQ7DeSPJnhju3Qe +mPS1jEdC34lXCo6eGjdKnGb7TV7hkptHKHh7XCU9n6qcXQ2cNQQbdqSCRsfVm1XD ++p+mM/FGOz8uFOrhERAUl99WkVZ4NKTdws8U6FXulbdWrWwI4eRggIdwI/Tl7zuy +ja7KxBCCeJ/gFY6g+iOYmIo6//bJITgmAG60hFHJ9JigcN6xglYFI28TCdNqM0+C +hgbZUner0vLmaxRNoXqV9Xw8ihNMQa7fUFYkX8VrXOdLdVvee7OaeLuWWE8x6usQ +NzgLDQQx9fmxtrQY+dC6Y25IPMm094z0nrbM1wtfG2+8Vw4mQ2U099fT5t3Yl7fE +PlanhgQxRZE78PxezyYxms4HV+wqvrhlBzFnWAd6H27uDPfUfO9cLgbmFTUlwFhg +gsDeIFRFx8+h4/0xAIPqUODmTiN0mj5sLRW7zvqZW6zhsGIMdPd+IkhHiGjeJqme +Ai0iOjpV3tRteoW51/+/ajPmyUBbvOxiFJNADHH2NvqoBMU1pkTvpc7Wy+2J9VcF +4TFdWBbwjU8BoC3ZgixTrT0zCSwabnKriglOhA5Ik/n5HsR7S76V13y0KExldmVu +dGUgUG9seWFrIDxhbnRocmF4eEBoYW1idXJnLmNjYy5kZT6JAj0EEwEIACcFAlSX +VHICGwMFCQfATw8FCwkIBwIGFQgJCgsCBBYCAwECHgECF4AACgkQ/BtUfI2Bcsia +Wg//SKLFNUTEBQG11cV/AljxmI2s8y+cPKs3VqlwEjiuRMu4DRkFVaZNEuPq0b8q +8pwcHIJ5/nZvOticm9M/g7TrTp3pOxmSYf7WG31vVrprig22dz8WxQAy76srNn1z +stg0TFO7nKNVjZOFz5D0RpWazwnXyDed3l2/7RZ1CMv7ue/rZez8FnDHN7Di3daX +AJ5XkvDAsD6AITYQd+4XEbh2rt9p8G6qUUjwzoVU/aGVgo1CGZydYMJQVccNL7kv +fumnwkAED8u9j0ZI+xfaD3c1rP98bnqk9u8rJPCAeIkA4ppisDb7noz0NaO7dDyM +ywBK4OR478fw5h7GfiIwZdVAHkCoEHNvF1ON8JnYgyplLvZvxZ0dtYGDYDiFdORN +gVgGMU12kemPws4hEx3WMgUu/BBkF58XyQyqcwt7q+WGI2lQ88UzZ/FAsu8i8r/J +jkV8FsiCJ2rSHEMddmOHoaTM+6oB2i9kZo7KmToSZu7DxuemlHpuOO3kG/iRga2y +NeancRJwbxgZhNGBbhrA/7k5UOcXkmfW74oBkbCci0ncVhHu12dsJXhk+eprkOXv +nD1vEIeuzL4V/SMDar3SxFlfLFwQk4cn9+pdeP3LxwHKBn74pABsbEBhEY4IjUEL +YOTEVoP6s+Ou1NcLxFl3elmniwL2+GV5rDM8pctkKNemtZa5Ag0ETrg4RQEQALfu +qEihKS+DTVlWUujzSq5zK/5oQ1ZL8AiTUTZuVtrRWCq0HE8tWaVxEP3Vt9FCo7yF +afXigokChzHOgzczg80tctrlv+vbFyaZnjGQH20Nlz8EnZP102zudx/RdFXG/up8 
+PX50Eck2lH+IvvosMLdvrZTkFJ4SgqMGSoAgMhJHZdZB5N0y8yPPAjcEnSXp8L2A +mo9e0egCrEuqBrCZld00nIoipyDlYNZkLjPf0JRgFPO/AWWgBZLvLlteLu0emq8N +96bT3QTdXpRVPM0qeX94+2gIj+0V1uQ9+k5Xkslbbii9TnOzMnLRO6dBAONVTTb3 +ajzdXK71iv2a8Y9lKShxhYWP9JNOFlXkAp+ZoD7EZex4dgu6giV3PrTDJLyWSu41 +WfqOz6cJGpJSTacrenC542ynAaSVKXH+1plqB9kq/M7HtE/P4GveQXIVT9Sho394 +4hwkuETo20KwCgFPMmiNaBysnOykIcDsDutBOyygdovzdGEyHVsM8/kz007QFgJf +hKy91H6O/Cg7VH+yaUKllRZ+kFsoSy8/E0IqLzqBHG3sUGM6lJ0Q9fgSnpzIZsdE +jRhczNCvlovGLa/kBHcEUWQ2zrjnfjsLkxvamKJ8N6LLIXIDRv5dE2smpdi3oiVg +XdOKshyXB+obhRFlWtirK4udX5yYzUpcB0zBoo1hABEBAAGJAiUEGAECAA8CGwwF +AlSXVAEFCQfATzwACgkQ/BtUfI2Bcsj0Tw//dyDYwcnh0BIb+nDCXFC91KiPUILa +f+wI5w6c9YYEo6TR89q6Wsq8EDiqcqSJcztuNvw3MZGHWA25nNB/0046CGM/tUBd +Jyudd3TxQBi6XMMSTbG1EMtSN1UMV4guuUfYcAGW38oZ+YJACCBFFz/Kt0aa/hhi +/hBNyvI73vZfQ/fsScFDewkxikUEspRsLVmX6gaEmumOxOhJP3HBoxeBCM4Z3IXo +dON2SiiMxt9BPIPJOyKNkFQGQ3dqJIag3GnsZ1s0CEoi8iqF7uS4RjC7uOJtvn74 +CODxg1Ibl1IweyAuBEA80wUh9DGLAdRJpxWy1B2fDhIROvpcg0R5p6j9UX0b0esc +jKLQEiE1wRswjXhWpZhe7Pjl38KhwqMyaeR3OnDtP7JXazIG6HiBIp4cx4k5A2TT +X+LhvG3NHCeuxIyjLTRTWgv241kf7uAu+qgjHDSKXQqpjvo+cUYQgSxQZZXnmlz0 +sz/tEeiWl+i8kW/RNKQvNNR8ghWDW3YRak/zS+WFNoLZchecIzMj+je1vSg411o4 +Xd3LHDur6boCetaq7ZkqoS+NcX9n8MnKhHKYJblvXyc1h67s90+wSwhlumA8WqlM +yqn99m13aF8GuGZbw5B2/x/Cd7WW5wZV6ioola/yqDXB1XtDFBy2Hxr/VMRlE3Cu +kekzzVjVTZxOgZE= +=yRuG +-----END PGP PUBLIC KEY BLOCK----- diff --git a/pkgs/os-specific/linux/kernel/hardened-patches.json b/pkgs/os-specific/linux/kernel/hardened-patches.json new file mode 100644 index 00000000000..24c44dd1ed1 --- /dev/null +++ b/pkgs/os-specific/linux/kernel/hardened-patches.json 
@@ -0,0 +1,27 @@
+{
+    "4.14.176": {
+        "sha256": "0pr3m2j63mc746fcbzg1hlwv85im9f87qkl6r4033gwnpa9brcgk",
+        "url": "https://github.com/anthraxx/linux-hardened/releases/download/4.14.176.a/linux-hardened-4.14.176.a.patch",
+        "version_suffix": "a"
+    },
+    "4.19.116": {
+        "sha256": "1f54g0xw708kxha07nsb979h5vwxjrkbwa5h04zny2kq702x1h13",
+        "url": "https://github.com/anthraxx/linux-hardened/releases/download/4.19.115.a/linux-hardened-4.19.115.a.patch",
+        "version_suffix": "NixOS-a"
+    },
+    "5.4.33": {
+        "sha256": "154iz7i9l0hihjrmfk6rjh7hhqwyhsdjr2c74m3dhadrlm5hwy89",
+        "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.4.32.a/linux-hardened-5.4.32.a.patch",
+        "version_suffix": "NixOS-a"
+    },
+    "5.5.17": {
+        "sha256": "1lms090kkk4vlvfssqsm7r3j88hlf8smrnpcgq24v9rq9pbr0fyw",
+        "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.5.17.a/linux-hardened-5.5.17.a.patch",
+        "version_suffix": "a"
+    },
+    "5.6.4": {
+        "sha256": "05wkzh7927n71x4cl69mclc44grqpnx6i65hli470q1rg1qrk26n",
+        "url": "https://github.com/anthraxx/linux-hardened/releases/download/5.6.4.a/linux-hardened-5.6.4.a.patch",
+        "version_suffix": "a"
+    }
+}
diff --git a/pkgs/os-specific/linux/kernel/patches.nix b/pkgs/os-specific/linux/kernel/patches.nix
index 2b718551cc7..69b0197d4e6 100644
--- a/pkgs/os-specific/linux/kernel/patches.nix
+++ b/pkgs/os-specific/linux/kernel/patches.nix
@@ -1,4 +1,4 @@
-{ fetchpatch }:
+{ lib, fetchpatch, fetchurl }:
 
 {
   bridge_stp_helper =
@@ -38,6 +38,21 @@
     patch = ./tag-hardened.patch;
   };
 
+  hardened = let
+    mkPatch = kernelVersion: patch: let
+      fullVersion = "${kernelVersion}.${patch.version_suffix}";
+      name = "linux-hardened-${fullVersion}";
+    in {
+      inherit name;
+      patch = fetchurl {
+        name = "${name}.patch";
+        inherit (patch) url sha256;
+        meta.maintainers = with lib.maintainers; [ emily ];
+      };
+    };
+    patches = builtins.fromJSON (builtins.readFile ./hardened-patches.json);
+  in lib.mapAttrs mkPatch patches;
+
   # https://bugzilla.kernel.org/show_bug.cgi?id=197591#c6
   iwlwifi_mvm_support_version_7_scan_req_umac_fw_command = rec {
     name = "iwlwifi_mvm_support_version_7_scan_req_umac_fw_command";
diff --git a/pkgs/os-specific/linux/kernel/update-hardened.py b/pkgs/os-specific/linux/kernel/update-hardened.py
new file mode 100755
index 00000000000..089e991d06b
--- /dev/null
+++ b/pkgs/os-specific/linux/kernel/update-hardened.py
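Review bot: `mkPatch` derives the derivation name from the JSON key (`linux-hardened-${kernelVersion}.${patch.version_suffix}`), but for the two `NixOS-a` entries in hardened-patches.json the URL fetches a different upstream release (`4.19.115.a` under the `4.19.116` key, `5.4.32.a` under `5.4.33`), so a name like `linux-hardened-4.19.116.NixOS-a` does not say which upstream patch is inside and the URL is the only record. Nothing in this file explains the convention or that only the sha256 is checked at build time while the OpenPGP check happens once, in the updater. Suggest a comment above `hardened = let`: `# Maintained by ./update-hardened.py, which verifies the upstream OpenPGP signature before recording url/sha256; a "NixOS-*" version_suffix marks a patch for an older point release carried forward by hand (see the URL).`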
@@ -0,0 +1,200 @@
+#! /usr/bin/env nix-shell
+#! nix-shell -i python -p "python3.withPackages (ps: [ps.PyGithub])" git gnupg
+
+# This is automatically called by ./update.sh.
+
+import re
+import json
+import sys
+import os.path
+from glob import glob
+import subprocess
+from tempfile import TemporaryDirectory
+
+from github import Github
+
+HERE = os.path.dirname(os.path.realpath(__file__))
+HARDENED_GITHUB_REPO = 'anthraxx/linux-hardened'
+HARDENED_TRUSTED_KEY = os.path.join(HERE, 'anthraxx.asc')
+HARDENED_PATCHES_PATH = os.path.join(HERE, 'hardened-patches.json')
+MIN_KERNEL = (4, 14)
+
+HARDENED_VERSION_RE = re.compile(r'''
+    (?P [\d.]+) \.
+    (?P [a-z]+)
+''', re.VERBOSE)
+
+def parse_version(version):
+    match = HARDENED_VERSION_RE.fullmatch(version)
+    if match:
+        return match.groups()
+
+def run(*args, **kwargs):
+    try:
+        return subprocess.run(
+            args, **kwargs,
+            check=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE,
+        )
+    except subprocess.CalledProcessError as err:
+        print(
+            f'error: `{err.cmd}` failed unexpectedly\n'
+            f'status code: {err.returncode}\n'
+            f'stdout:\n{err.stdout.decode("utf-8").strip()}\n'
+            f'stderr:\n{err.stderr.decode("utf-8").strip()}',
+            file=sys.stderr,
+        )
+        sys.exit(1)
+
+def nix_prefetch_url(url):
+    output = run('nix-prefetch-url', '--print-path', url).stdout
+    return output.decode('utf-8').strip().split('\n')
+
+def verify_openpgp_signature(*, name, trusted_key, sig_path, data_path):
+    with TemporaryDirectory(suffix='.nixpkgs-gnupg-home') as gnupg_home:
+        run('gpg', '--homedir', gnupg_home, '--import', trusted_key)
+        keyring = os.path.join(gnupg_home, 'pubring.kbx')
+        try:
+            subprocess.run(
+                ('gpgv', '--keyring', keyring, sig_path, data_path),
+                check=True, stderr=subprocess.PIPE,
+            )
+            return True
+        except subprocess.CalledProcessError as err:
+            print(
+                f'error: signature for {name} failed to verify!',
+                file=sys.stderr,
+            )
+            print(err.stderr.decode('utf-8'), file=sys.stderr, end='')
+            return False
+
+def fetch_patch(*, name, release):
+    def find_asset(filename):
+        try:
+            return next(
+                asset.browser_download_url
+                for asset in release.get_assets()
+                if asset.name == filename
+            )
+        except StopIteration:
+            raise KeyError(filename)
+
+    try:
+        patch_url = find_asset(f'{name}.patch')
+        sig_url = find_asset(f'{name}.patch.sig')
+    except KeyError:
+        print(f'error: {name}.patch{{,sig}} not present', file=sys.stderr)
+        return None
+
+    sha256, patch_path = nix_prefetch_url(patch_url)
+    _, sig_path = nix_prefetch_url(sig_url)
+    sig_ok = verify_openpgp_signature(
+        name=name,
+        trusted_key=HARDENED_TRUSTED_KEY,
+        sig_path=sig_path,
+        data_path=patch_path,
+    )
+    if not sig_ok:
+        return None
+
+    return {
+        'url': patch_url,
+        'sha256': sha256,
+    }
+
+def commit_patches(*, kernel_version, message):
+    with open(HARDENED_PATCHES_PATH + '.new', 'w') as new_patches_file:
+        json.dump(patches, new_patches_file, indent=4, sort_keys=True)
+        new_patches_file.write('\n')
+    os.rename(HARDENED_PATCHES_PATH + '.new', HARDENED_PATCHES_PATH)
+    message = f'linux/hardened-patches/{kernel_version}: {message}'
+    print(message)
+    if os.environ.get('COMMIT'):
+        run(
+            'git', '-C', HERE, 'commit', f'--message={message}',
+            'hardened-patches.json',
+        )
+
+# Load the existing patches.
+with open(HARDENED_PATCHES_PATH) as patches_file:
+    patches = json.load(patches_file)
+
+NIX_VERSION_RE = re.compile(r'''
+    \s* version \s* =
+    \s* " (?P [^"]*) "
+    \s* ; \s* \n
+''', re.VERBOSE)
+
+# Get the set of currently packaged kernel versions.
+kernel_versions = set()
+for filename in os.listdir(HERE):
+    filename_match = re.fullmatch(r'linux-(\d+)\.(\d+)\.nix', filename)
+    if filename_match:
+        if tuple(int(v) for v in filename_match.groups()) < MIN_KERNEL:
+            continue
+        with open(os.path.join(HERE, filename)) as nix_file:
+            for nix_line in nix_file:
+                match = NIX_VERSION_RE.fullmatch(nix_line)
+                if match:
+                    kernel_versions.add(match.group('version'))
+
+# Remove patches for old kernel versions.
+for kernel_version in patches.keys() - kernel_versions:
+    del patches[kernel_version]
+    commit_patches(kernel_version=kernel_version, message='remove')
+
+g = Github(os.environ.get('GITHUB_TOKEN'))
+repo = g.get_repo(HARDENED_GITHUB_REPO)
+releases = repo.get_releases()
+
+found_kernel_versions = set()
+failures = False
+
+for release in releases:
+    remaining_kernel_versions = kernel_versions - found_kernel_versions
+
+    if not remaining_kernel_versions:
+        break
+
+    version = release.tag_name
+    name = f'linux-hardened-{version}'
+    version_info = parse_version(version)
+    if not version_info:
+        continue
+    kernel_version, version_suffix = version_info
+
+    if kernel_version in remaining_kernel_versions:
+        found_kernel_versions.add(kernel_version)
+        try:
+            old_version_suffix = patches[kernel_version]['version_suffix']
+            old_version = f'{kernel_version}.{old_version_suffix}'
+            update = old_version_suffix < version_suffix
+        except KeyError:
+            update = True
+            old_version = None
+
+        if update:
+            patch = fetch_patch(name=name, release=release)
+            if patch is None:
+                failures = True
+            else:
+                patch['version_suffix'] = version_suffix
+                patches[kernel_version] = patch
+                if old_version:
+                    message = f'{old_version} -> {version}'
+                else:
+                    message = f'init at {version}'
+                commit_patches(kernel_version=kernel_version, message=message)
+
+missing_kernel_versions = kernel_versions - patches.keys()
+
+if missing_kernel_versions:
+    print(
+        f'warning: no patches for kernel versions ' +
+        ', '.join(missing_kernel_versions) +
+        '\nwarning: consider manually backporting older patches (bump '
+        'JSON key, set version_suffix to "NixOS-a")',
+        file=sys.stderr,
+    )
+
+if failures:
+    sys.exit(1)
diff --git a/pkgs/os-specific/linux/kernel/update.sh b/pkgs/os-specific/linux/kernel/update.sh
index c7fcc07ea0a..c483661b6f5 100755
--- a/pkgs/os-specific/linux/kernel/update.sh
+++ b/pkgs/os-specific/linux/kernel/update.sh
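Review bot: In the release loop, `update = old_version_suffix < version_suffix` is a plain string comparison and the first release seen for a kernel version wins (`found_kernel_versions.add(kernel_version)` runs before the update decision), so correctness rests on `repo.get_releases()` returning newest-first and on suffixes ordering lexicographically — `"NixOS-a" < "a"` holds only because uppercase sorts before lowercase, and a two-letter suffix such as `"aa"` would sort before `"b"`. If both are intended, a comment should say so, e.g. `# Releases arrive newest-first from the API; upstream suffixes are single lowercase letters, and the uppercase "NixOS-" prefix of a local backport sorts below them so a real upstream release replaces it.`, and sorting the releases explicitly would remove the dependence on API order. Separately, `commit_patches` reads the module-level `patches` that is only assigned further down, which works only because every call happens after the load; passing it as a parameter would make the dependency visible. The named groups in `HARDENED_VERSION_RE` and `NIX_VERSION_RE` read here as `(?P [\d.]+)`, which `re` rejects — presumably the `<name>` part was lost in rendering, since the code later calls `match.group('version')`, but worth confirming in the committed file.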
@@ -60,3 +60,6 @@ done # Update linux-libre COMMIT=1 $NIXPKGS/pkgs/os-specific/linux/kernel/update-libre.sh + +# Update linux-hardened +COMMIT=1 $NIXPKGS/pkgs/os-specific/linux/kernel/update-hardened.py diff --git a/pkgs/top-level/aliases.nix b/pkgs/top-level/aliases.nix index 5ba9b723edd..b3158b1e9c6 100644 --- a/pkgs/top-level/aliases.nix +++ b/pkgs/top-level/aliases.nix @@ -249,6 +249,11 @@ mapAliases ({ links = links2; # added 2016-01-31 linux_rpi0 = linux_rpi1; linuxPackages_rpi0 = linuxPackages_rpi1; + + # added 2020-04-04 + linuxPackages_testing_hardened = throw "linuxPackages_testing_hardened has been removed, please use linuxPackages_latest_hardened"; + linux_testing_hardened = throw "linux_testing_hardened has been removed, please use linux_latest_hardened"; + loadcaffe = throw "loadcaffe has been removed, as the upstream project has been abandoned"; # added 2020-03-28 lttngTools = lttng-tools; # added 2014-07-31 lttngUst = lttng-ust; # added 2014-07-31 diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 3cb27cf590e..63eb7e00d60 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -16978,7 +16978,10 @@ in inherit stdenv; inherit (kernel) version; }; - kernelPatches = kernel.kernelPatches ++ [ kernelPatches.tag_hardened ]; + kernelPatches = kernel.kernelPatches ++ [ + kernelPatches.tag_hardened + kernelPatches.hardened.${kernel.version} + ]; modDirVersionArg = kernel.modDirVersion + "-hardened"; }); 
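Review bot: The exit status of `update-hardened.py` is discarded on this line unless update.sh runs under `set -e`, and the script's header is outside this hunk so that cannot be confirmed here. The updater ends with `sys.exit(1)` when an asset is missing or the OpenPGP signature check fails (visible in the earlier hunk of this series), but with `COMMIT=1` it has already committed the kernel series that did succeed, so a bad signature on one series would be indistinguishable from a clean run of the whole update. Consider making the failure explicit, e.g. `COMMIT=1 "$NIXPKGS"/pkgs/os-specific/linux/kernel/update-hardened.py || { echo "linux-hardened update failed" >&2; exit 1; }`, or verify that `set -e` is in effect for this script.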
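Review bot: `kernelPatches.hardened.${kernel.version}` fails evaluation with a bare attribute-missing error for any kernel version without an entry in hardened-patches.json, a situation the updater explicitly anticipates (its warning about kernel versions with no patches) and which will recur each time `linux_latest` is bumped before linux-hardened publishes a matching release, taking `linuxPackages_latest_hardened` and every other `hardenedLinuxPackagesFor` user with it. An explicit message would make the failure actionable for whoever bumps the kernel, e.g. `kernelPatches.hardened.${kernel.version} or (throw "no linux-hardened patch for kernel ${kernel.version}; run update-hardened.py or backport an older patch")`. `hardenedLinuxPackagesFor` begins above this hunk.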
@@ -16988,9 +16991,6 @@ in linuxPackages_latest_hardened = recurseIntoAttrs (hardenedLinuxPackagesFor pkgs.linux_latest); linux_latest_hardened = linuxPackages_latest_hardened.kernel; - linuxPackages_testing_hardened = recurseIntoAttrs (hardenedLinuxPackagesFor pkgs.linux_testing); - linux_testing_hardened = linuxPackages_testing_hardened.kernel; - linuxPackages_xen_dom0_hardened = recurseIntoAttrs (hardenedLinuxPackagesFor (pkgs.linux.override { features.xen_dom0=true; })); linuxPackages_latest_xen_dom0_hardened = recurseIntoAttrs (hardenedLinuxPackagesFor (pkgs.linux_latest.override { features.xen_dom0=true; })); From 7d5352df311dec624fed63d6988f9ac999547769 Mon Sep 17 00:00:00 2001 From: Emily Date: Sun, 5 Apr 2020 05:24:02 +0100 Subject: [PATCH 04/30] linux_*_hardened: don't set X86_X32 As far as I can tell, this has never defaulted to on upstream, and our common kernel configuration doesn't turn it on, so the attack surface reduction here is somewhat homeopathic. --- pkgs/os-specific/linux/kernel/hardened-config.nix | 2 -- 1 file changed, 2 deletions(-) diff --git a/pkgs/os-specific/linux/kernel/hardened-config.nix b/pkgs/os-specific/linux/kernel/hardened-config.nix index 3010d87a178..7e6f514e19f 100644 --- a/pkgs/os-specific/linux/kernel/hardened-config.nix +++ b/pkgs/os-specific/linux/kernel/hardened-config.nix @@ -19,8 +19,6 @@ assert (versionAtLeast version "4.9"); optionalAttrs (stdenv.hostPlatform.platform.kernelArch == "x86_64") { DEFAULT_MMAP_MIN_ADDR = freeform "65536"; # Prevent allocation of first 64K of memory - # Reduce attack surface by disabling X32 - X86_X32 = no; # Note: this config depends on EXPERT y and so will not take effect, hence # it is left "optional" for now. MODIFY_LDT_SYSCALL = option no; From 3d4c8ae901585b3ad9de8a68df6c3ebaa4bde4df Mon Sep 17 00:00:00 2001 
From: Emily Date: Sun, 5 Apr 2020 05:28:38 +0100 Subject: [PATCH 05/30] linux_*_hardened: don't set VMAP_STACK This has been on by default upstream for as long as it's been an option. --- pkgs/os-specific/linux/kernel/hardened-config.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/pkgs/os-specific/linux/kernel/hardened-config.nix b/pkgs/os-specific/linux/kernel/hardened-config.nix index 7e6f514e19f..302170f2f5c 100644 --- a/pkgs/os-specific/linux/kernel/hardened-config.nix +++ b/pkgs/os-specific/linux/kernel/hardened-config.nix @@ -22,7 +22,6 @@ optionalAttrs (stdenv.hostPlatform.platform.kernelArch == "x86_64") { # Note: this config depends on EXPERT y and so will not take effect, hence # it is left "optional" for now. MODIFY_LDT_SYSCALL = option no; - VMAP_STACK = yes; # Catch kernel stack overflows # Randomize position of kernel and memory. RANDOMIZE_BASE = yes; From 8efe83c22e8c7a33847255bec30c4a9d5be8abe9 Mon Sep 17 00:00:00 2001 From: Emily Date: Sat, 4 Apr 2020 22:52:42 +0100 Subject: [PATCH 06/30] linux_*_hardened: don't set DEFAULT_MMAP_MIN_ADDR Upstreamed in anthraxx/linux-hardened@f1fe0a64dd532551b048d97b35473c25809f7a0f. --- pkgs/os-specific/linux/kernel/hardened-config.nix | 2 -- 1 file changed, 2 deletions(-) diff --git a/pkgs/os-specific/linux/kernel/hardened-config.nix b/pkgs/os-specific/linux/kernel/hardened-config.nix index 302170f2f5c..154365a5be5 100644 --- a/pkgs/os-specific/linux/kernel/hardened-config.nix +++ b/pkgs/os-specific/linux/kernel/hardened-config.nix @@ -17,8 +17,6 @@ with (stdenv.lib.kernel.whenHelpers version); assert (versionAtLeast version "4.9"); optionalAttrs (stdenv.hostPlatform.platform.kernelArch == "x86_64") { - DEFAULT_MMAP_MIN_ADDR = freeform "65536"; # Prevent allocation of first 64K of memory - # Note: this config depends on EXPERT y and so will not take effect, hence # it is left "optional" for now. MODIFY_LDT_SYSCALL = option no; From 8c68055432d501d604e906dfca242eed60c48e35 Mon Sep 17 00:00:00 2001 
From: Emily Date: Sat, 4 Apr 2020 22:55:15 +0100 Subject: [PATCH 07/30] linux_*_hardened: don't set MODIFY_LDT_SYSCALL Upstreamed in anthraxx/linux-hardened@05644876fa5dc3a67a8ea4b396e2214a2f8e8411. --- pkgs/os-specific/linux/kernel/hardened-config.nix | 4 ---- 1 file changed, 4 deletions(-) diff --git a/pkgs/os-specific/linux/kernel/hardened-config.nix b/pkgs/os-specific/linux/kernel/hardened-config.nix index 154365a5be5..75cfd68ef0d 100644 --- a/pkgs/os-specific/linux/kernel/hardened-config.nix +++ b/pkgs/os-specific/linux/kernel/hardened-config.nix @@ -17,10 +17,6 @@ with (stdenv.lib.kernel.whenHelpers version); assert (versionAtLeast version "4.9"); optionalAttrs (stdenv.hostPlatform.platform.kernelArch == "x86_64") { - # Note: this config depends on EXPERT y and so will not take effect, hence - # it is left "optional" for now. - MODIFY_LDT_SYSCALL = option no; - # Randomize position of kernel and memory. RANDOMIZE_BASE = yes; RANDOMIZE_MEMORY = yes; From 130f6812be4a3ea5ea7ed5403f1741bf8ffe1e19 Mon Sep 17 00:00:00 2001 From: Emily Date: Sat, 4 Apr 2020 22:57:15 +0100 Subject: [PATCH 08/30] linux_*_hardened: don't set RANDOMIZE_{BASE,MEMORY} These are on by default for x86 in upstream linux-5.6.2, and turned on for arm64 by anthraxx/linux-hardened@90f9670bc3696f564ac2e874a2b80046b90ea49f. --- pkgs/os-specific/linux/kernel/hardened-config.nix | 4 ---- 1 file changed, 4 deletions(-) diff --git a/pkgs/os-specific/linux/kernel/hardened-config.nix b/pkgs/os-specific/linux/kernel/hardened-config.nix index 75cfd68ef0d..50bc120ff0f 100644 --- a/pkgs/os-specific/linux/kernel/hardened-config.nix +++ b/pkgs/os-specific/linux/kernel/hardened-config.nix 
@@ -17,10 +17,6 @@ with (stdenv.lib.kernel.whenHelpers version); assert (versionAtLeast version "4.9"); optionalAttrs (stdenv.hostPlatform.platform.kernelArch == "x86_64") { - # Randomize position of kernel and memory. - RANDOMIZE_BASE = yes; - RANDOMIZE_MEMORY = yes; - # Disable legacy virtual syscalls by default (modern glibc use vDSO instead). # # Note that the vanilla default is to *emulate* the legacy vsyscall mechanism, From db6b3275086f2d27d5d419af7f6025cf1fc70d65 Mon Sep 17 00:00:00 2001 From: Emily Date: Sat, 4 Apr 2020 22:58:45 +0100 Subject: [PATCH 09/30] linux_*_hardened: don't set LEGACY_VSYSCALL_NONE Upstreamed in anthraxx/linux-hardened@d300b0fdad706daab3a36a8d23b35ebe03c3fc87. --- pkgs/os-specific/linux/kernel/hardened-config.nix | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/pkgs/os-specific/linux/kernel/hardened-config.nix b/pkgs/os-specific/linux/kernel/hardened-config.nix index 50bc120ff0f..589dc50892a 100644 --- a/pkgs/os-specific/linux/kernel/hardened-config.nix +++ b/pkgs/os-specific/linux/kernel/hardened-config.nix @@ -16,14 +16,7 @@ with (stdenv.lib.kernel.whenHelpers version); assert (versionAtLeast version "4.9"); -optionalAttrs (stdenv.hostPlatform.platform.kernelArch == "x86_64") { - # Disable legacy virtual syscalls by default (modern glibc use vDSO instead). - # - # Note that the vanilla default is to *emulate* the legacy vsyscall mechanism, - # which is supposed to be safer than the native variant (wrt. ret2libc), so - # disabling it mainly helps reduce surface. - LEGACY_VSYSCALL_NONE = yes; -} // { +{ # Report BUG() conditions and kill the offending process. BUG = yes; From 33b94e5a44cbd80af7438353b7cfd9935830a519 Mon Sep 17 00:00:00 2001 
From: Emily Date: Sat, 4 Apr 2020 23:00:52 +0100 Subject: [PATCH 10/30] linux_*_hardened: don't set BUG_ON_DATA_CORRUPTION Upstreamed in anthraxx/linux-hardened@3fcd15014c8e99828de0f946611d715411dc611d. --- pkgs/os-specific/linux/kernel/hardened-config.nix | 2 -- 1 file changed, 2 deletions(-) diff --git a/pkgs/os-specific/linux/kernel/hardened-config.nix b/pkgs/os-specific/linux/kernel/hardened-config.nix index 589dc50892a..68a15291747 100644 --- a/pkgs/os-specific/linux/kernel/hardened-config.nix +++ b/pkgs/os-specific/linux/kernel/hardened-config.nix @@ -20,8 +20,6 @@ assert (versionAtLeast version "4.9"); # Report BUG() conditions and kill the offending process. BUG = yes; - BUG_ON_DATA_CORRUPTION = whenAtLeast "4.10" yes; - # Safer page access permissions (wrt. code injection). Default on >=4.11. DEBUG_RODATA = whenOlder "4.11" yes; DEBUG_SET_MODULE_RONX = whenOlder "4.11" yes; From 303bb60fb1c5332e478d684cdf382245e57db8a5 Mon Sep 17 00:00:00 2001 From: Emily Date: Sat, 4 Apr 2020 23:01:32 +0100 Subject: [PATCH 11/30] linux_*_hardened: don't set DEBUG_WX Upstreamed in anthraxx/linux-hardened@55ee7417f305835e6e0880ecf0b1aa334f7aabf4. --- pkgs/os-specific/linux/kernel/hardened-config.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/pkgs/os-specific/linux/kernel/hardened-config.nix b/pkgs/os-specific/linux/kernel/hardened-config.nix index 68a15291747..4e1c79b477e 100644 --- a/pkgs/os-specific/linux/kernel/hardened-config.nix +++ b/pkgs/os-specific/linux/kernel/hardened-config.nix @@ -35,7 +35,6 @@ assert (versionAtLeast version "4.9"); SECURITY_SELINUX_DISABLE = whenAtLeast "4.12" no; SECURITY_WRITABLE_HOOKS = whenAtLeast "4.12" (option no); - DEBUG_WX = yes; # boot-time warning on RWX mappings STRICT_KERNEL_RWX = whenAtLeast "4.11" yes; # Stricter /dev/mem From 0611462e3350df51a1eeab9fa72d181730105cb9 Mon Sep 17 00:00:00 2001 
From: Emily Date: Sat, 4 Apr 2020 23:02:31 +0100 Subject: [PATCH 12/30] linux_*_hardened: don't set {,IO_}STRICT_DEVMEM STRICT_DEVMEM is on by default in upstream 5.6.2; IO_STRICT_DEVMEM is turned on by anthraxx/linux-hardened@103d23cb6645c1110fa33f2ce1ed1bba2b094081. Note that anthraxx/linux-hardened@db1d27e10e0e624632ecda9e72abb9ab126da4ce disables DEVMEM by default, so this is only relevant if that default is overridden to turn it back on. --- pkgs/os-specific/linux/kernel/hardened-config.nix | 4 ---- 1 file changed, 4 deletions(-) diff --git a/pkgs/os-specific/linux/kernel/hardened-config.nix b/pkgs/os-specific/linux/kernel/hardened-config.nix index 4e1c79b477e..14503854d3e 100644 --- a/pkgs/os-specific/linux/kernel/hardened-config.nix +++ b/pkgs/os-specific/linux/kernel/hardened-config.nix @@ -37,10 +37,6 @@ assert (versionAtLeast version "4.9"); STRICT_KERNEL_RWX = whenAtLeast "4.11" yes; - # Stricter /dev/mem - STRICT_DEVMEM = option yes; - IO_STRICT_DEVMEM = option yes; - # Perform additional validation of commonly targeted structures. DEBUG_CREDENTIALS = yes; DEBUG_NOTIFIERS = yes; From 3eeb5240ac1f01f2adf8f0947bbb73cf36af8dc4 Mon Sep 17 00:00:00 2001 From: Emily Date: Sat, 4 Apr 2020 23:04:48 +0100 Subject: [PATCH 13/30] linux_*_hardened: don't set DEBUG_LIST Upstreamed in anthraxx/linux-hardened@6b20124185e0548c1791bc8b7fde053de4fda269. --- pkgs/os-specific/linux/kernel/hardened-config.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/pkgs/os-specific/linux/kernel/hardened-config.nix b/pkgs/os-specific/linux/kernel/hardened-config.nix index 14503854d3e..d322f239c32 100644 --- a/pkgs/os-specific/linux/kernel/hardened-config.nix +++ b/pkgs/os-specific/linux/kernel/hardened-config.nix @@ -40,7 +40,6 @@ assert (versionAtLeast version "4.9"); # Perform additional validation of commonly targeted structures. DEBUG_CREDENTIALS = yes; DEBUG_NOTIFIERS = yes; - DEBUG_LIST = yes; DEBUG_PI_LIST = yes; # doesn't BUG() DEBUG_SG = yes; SCHED_STACK_END_CHECK = yes; 
From 4fb796e34129934ed9c26c64beb1a0f93639957e Mon Sep 17 00:00:00 2001 From: Emily Date: Sat, 4 Apr 2020 23:05:28 +0100 Subject: [PATCH 14/30] linux_*_hardened: don't set HARDENED_USERCOPY_FALLBACK Upstreamed in anthraxx/linux-hardened@c1fe7a68e368d05e109e69ee3491da69093883a3, anthraxx/linux-hardened@2c553a2bb115211c8e1c97eb8c949320aeb29a1d. --- pkgs/os-specific/linux/kernel/hardened-config.nix | 4 ---- 1 file changed, 4 deletions(-) diff --git a/pkgs/os-specific/linux/kernel/hardened-config.nix b/pkgs/os-specific/linux/kernel/hardened-config.nix index d322f239c32..f718235c625 100644 --- a/pkgs/os-specific/linux/kernel/hardened-config.nix +++ b/pkgs/os-specific/linux/kernel/hardened-config.nix @@ -46,10 +46,6 @@ assert (versionAtLeast version "4.9"); REFCOUNT_FULL = whenAtLeast "4.13" yes; - # Perform usercopy bounds checking. - HARDENED_USERCOPY = yes; - HARDENED_USERCOPY_FALLBACK = whenAtLeast "4.16" no; # for full whitelist enforcement - # Randomize allocator freelists. SLAB_FREELIST_RANDOM = yes; From 0d5f1697b78a5d8dc7d0f2a25e71ecca4021b257 Mon Sep 17 00:00:00 2001 From: Emily Date: Sat, 4 Apr 2020 23:06:05 +0100 Subject: [PATCH 15/30] linux_*_hardened: don't set SLAB_FREELIST_{RANDOM,HARDENED} Upstreamed in anthraxx/linux-hardened@786126f177aba14110394be49b404beba061292f, anthraxx/linux-hardened@44822ebeb7c3ede030c58cc64fc1c8e8489c9063. --- pkgs/os-specific/linux/kernel/hardened-config.nix | 5 ----- 1 file changed, 5 deletions(-) diff --git a/pkgs/os-specific/linux/kernel/hardened-config.nix b/pkgs/os-specific/linux/kernel/hardened-config.nix index f718235c625..20911714b90 100644 --- a/pkgs/os-specific/linux/kernel/hardened-config.nix +++ b/pkgs/os-specific/linux/kernel/hardened-config.nix 
@@ -46,11 +46,6 @@ assert (versionAtLeast version "4.9"); REFCOUNT_FULL = whenAtLeast "4.13" yes; - # Randomize allocator freelists. - SLAB_FREELIST_RANDOM = yes; - - SLAB_FREELIST_HARDENED = whenAtLeast "4.14" yes; - # Randomize page allocator when page_alloc.shuffle=1 SHUFFLE_PAGE_ALLOCATOR = whenAtLeast "5.2" yes; From ed89b5b3f121920b811cfe1e705947fcd7cdb110 Mon Sep 17 00:00:00 2001 From: Emily Date: Sat, 4 Apr 2020 23:06:40 +0100 Subject: [PATCH 16/30] linux_*_hardened: don't set PANIC_ON_OOPS Upstreamed in anthraxx/linux-hardened@366e0216f15b7007c1f8b7ca86df681cbc22b50a. --- pkgs/os-specific/linux/kernel/hardened-config.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/pkgs/os-specific/linux/kernel/hardened-config.nix b/pkgs/os-specific/linux/kernel/hardened-config.nix index 20911714b90..63ed2219f48 100644 --- a/pkgs/os-specific/linux/kernel/hardened-config.nix +++ b/pkgs/os-specific/linux/kernel/hardened-config.nix @@ -61,7 +61,6 @@ assert (versionAtLeast version "4.9"); SECURITY_SAFESETID = whenAtLeast "5.1" yes; # Reboot devices immediately if kernel experiences an Oops. - PANIC_ON_OOPS = yes; PANIC_TIMEOUT = freeform "-1"; GCC_PLUGINS = yes; # Enable gcc plugin options From 7fdfe5381d338c6f8fae6752b69055401e170627 Mon Sep 17 00:00:00 2001 From: Emily Date: Sat, 4 Apr 2020 23:08:09 +0100 Subject: [PATCH 17/30] linux_*_hardened: don't set FORTIFY_SOURCE Upstreamed in anthraxx/linux-hardened@d12c0d5f0c43f299634af7268f63929c1aaa10ee. --- pkgs/os-specific/linux/kernel/hardened-config.nix | 3 --- 1 file changed, 3 deletions(-) diff --git a/pkgs/os-specific/linux/kernel/hardened-config.nix b/pkgs/os-specific/linux/kernel/hardened-config.nix index 63ed2219f48..95510fe218e 100644 --- a/pkgs/os-specific/linux/kernel/hardened-config.nix +++ b/pkgs/os-specific/linux/kernel/hardened-config.nix 
@@ -82,7 +82,4 @@ assert (versionAtLeast version "4.9"); CC_STACKPROTECTOR_REGULAR = whenOlder "4.18" no; CC_STACKPROTECTOR_STRONG = whenOlder "4.18" yes; - # Enable compile/run-time buffer overflow detection ala glibc's _FORTIFY_SOURCE - FORTIFY_SOURCE = whenAtLeast "4.13" yes; - } From 3b32cd2a5b951a82e37c2d8f9069ac3f12d62868 Mon Sep 17 00:00:00 2001 From: Emily Date: Sun, 5 Apr 2020 05:55:58 +0100 Subject: [PATCH 18/30] nixos/hardened: don't set slab_nomerge Upstreamed in anthraxx/linux-hardened@df29f9248c6b2459dcaae216dc6f4751fab4ff3b. --- nixos/modules/profiles/hardened.nix | 3 --- 1 file changed, 3 deletions(-) diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix index 35743d83134..49cd3504aa0 100644 --- a/nixos/modules/profiles/hardened.nix +++ b/nixos/modules/profiles/hardened.nix @@ -37,9 +37,6 @@ with lib; # Slab/slub sanity checks, redzoning, and poisoning "slub_debug=FZP" - # Disable slab merging to make certain heap overflow attacks harder - "slab_nomerge" - # Overwrite free'd memory "page_poison=1" From cf1bce6a7ada476671277ac5bffe132891ece0d8 Mon Sep 17 00:00:00 2001 From: Emily Date: Sun, 5 Apr 2020 05:56:58 +0100 Subject: [PATCH 19/30] nixos/hardened: don't set vsyscall=none Upstreamed in anthraxx/linux-hardened@d300b0fdad706daab3a36a8d23b35ebe03c3fc87. --- nixos/modules/profiles/hardened.nix | 3 --- 1 file changed, 3 deletions(-) diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix index 49cd3504aa0..8a2763faec0 100644 --- a/nixos/modules/profiles/hardened.nix +++ b/nixos/modules/profiles/hardened.nix @@ -40,9 +40,6 @@ with lib; # Overwrite free'd memory "page_poison=1" - # Disable legacy virtual syscalls - "vsyscall=none" - # Enable page allocator randomization "page_alloc.shuffle=1" ]; From 9da578a78f6f442a193bd15af3c1c4544b1ff156 Mon Sep 17 00:00:00 2001 
From: Emily Date: Sun, 5 Apr 2020 04:57:03 +0100 Subject: [PATCH 20/30] nixos/hardened: don't set kernel.dmesg_restrict Upstreamed in anthraxx/linux-hardened@e3d3f13ffb1a5ff507a8ecae52e3d1fa05d30a07. --- nixos/modules/profiles/hardened.nix | 3 --- 1 file changed, 3 deletions(-) diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix index 8a2763faec0..052909d63f5 100644 --- a/nixos/modules/profiles/hardened.nix +++ b/nixos/modules/profiles/hardened.nix @@ -76,9 +76,6 @@ with lib; # (e.g., parent/child) boot.kernel.sysctl."kernel.yama.ptrace_scope" = mkOverride 500 1; - # Restrict access to kernel ring buffer (information leaks) - boot.kernel.sysctl."kernel.dmesg_restrict" = mkDefault true; - # Hide kptrs even for processes with CAP_SYSLOG boot.kernel.sysctl."kernel.kptr_restrict" = mkOverride 500 2; From 71bbd876b743a98affd89dfe097c15a1048a63bf Mon Sep 17 00:00:00 2001 From: Emily Date: Sat, 4 Apr 2020 23:12:06 +0100 Subject: [PATCH 21/30] nixos/hardened: don't set kernel.unprivileged_bpf_disabled Upstreamed in anthraxx/linux-hardened@1a3e0c283028533527595a91d9504d2b7eabc977. --- nixos/modules/profiles/hardened.nix | 4 ---- 1 file changed, 4 deletions(-) diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix index 052909d63f5..8889c6440f4 100644 --- a/nixos/modules/profiles/hardened.nix +++ b/nixos/modules/profiles/hardened.nix @@ -79,10 +79,6 @@ with lib; # Hide kptrs even for processes with CAP_SYSLOG boot.kernel.sysctl."kernel.kptr_restrict" = mkOverride 500 2; - # Unprivileged access to bpf() has been used for privilege escalation in - # the past - boot.kernel.sysctl."kernel.unprivileged_bpf_disabled" = mkDefault true; - # Disable bpf() JIT (to eliminate spray attacks) boot.kernel.sysctl."net.core.bpf_jit_enable" = mkDefault false; From af4f57b2c4b969c9bc72527dbbd970564ee8d90b Mon Sep 17 00:00:00 2001 
From: Emily Date: Sat, 4 Apr 2020 23:12:44 +0100 Subject: [PATCH 22/30] nixos/hardened: don't set net.core.bpf_jit_harden Upstreamed in anthraxx/linux-hardened@82e384401d441d42efad9830ab31650a7ea571db. --- nixos/modules/profiles/hardened.nix | 3 --- 1 file changed, 3 deletions(-) diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix index 8889c6440f4..692afbff660 100644 --- a/nixos/modules/profiles/hardened.nix +++ b/nixos/modules/profiles/hardened.nix @@ -82,9 +82,6 @@ with lib; # Disable bpf() JIT (to eliminate spray attacks) boot.kernel.sysctl."net.core.bpf_jit_enable" = mkDefault false; - # ... or at least apply some hardening to it - boot.kernel.sysctl."net.core.bpf_jit_harden" = mkDefault true; - # Raise ASLR entropy for 64bit & 32bit, respectively. # # Note: mmap_rnd_compat_bits may not exist on 64bit. From 46d12cca561165142580ccdc39eb97d0ee5b240d Mon Sep 17 00:00:00 2001 From: Emily Date: Sun, 5 Apr 2020 04:07:51 +0100 Subject: [PATCH 23/30] nixos/hardened: don't set vm.mmap_rnd{,_compat}_bits Upstreamed in anthraxx/linux-hardened@ae6d85f437dddf8f5a9076019cdfbb7788a9c154. --- nixos/modules/profiles/hardened.nix | 6 ------ 1 file changed, 6 deletions(-) diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix index 692afbff660..33b62589b99 100644 --- a/nixos/modules/profiles/hardened.nix +++ b/nixos/modules/profiles/hardened.nix 
@@ -82,12 +82,6 @@ with lib; # Disable bpf() JIT (to eliminate spray attacks) boot.kernel.sysctl."net.core.bpf_jit_enable" = mkDefault false; - # Raise ASLR entropy for 64bit & 32bit, respectively. - # - # Note: mmap_rnd_compat_bits may not exist on 64bit. - boot.kernel.sysctl."vm.mmap_rnd_bits" = mkDefault 32; - boot.kernel.sysctl."vm.mmap_rnd_compat_bits" = mkDefault 16; - # Allowing users to mmap() memory starting at virtual address 0 can turn a # NULL dereference bug in the kernel into code execution with elevated # privilege. Mitigate by enforcing a minimum base addr beyond the NULL memory From cc28d51237d39fa5f7de57f836fe2a0cf46e6182 Mon Sep 17 00:00:00 2001 From: Emily Date: Sat, 4 Apr 2020 22:52:42 +0100 Subject: [PATCH 24/30] nixos/hardened: don't set vm.mmap_min_addr Upstreamed in anthraxx/linux-hardened@f1fe0a64dd532551b048d97b35473c25809f7a0f. --- nixos/modules/profiles/hardened.nix | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix index 33b62589b99..1747e962f02 100644 --- a/nixos/modules/profiles/hardened.nix +++ b/nixos/modules/profiles/hardened.nix @@ -82,16 +82,6 @@ with lib; # Disable bpf() JIT (to eliminate spray attacks) boot.kernel.sysctl."net.core.bpf_jit_enable" = mkDefault false; - # Allowing users to mmap() memory starting at virtual address 0 can turn a - # NULL dereference bug in the kernel into code execution with elevated - # privilege. Mitigate by enforcing a minimum base addr beyond the NULL memory - # space. This breaks applications that require mapping the 0 page, such as - # dosemu or running 16bit applications under wine. It also breaks older - # versions of qemu. - # - # The value is taken from the KSPP recommendations (Debian uses 4096). - boot.kernel.sysctl."vm.mmap_min_addr" = mkDefault 65536; - # Disable ftrace debugging boot.kernel.sysctl."kernel.ftrace_enabled" = mkDefault false; 
From 84f258bf096275fffbc95328e33ed981a677db68 Mon Sep 17 00:00:00 2001 From: Emily Date: Sun, 5 Apr 2020 05:04:43 +0100 Subject: [PATCH 25/30] nixos/hardened: don't set vm.unprivileged_userfaultfd Upstreamed in anthraxx/linux-hardened@a712392b88b3cbc8385fd97be87a43db2ad7ecf0. --- nixos/modules/profiles/hardened.nix | 3 --- 1 file changed, 3 deletions(-) diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix index 1747e962f02..09a1dd54333 100644 --- a/nixos/modules/profiles/hardened.nix +++ b/nixos/modules/profiles/hardened.nix @@ -108,7 +108,4 @@ with lib; # Ignore outgoing ICMP redirects (this is ipv4 only) boot.kernel.sysctl."net.ipv4.conf.all.send_redirects" = mkDefault false; boot.kernel.sysctl."net.ipv4.conf.default.send_redirects" = mkDefault false; - - # Restrict userfaultfd syscalls to processes with the SYS_PTRACE capability - boot.kernel.sysctl."vm.unprivileged_userfaultfd" = mkDefault false; } From ad9bfe2254e6205f94baa9c988063b0737911a23 Mon Sep 17 00:00:00 2001 
From: Emily Date: Sat, 4 Apr 2020 23:13:27 +0100 Subject: [PATCH 26/30] nixos/hardened: enable user namespaces for root linux-hardened sets kernel.unprivileged_userns_clone=0 by default; see anthraxx/linux-hardened@104f44058f058a395502192c4939645df6f52ecb. This allows the Nix sandbox to function while reducing the attack surface posed by user namespaces, which allow unprivileged code to exercise lots of root-only code paths and have lead to privilege escalation vulnerabilities in the past. We can safely leave user namespaces on for privileged users, as root already has root privileges, but if you're not running builds on your machine and really want to minimize the kernel attack surface then you can set security.allowUserNamespaces to false. Note that Chrome's sandbox requires either unprivileged CLONE_NEWUSER or setuid, and Firefox's silently reduces the security level if it isn't allowed (see about:support), so desktop users may want to set: boot.kernel.sysctl."kernel.unprivileged_userns_clone" = true; --- nixos/modules/profiles/hardened.nix | 2 -- nixos/tests/hardened.nix | 3 ++- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix index 09a1dd54333..c771a4ed328 100644 --- a/nixos/modules/profiles/hardened.nix +++ b/nixos/modules/profiles/hardened.nix @@ -21,8 +21,6 @@ with lib; security.lockKernelModules = mkDefault true; - security.allowUserNamespaces = mkDefault false; - security.protectKernelImage = mkDefault true; security.allowSimultaneousMultithreading = mkDefault false; diff --git a/nixos/tests/hardened.nix b/nixos/tests/hardened.nix index cbf76f9e558..21bc9308aaa 100644 --- a/nixos/tests/hardened.nix +++ b/nixos/tests/hardened.nix 
@@ -76,7 +76,8 @@ import ./make-test.nix ({ pkgs, ...} : { # Test userns subtest "userns", sub { - $machine->fail("unshare --user"); + $machine->succeed("unshare --user true"); + $machine->fail("su -l alice -c 'unshare --user true'"); }; # Test dmesg restriction From b0d5032ee4a1cee1fb9e521326114350ad414573 Mon Sep 17 00:00:00 2001 From: Emily Date: Sat, 4 Apr 2020 23:58:54 +0100 Subject: [PATCH 27/30] nixos/hardened: add emily to maintainers --- nixos/modules/profiles/hardened.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix index c771a4ed328..ef8c0d74f06 100644 --- a/nixos/modules/profiles/hardened.nix +++ b/nixos/modules/profiles/hardened.nix @@ -7,7 +7,7 @@ with lib; { meta = { - maintainers = [ maintainers.joachifm ]; + maintainers = [ maintainers.joachifm maintainers.emily ]; }; boot.kernelPackages = mkDefault pkgs.linuxPackages_hardened; From fe031d07f82fe87c3f258daf9085040d9ff9e49f Mon Sep 17 00:00:00 2001 From: Emily Date: Sun, 5 Apr 2020 00:29:24 +0100 Subject: [PATCH 28/30] nixos/tests/hardened: add latestKernel argument --- nixos/tests/all-tests.nix | 1 + nixos/tests/hardened.nix | 8 ++++++-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix index 5adfd6afd6a..e52eb0d5482 100644 --- a/nixos/tests/all-tests.nix +++ b/nixos/tests/all-tests.nix @@ -160,6 +160,7 @@ in # kubernetes.e2e should eventually replace kubernetes.rbac when it works #kubernetes.e2e = handleTestOn ["x86_64-linux"] ./kubernetes/e2e.nix {}; kubernetes.rbac = handleTestOn ["x86_64-linux"] ./kubernetes/rbac.nix {}; + latestKernel.hardened = handleTest ./hardened.nix { latestKernel = true; }; latestKernel.login = handleTest ./login.nix { latestKernel = true; }; ldap = handleTest ./ldap.nix {}; leaps = handleTest ./leaps.nix {}; diff --git a/nixos/tests/hardened.nix b/nixos/tests/hardened.nix index 21bc9308aaa..5ed0dfcf9ab 100644 
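Review bot: `$machine->fail("su -l alice -c 'unshare --user true'")` passes on any non-zero exit, including `su` itself failing (no login shell, PAM refusal), so the property the subtest is meant to pin — unprivileged CLONE_NEWUSER refused while root's `unshare --user true` succeeds — is not distinguished from a broken `su` invocation. Consider asserting on unshare's own error instead, e.g. `$machine->succeed("su -l alice -c 'unshare --user true' 2>&1 | grep -q 'Operation not permitted'")` (the exact wording should be confirmed against the util-linux unshare in use). Since the denial now comes from linux-hardened's `kernel.unprivileged_userns_clone` default rather than from `security.allowUserNamespaces`, a comment such as `# relies on linux-hardened's default kernel.unprivileged_userns_clone=0` above the subtest would tell the next maintainer why the root case is expected to succeed.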
--- a/nixos/tests/hardened.nix +++ b/nixos/tests/hardened.nix @@ -1,4 +1,4 @@ -import ./make-test.nix ({ pkgs, ...} : { +import ./make-test.nix ({ pkgs, latestKernel ? false, ... } : { name = "hardened"; meta = with pkgs.stdenv.lib.maintainers; { maintainers = [ joachifm ]; @@ -10,6 +10,8 @@ import ./make-test.nix ({ pkgs, ...} : { { users.users.alice = { isNormalUser = true; extraGroups = [ "proc" ]; }; users.users.sybil = { isNormalUser = true; group = "wheel"; }; imports = [ ../modules/profiles/hardened.nix ]; + boot.kernelPackages = + lib.mkIf latestKernel pkgs.linuxPackages_latest_hardened; environment.memoryAllocator.provider = "graphene-hardened"; nix.useSandbox = false; virtualisation.emptyDiskImages = [ 4096 ]; @@ -23,7 +25,9 @@ import ./make-test.nix ({ pkgs, ...} : { options = [ "noauto" ]; }; }; - boot.extraModulePackages = [ config.boot.kernelPackages.wireguard ]; + boot.extraModulePackages = + optional (versionOlder config.boot.kernelPackages.kernel.version "5.6") + config.boot.kernelPackages.wireguard; boot.kernelModules = [ "wireguard" ]; }; From e133e396df9f5a466f2de592dd0b429dee62c959 Mon Sep 17 00:00:00 2001 From: Emily Date: Sun, 5 Apr 2020 00:30:30 +0100 Subject: [PATCH 29/30] nixos/release-{small,combined}: add latestKernel.login Seems like a good idea to ensure that you can always use the latest stable upstream kernel. --- nixos/release-combined.nix | 1 + nixos/release-small.nix | 1 + 2 files changed, 2 insertions(+) diff --git a/nixos/release-combined.nix b/nixos/release-combined.nix index 02f19610f8a..9d16c013f46 100644 --- a/nixos/release-combined.nix +++ b/nixos/release-combined.nix @@ -96,6 +96,7 @@ in rec { (onFullSupported "nixos.tests.keymap.dvp") (onFullSupported "nixos.tests.keymap.neo") (onFullSupported "nixos.tests.keymap.qwertz") + (onFullSupported "nixos.tests.latestKernel.login") (onFullSupported "nixos.tests.lightdm") (onFullSupported "nixos.tests.login") (onFullSupported "nixos.tests.misc") 
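Review bot: The new lines mix qualified and unqualified library references within the same module: `lib.mkIf latestKernel pkgs.linuxPackages_latest_hardened` in the second hunk against `optional (versionOlder config.boot.kernelPackages.kernel.version "5.6")` in the third, so whatever brings `optional` and `versionOlder` into scope (presumably a `with lib;` or `with pkgs.lib;` outside this view) would serve `mkIf` as well. Pick one form, e.g. `mkIf latestKernel pkgs.linuxPackages_latest_hardened`, or `lib.optional (lib.versionOlder config.boot.kernelPackages.kernel.version "5.6")`. The `meta.maintainers = [ joachifm ];` context in the first hunk also does not list emily although this series adds her to the profile's maintainers; worth aligning if she is meant to be notified when the now-external patch set lags a kernel bump and this test breaks.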
diff --git a/nixos/release-small.nix b/nixos/release-small.nix index 6da2c59cedd..ed7bbd81138 100644 --- a/nixos/release-small.nix +++ b/nixos/release-small.nix @@ -101,6 +101,7 @@ in rec { "nixos.tests.installer.separateBoot.x86_64-linux" "nixos.tests.installer.simple.x86_64-linux" "nixos.tests.ipv6.x86_64-linux" + "nixos.tests.latestKernel.login.x86_64-linux" "nixos.tests.login.x86_64-linux" "nixos.tests.misc.x86_64-linux" "nixos.tests.nat.firewall-conntrack.x86_64-linux" From 2e31fb407eeea4ffb8428634f3c5695b747b7ec5 Mon Sep 17 00:00:00 2001 From: Emily Date: Sun, 5 Apr 2020 00:32:38 +0100 Subject: [PATCH 30/30] nixos/release-combined: add {,latestKernel.}hardened These now depend on an external patch set; add them to the release tests to ensure that the build doesn't break silently as new kernel updates are merged. --- nixos/release-combined.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/nixos/release-combined.nix b/nixos/release-combined.nix index 9d16c013f46..87783c66095 100644 --- a/nixos/release-combined.nix +++ b/nixos/release-combined.nix @@ -75,6 +75,7 @@ in rec { (onFullSupported "nixos.tests.fontconfig-default-fonts") (onFullSupported "nixos.tests.gnome3") (onFullSupported "nixos.tests.gnome3-xorg") + (onFullSupported "nixos.tests.hardened") (onSystems ["x86_64-linux"] "nixos.tests.hibernate") (onFullSupported "nixos.tests.i3wm") (onSystems ["x86_64-linux"] "nixos.tests.installer.btrfsSimple") @@ -96,6 +97,7 @@ in rec { (onFullSupported "nixos.tests.keymap.dvp") (onFullSupported "nixos.tests.keymap.neo") (onFullSupported "nixos.tests.keymap.qwertz") + (onFullSupported "nixos.tests.latestKernel.hardened") (onFullSupported "nixos.tests.latestKernel.login") (onFullSupported "nixos.tests.lightdm") (onFullSupported "nixos.tests.login")