linux: convert hardened-config to a structured one
parent
3bb7b3f02e
commit
7aacbdb898
@ -32,7 +32,6 @@ let
|
|||
modules = callLibs ./modules.nix;
|
||||
options = callLibs ./options.nix;
|
||||
types = callLibs ./types.nix;
|
||||
kernel = callLibs ./kernel.nix;
|
||||
|
||||
# constants
|
||||
licenses = callLibs ./licenses.nix;
|
||||
|
|
|
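Review bot: The counts on this hunk (-7/+6) mean one line is dropped from this attribute set, and the only candidate the rest of the commit accounts for appears to be `kernel = callLibs ./kernel.nix;`, since kernel.nix now requires a `version` argument that `callLibs` cannot supply; if that is the dropped line, `lib.kernel` silently disappears from the public `lib` namespace for any out-of-tree code that referenced it. A stub in its place, `kernel = throw "lib.kernel was removed: import lib/kernel.nix with { lib, version } instead";`, would turn the silent break into an explicit error at the point of use, and a one-line comment beside it would explain why. The enclosing `let` starts outside the hunk.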
@ -1,7 +1,12 @@
|
|||
{ lib }:
|
||||
{ lib, version }:
|
||||
|
||||
with lib;
|
||||
rec {
|
||||
# Common patterns/legacy
|
||||
whenAtLeast = ver: mkIf (versionAtLeast version ver);
|
||||
whenOlder = ver: mkIf (versionOlder version ver);
|
||||
# range is (inclusive, exclusive)
|
||||
whenBetween = verLow: verHigh: mkIf (versionAtLeast version verLow && versionOlder version verHigh);
|
||||
|
||||
|
||||
# Keeping these around in case we decide to change this horrible implementation :)
|
||||
|
|
|
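Review bot: The new `version` parameter on `{ lib, version }:` is undocumented, and the three helpers below it are the only things that read it, so a reader has to open the call sites to learn what to pass. A header comment such as `# version: the kernel version string that whenAtLeast/whenOlder/whenBetween compare against; each helper wraps its value in mkIf, so the value only applies when version satisfies the bound.` would state the contract where it is consumed. The `rec { … }` set continues past the end of the hunk, so any helpers defined further down that also depend on `version` should be covered by the same comment.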
@ -17,14 +17,9 @@
|
|||
|
||||
with stdenv.lib;
|
||||
|
||||
with import ../../../../lib/kernel.nix { inherit (stdenv) lib; };
|
||||
with import ../../../../lib/kernel.nix { inherit (stdenv) lib; inherit version; };
|
||||
|
||||
let
|
||||
# Common patterns/legacy
|
||||
when = cond: opt: if cond then opt else null;
|
||||
whenAtLeast = ver: mkIf (versionAtLeast version ver);
|
||||
whenOlder = ver: mkIf (versionOlder version ver);
|
||||
whenBetween = verLow: verHigh: mkIf (versionAtLeast version verLow && versionOlder version verHigh);
|
||||
|
||||
# configuration items have to be part of a subattrs
|
||||
flattenKConf = nested: mapAttrs (_: head) (zipAttrs (attrValues nested));
|
||||
|
@ -420,7 +415,7 @@ let
|
|||
KVM_COMPAT = { optional = true; tristate = whenBetween "4.0" "4.12" "y"; };
|
||||
KVM_DEVICE_ASSIGNMENT = { optional = true; tristate = whenBetween "3.10" "4.12" "y"; };
|
||||
KVM_GENERIC_DIRTYLOG_READ_PROTECT = whenAtLeast "4.0" yes;
|
||||
KVM_GUEST = when (!features.grsecurity) yes;
|
||||
KVM_GUEST = mkIf (!features.grsecurity) yes;
|
||||
KVM_MMIO = yes;
|
||||
KVM_VFIO = yes;
|
||||
KSM = yes;
|
||||
|
|
|
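Review bot: The `with import ../../../../lib/kernel.nix { inherit (stdenv) lib; inherit version; };` line stacks a second `with` on top of `with stdenv.lib;`, so every name the kernel library exports silently shadows a same-named `stdenv.lib` function, and the helpers used throughout this file (`whenAtLeast`, `whenBetween` at the KVM lines in the second hunk) no longer have a visible binding here if the local definitions are dropped from the `let` as the hunk counts suggest. Binding the import by name keeps the provenance explicit: `kernelLib = import ../../../../lib/kernel.nix { inherit (stdenv) lib; inherit version; };` outside the `let`, then `inherit (kernelLib) whenAtLeast whenOlder whenBetween;` inside it. The `let` continues well past the first hunk.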
@ -11,138 +11,110 @@
|
|||
{ stdenv, version }:
|
||||
|
||||
with stdenv.lib;
|
||||
with import ../../../../lib/kernel.nix { inherit (stdenv) lib; inherit version; };
|
||||
|
||||
assert (versionAtLeast version "4.9");
|
||||
|
||||
''
|
||||
# Report BUG() conditions and kill the offending process.
|
||||
BUG y
|
||||
|
||||
${optionalString (versionAtLeast version "4.10") ''
|
||||
BUG_ON_DATA_CORRUPTION y
|
||||
''}
|
||||
|
||||
${optionalString (stdenv.hostPlatform.platform.kernelArch == "x86_64") ''
|
||||
DEFAULT_MMAP_MIN_ADDR 65536 # Prevent allocation of first 64K of memory
|
||||
optionalAttrs (stdenv.hostPlatform.platform.kernelArch == "x86_64") {
|
||||
DEFAULT_MMAP_MIN_ADDR = freeform "65536"; # Prevent allocation of first 64K of memory
|
||||
|
||||
# Reduce attack surface by disabling various emulations
|
||||
IA32_EMULATION n
|
||||
X86_X32 n
|
||||
IA32_EMULATION = no;
|
||||
X86_X32 = no;
|
||||
# Note: this config depends on EXPERT y and so will not take effect, hence
|
||||
# it is left "optional" for now.
|
||||
MODIFY_LDT_SYSCALL? n
|
||||
|
||||
VMAP_STACK y # Catch kernel stack overflows
|
||||
MODIFY_LDT_SYSCALL = option no;
|
||||
VMAP_STACK = yes; # Catch kernel stack overflows
|
||||
|
||||
# Randomize position of kernel and memory.
|
||||
RANDOMIZE_BASE y
|
||||
RANDOMIZE_MEMORY y
|
||||
RANDOMIZE_BASE = yes;
|
||||
RANDOMIZE_MEMORY = yes;
|
||||
|
||||
# Disable legacy virtual syscalls by default (modern glibc use vDSO instead).
|
||||
#
|
||||
# Note that the vanilla default is to *emulate* the legacy vsyscall mechanism,
|
||||
# which is supposed to be safer than the native variant (wrt. ret2libc), so
|
||||
# disabling it mainly helps reduce surface.
|
||||
LEGACY_VSYSCALL_NONE y
|
||||
''}
|
||||
LEGACY_VSYSCALL_NONE = yes;
|
||||
} // {
|
||||
# Report BUG() conditions and kill the offending process.
|
||||
BUG = yes;
|
||||
|
||||
# Safer page access permissions (wrt. code injection). Default on >=4.11.
|
||||
${optionalString (versionOlder version "4.11") ''
|
||||
DEBUG_RODATA y
|
||||
DEBUG_SET_MODULE_RONX y
|
||||
''}
|
||||
BUG_ON_DATA_CORRUPTION = whenAtLeast "4.10" yes;
|
||||
|
||||
# Mark LSM hooks read-only after init. SECURITY_WRITABLE_HOOKS n
|
||||
# conflicts with SECURITY_SELINUX_DISABLE y; disabling the latter
|
||||
# implicitly marks LSM hooks read-only after init.
|
||||
#
|
||||
# SELinux can only be disabled at boot via selinux=0
|
||||
#
|
||||
# We set SECURITY_WRITABLE_HOOKS n primarily for documentation purposes; the
|
||||
# config builder fails to detect that it has indeed been unset.
|
||||
${optionalString (versionAtLeast version "4.12") ''
|
||||
SECURITY_SELINUX_DISABLE n
|
||||
SECURITY_WRITABLE_HOOKS? n
|
||||
''}
|
||||
# Safer page access permissions (wrt. code injection). Default on >=4.11.
|
||||
DEBUG_RODATA = whenOlder "4.11" yes;
|
||||
DEBUG_SET_MODULE_RONX = whenOlder "4.11" yes;
|
||||
|
||||
DEBUG_WX y # boot-time warning on RWX mappings
|
||||
${optionalString (versionAtLeast version "4.11") ''
|
||||
STRICT_KERNEL_RWX y
|
||||
''}
|
||||
# Mark LSM hooks read-only after init. SECURITY_WRITABLE_HOOKS n
|
||||
# conflicts with SECURITY_SELINUX_DISABLE y; disabling the latter
|
||||
# implicitly marks LSM hooks read-only after init.
|
||||
#
|
||||
# SELinux can only be disabled at boot via selinux=0
|
||||
#
|
||||
# We set SECURITY_WRITABLE_HOOKS n primarily for documentation purposes; the
|
||||
# config builder fails to detect that it has indeed been unset.
|
||||
SECURITY_SELINUX_DISABLE = whenAtLeast "4.12" no;
|
||||
SECURITY_WRITABLE_HOOKS = whenAtLeast "4.12" (option no);
|
||||
|
||||
# Stricter /dev/mem
|
||||
STRICT_DEVMEM? y
|
||||
IO_STRICT_DEVMEM? y
|
||||
DEBUG_WX = yes; # boot-time warning on RWX mappings
|
||||
STRICT_KERNEL_RWX = whenAtLeast "4.11" yes;
|
||||
|
||||
# Perform additional validation of commonly targeted structures.
|
||||
DEBUG_CREDENTIALS y
|
||||
DEBUG_NOTIFIERS y
|
||||
DEBUG_LIST y
|
||||
DEBUG_PI_LIST y # doesn't BUG()
|
||||
DEBUG_SG y
|
||||
SCHED_STACK_END_CHECK y
|
||||
# Stricter /dev/mem
|
||||
STRICT_DEVMEM = option yes;
|
||||
IO_STRICT_DEVMEM = option yes;
|
||||
|
||||
${optionalString (versionAtLeast version "4.13") ''
|
||||
REFCOUNT_FULL y
|
||||
''}
|
||||
# Perform additional validation of commonly targeted structures.
|
||||
DEBUG_CREDENTIALS = yes;
|
||||
DEBUG_NOTIFIERS = yes;
|
||||
DEBUG_LIST = yes;
|
||||
DEBUG_PI_LIST = yes; # doesn't BUG()
|
||||
DEBUG_SG = yes;
|
||||
SCHED_STACK_END_CHECK = yes;
|
||||
|
||||
# Perform usercopy bounds checking.
|
||||
HARDENED_USERCOPY y
|
||||
${optionalString (versionAtLeast version "4.16") ''
|
||||
HARDENED_USERCOPY_FALLBACK n # for full whitelist enforcement
|
||||
''}
|
||||
REFCOUNT_FULL = whenAtLeast "4.13" yes;
|
||||
|
||||
# Randomize allocator freelists.
|
||||
SLAB_FREELIST_RANDOM y
|
||||
# Perform usercopy bounds checking.
|
||||
HARDENED_USERCOPY = yes;
|
||||
HARDENED_USERCOPY_FALLBACK = whenAtLeast "4.16" no; # for full whitelist enforcement
|
||||
|
||||
${optionalString (versionAtLeast version "4.14") ''
|
||||
SLAB_FREELIST_HARDENED y
|
||||
''}
|
||||
# Randomize allocator freelists.
|
||||
SLAB_FREELIST_RANDOM = yes;
|
||||
|
||||
# Allow enabling slub/slab free poisoning with slub_debug=P
|
||||
SLUB_DEBUG y
|
||||
SLAB_FREELIST_HARDENED = whenAtLeast "4.14" yes;
|
||||
|
||||
# Wipe higher-level memory allocations on free() with page_poison=1
|
||||
PAGE_POISONING y
|
||||
PAGE_POISONING_NO_SANITY y
|
||||
PAGE_POISONING_ZERO y
|
||||
# Allow enabling slub/slab free poisoning with slub_debug=P
|
||||
SLUB_DEBUG = yes;
|
||||
|
||||
# Reboot devices immediately if kernel experiences an Oops.
|
||||
PANIC_ON_OOPS y
|
||||
PANIC_TIMEOUT -1
|
||||
# Wipe higher-level memory allocations on free() with page_poison=1
|
||||
PAGE_POISONING = yes;
|
||||
PAGE_POISONING_NO_SANITY = yes;
|
||||
PAGE_POISONING_ZERO = yes;
|
||||
|
||||
GCC_PLUGINS y # Enable gcc plugin options
|
||||
# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
|
||||
GCC_PLUGIN_LATENT_ENTROPY y
|
||||
# Reboot devices immediately if kernel experiences an Oops.
|
||||
PANIC_ON_OOPS = yes;
|
||||
PANIC_TIMEOUT = freeform "-1";
|
||||
|
||||
${optionalString (versionAtLeast version "4.11") ''
|
||||
GCC_PLUGIN_STRUCTLEAK y # A port of the PaX structleak plugin
|
||||
''}
|
||||
${optionalString (versionAtLeast version "4.14") ''
|
||||
GCC_PLUGIN_STRUCTLEAK_BYREF_ALL y # Also cover structs passed by address
|
||||
''}
|
||||
${optionalString (versionAtLeast version "4.20") ''
|
||||
GCC_PLUGIN_STACKLEAK y # A port of the PaX stackleak plugin
|
||||
''}
|
||||
GCC_PLUGINS = yes; # Enable gcc plugin options
|
||||
# Gather additional entropy at boot time for systems that may = no;ot have appropriate entropy sources.
|
||||
GCC_PLUGIN_LATENT_ENTROPY = yes;
|
||||
|
||||
${optionalString (versionAtLeast version "4.13") ''
|
||||
GCC_PLUGIN_RANDSTRUCT y # A port of the PaX randstruct plugin
|
||||
GCC_PLUGIN_RANDSTRUCT_PERFORMANCE y
|
||||
''}
|
||||
GCC_PLUGIN_STRUCTLEAK = whenAtLeast "4.11" yes; # A port of the PaX structleak plugin
|
||||
GCC_PLUGIN_STRUCTLEAK_BYREF_ALL = whenAtLeast "4.14" yes; # Also cover structs passed by address
|
||||
GCC_PLUGIN_STACKLEAK = whenAtLeast "4.20" yes; # A port of the PaX stackleak plugin
|
||||
GCC_PLUGIN_RANDSTRUCT = whenAtLeast "4.13" yes; # A port of the PaX randstruct plugin
|
||||
GCC_PLUGIN_RANDSTRUCT_PERFORMANCE = whenAtLeast "4.13" yes;
|
||||
|
||||
# Disable various dangerous settings
|
||||
ACPI_CUSTOM_METHOD n # Allows writing directly to physical memory
|
||||
PROC_KCORE n # Exposes kernel text image layout
|
||||
INET_DIAG n # Has been used for heap based attacks in the past
|
||||
# Disable various dangerous settings
|
||||
ACPI_CUSTOM_METHOD = no; # Allows writing directly to physical memory
|
||||
PROC_KCORE = no; # Exposes kernel text image layout
|
||||
INET_DIAG = no; # Has been used for heap based attacks in the past
|
||||
|
||||
# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
|
||||
${optionalString (versionOlder version "4.18") ''
|
||||
CC_STACKPROTECTOR_REGULAR n
|
||||
CC_STACKPROTECTOR_STRONG y
|
||||
''}
|
||||
# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
|
||||
CC_STACKPROTECTOR_REGULAR = whenOlder "4.18" no;
|
||||
CC_STACKPROTECTOR_STRONG = whenOlder "4.18" yes;
|
||||
|
||||
# Enable compile/run-time buffer overflow detection ala glibc's _FORTIFY_SOURCE
|
||||
${optionalString (versionAtLeast version "4.13") ''
|
||||
FORTIFY_SOURCE y
|
||||
''}
|
||||
''
|
||||
# Enable compile/run-time buffer overflow detection ala glibc's _FORTIFY_SOURCE
|
||||
FORTIFY_SOURCE = whenAtLeast "4.13" yes;
|
||||
|
||||
}
|
||||
|
|
|
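Review bot: The comment above `GCC_PLUGIN_LATENT_ENTROPY = yes;` now reads `# Gather additional entropy at boot time for systems that may = no;ot have appropriate entropy sources.` — the mechanical ` n` → ` = no;` rewrite used for the conversion matched the word "not" inside a comment. It should read `# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.`. None of the other comments in this hunk show the same damage as far as I can see, but a search for `= no;` or `= yes;` on `#` lines across the rewritten file would confirm that before merging. File lines 1–10 sit outside the hunk, so any header comment there was not checked.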
@ -14757,6 +14757,7 @@ in
|
|||
hardenedLinuxPackagesFor = kernel: linuxPackagesFor (kernel.override {
|
||||
features.ia32Emulation = false;
|
||||
extraConfig = import ../os-specific/linux/kernel/hardened-config.nix {
|
||||
structuredExtraConfig = import ../os-specific/linux/kernel/hardened-config.nix {
|
||||
inherit stdenv;
|
||||
inherit (kernel) version;
|
||||
};
|
||||
|
|