From 87bc514620998a3e64278a3eadbe660c51bafabe Mon Sep 17 00:00:00 2001 From: Joachim Fasting Date: Tue, 7 May 2019 11:08:36 +0200 Subject: [PATCH] hardened-config: enable the SafeSetID LSM The purpose of this LSM is to allow processes to drop to a less privileged user id without having to grant them full CAP_SETUID (or use file caps). The LSM allows configuring a whitelist policy of permitted from:to uid transitions. The policy is enforced upon calls to setuid(2) and related syscalls. Policies are configured through securityfs by writing to - safesetid/add_whitelist_policy ; and - safesetid/flush_whitelist_policies A process attempting a transition not permitted by current policy is killed (to avoid accidentally running with higher privileges than intended). A uid that has a configured policy is prevented from obtaining auxiliary setuid privileges (e.g., setting up user namespaces). See also: https://www.kernel.org/doc/html/latest/admin-guide/LSM/SafeSetID.html --- pkgs/os-specific/linux/kernel/hardened-config.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/pkgs/os-specific/linux/kernel/hardened-config.nix b/pkgs/os-specific/linux/kernel/hardened-config.nix index f1f18c64130..79ee27c52b5 100644 --- a/pkgs/os-specific/linux/kernel/hardened-config.nix +++ b/pkgs/os-specific/linux/kernel/hardened-config.nix @@ -91,6 +91,9 @@ optionalAttrs (stdenv.hostPlatform.platform.kernelArch == "x86_64") { PAGE_POISONING_NO_SANITY = yes; PAGE_POISONING_ZERO = yes; + # Enable the SafeSetId LSM + SECURITY_SAFESETID = whenAtLeast "5.1" yes; + # Reboot devices immediately if kernel experiences an Oops. PANIC_ON_OOPS = yes; PANIC_TIMEOUT = freeform "-1";