From f963014829a20c61968ec9ae90e8b112cb065380 Mon Sep 17 00:00:00 2001 From: Joachim Fasting Date: Sun, 6 Aug 2017 20:27:52 +0200 Subject: [PATCH] linux-hardened-config: various fixups Note - the kernel config parser ignores "# foo is unset" comments so they have no effect; disabling kernel modules would break *everything* and so is ill-suited for a general-purpose kernel anyway --- the hardened nixos profile provides a more flexible solution - removed some overlap with the common config (SECCOMP is *required* by systemd; YAMA is enabled by default). - MODIFY_LDT_SYSCALL is guarded by EXPERT on vanilla so setting it to y breaks the build; fix by making it optional - restored some original comments which I feel are clearer --- .../linux/kernel/hardened-config.nix | 46 ++++++++----------- 1 file changed, 18 insertions(+), 28 deletions(-) diff --git a/pkgs/os-specific/linux/kernel/hardened-config.nix b/pkgs/os-specific/linux/kernel/hardened-config.nix index 7c5593a4df2..579fb2947ec 100644 --- a/pkgs/os-specific/linux/kernel/hardened-config.nix +++ b/pkgs/os-specific/linux/kernel/hardened-config.nix @@ -5,6 +5,8 @@ # Dangerous features that can be permanently (for the boot session) disabled at # boot via sysctl or kernel cmdline are left enabled here, for improved # flexibility. +# +# See also { stdenv, version }: @@ -22,7 +24,7 @@ ${optionalString (stdenv.system == "x86_64-linux") '' # Reduce attack surface by disabling various emulations IA32_EMULATION n X86_X32 n - MODIFY_LDT_SYSCALL n + MODIFY_LDT_SYSCALL? n VMAP_STACK y # Catch kernel stack overflows @@ -30,45 +32,33 @@ ${optionalString (stdenv.system == "x86_64-linux") '' RANDOMIZE_BASE y RANDOMIZE_MEMORY y - # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target. + # Disable legacy virtual syscalls by default (modern glibc use vDSO instead). + # + # Note that the vanilla default is to *emulate* the legacy vsyscall mechanism, + # which is supposed to be safer than the native variant (wrt. ret2libc), so + # disabling it mainly helps reduce surface. LEGACY_VSYSCALL_NONE y ''} -# Make sure kernel page tables have safe permissions. -DEBUG_KERNEL y - +# Safer page access permissions (wrt. code injection). Default on >=4.11. ${optionalString (versionOlder version "4.11") '' DEBUG_RODATA y DEBUG_SET_MODULE_RONX y ''} -${optionalString (versionAtLeast version "4.11") '' - GCC_PLUGIN_STRUCTLEAK y # A port of the PaX structleak plugin -''} +DEBUG_WX y # boot-time warning on RWX mappings -# Report any dangerous memory permissions (not available on all archs). -DEBUG_WX y - -# Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...) -# DEVMEM is not set +# Stricter /dev/mem STRICT_DEVMEM y IO_STRICT_DEVMEM y -# Perform additional validation of various commonly targeted structures. +# Perform additional validation of commonly targeted structures. DEBUG_CREDENTIALS y DEBUG_NOTIFIERS y DEBUG_LIST y DEBUG_SG y -BUG_ON_DATA_CORRUPTION y SCHED_STACK_END_CHECK y - -# Provide userspace with seccomp BPF API for syscall attack surface reduction. -SECCOMP y -SECCOMP_FILTER y - -# Provide userspace with ptrace ancestry protections. -SECURITY y -SECURITY_YAMA y +BUG_ON_DATA_CORRUPTION y # Perform usercopy bounds checking. HARDENED_USERCOPY y @@ -76,8 +66,7 @@ HARDENED_USERCOPY y # Randomize allocator freelists. SLAB_FREELIST_RANDOM y -# Wipe higher-level memory allocations when they are freed (needs "page_poison 1" command line below). -# (If you can afford even more performance penalty, leave PAGE_POISONING_NO_SANITY n) +# Wipe higher-level memory allocations on free() with page_poison=1 PAGE_POISONING y PAGE_POISONING_NO_SANITY y PAGE_POISONING_ZERO y @@ -86,11 +75,12 @@ PAGE_POISONING_ZERO y PANIC_ON_OOPS y PANIC_TIMEOUT -1 -# Keep root from altering kernel memory via loadable modules. -# MODULES is not set - GCC_PLUGINS y # Enable gcc plugin options +${optionalString (versionAtLeast version "4.11") '' + GCC_PLUGIN_STRUCTLEAK y # A port of the PaX structleak plugin +''} + # Disable various dangerous settings ACPI_CUSTOM_METHOD n # Allows writing directly to physical memory PROC_KCORE n # Exposes kernel text image layout