linux: Expand hardened config

Based on latest recommendations at http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
2017-08-05 15:38:17 -04:00 · 2017-08-05 15:38:17 -04:00 · ff10bafd00
commit ff10bafd00
parent e66c85d196
5 changed files with 91 additions and 39 deletions
--- a/pkgs/os-specific/linux/kernel/hardened-config.nix
+++ b/pkgs/os-specific/linux/kernel/hardened-config.nix
@ -13,42 +13,8 @@ with stdenv.lib;
 assert (versionAtLeast version "4.9");
 ''
-GCC_PLUGINS y # Enable gcc plugin options
+# Report BUG() conditions and kill the offending process.
-
+BUG y
 ${optionalString (versionAtLeast version "4.11") ''
  GCC_PLUGIN_STRUCTLEAK y # A port of the PaX structleak plugin
 ''}
 DEBUG_WX y # A one-time check for W+X mappings at boot; doesn't do anything beyond printing a warning
 ${optionalString (versionAtLeast version "4.10") ''
  BUG_ON_DATA_CORRUPTION y # BUG if kernel struct validation detects corruption
 ''}
 # Additional validation of commonly targetted structures
 DEBUG_CREDENTIALS y
 DEBUG_NOTIFIERS y
 DEBUG_LIST y
 DEBUG_SG y
 HARDENED_USERCOPY y # Bounds check usercopy
 # Wipe on free with page_poison=1
 PAGE_POISONING y
 PAGE_POISONING_NO_SANITY y
 PAGE_POISONING_ZERO y
 CC_STACKPROTECTOR_REGULAR n
 CC_STACKPROTECTOR_STRONG y
 # Stricter /dev/mem
 STRICT_DEVMEM y
 IO_STRICT_DEVMEM y
 # Disable various dangerous settings
 ACPI_CUSTOM_METHOD n # Allows writing directly to physical memory
 PROC_KCORE n # Exposes kernel text image layout
 INET_DIAG n # Has been used for heap based attacks in the past
 ${optionalString (stdenv.system == "x86_64-linux") ''
  DEFAULT_MMAP_MIN_ADDR 65536 # Prevent allocation of first 64K of memory
@ -56,8 +22,81 @@ ${optionalString (stdenv.system == "x86_64-linux") ''
  # Reduce attack surface by disabling various emulations
  IA32_EMULATION n
  X86_X32 n
  MODIFY_LDT_SYSCALL n
  VMAP_STACK y # Catch kernel stack overflows
  # Randomize position of kernel and memory.
  RANDOMIZE_BASE y
  RANDOMIZE_MEMORY y
  # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
  LEGACY_VSYSCALL_NONE y
 ''}
 # Make sure kernel page tables have safe permissions.
 DEBUG_KERNEL y
 ${optionalString (versionOlder version "4.11") ''
  DEBUG_RODATA y
  DEBUG_SET_MODULE_RONX y
 ''}
 ${optionalString (versionAtLeast version "4.11") ''
  GCC_PLUGIN_STRUCTLEAK y # A port of the PaX structleak plugin
 ''}
 # Report any dangerous memory permissions (not available on all archs).
 DEBUG_WX y
 # Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
 # DEVMEM is not set
 STRICT_DEVMEM y
 IO_STRICT_DEVMEM y
 # Perform additional validation of various commonly targeted structures.
 DEBUG_CREDENTIALS y
 DEBUG_NOTIFIERS y
 DEBUG_LIST y
 DEBUG_SG y
 BUG_ON_DATA_CORRUPTION y
 SCHED_STACK_END_CHECK y
 # Provide userspace with seccomp BPF API for syscall attack surface reduction.
 SECCOMP y
 SECCOMP_FILTER y
 # Provide userspace with ptrace ancestry protections.
 SECURITY y
 SECURITY_YAMA y
 # Perform usercopy bounds checking.
 HARDENED_USERCOPY y
 # Randomize allocator freelists.
 SLAB_FREELIST_RANDOM y
 # Wipe higher-level memory allocations when they are freed (needs "page_poison 1" command line below).
 # (If you can afford even more performance penalty, leave PAGE_POISONING_NO_SANITY n)
 PAGE_POISONING y
 PAGE_POISONING_NO_SANITY y
 PAGE_POISONING_ZERO y
 # Reboot devices immediately if kernel experiences an Oops.
 PANIC_ON_OOPS y
 PANIC_TIMEOUT -1
 # Keep root from altering kernel memory via loadable modules.
 # MODULES is not set
 GCC_PLUGINS y # Enable gcc plugin options
 # Disable various dangerous settings
 ACPI_CUSTOM_METHOD n # Allows writing directly to physical memory
 PROC_KCORE n # Exposes kernel text image layout
 INET_DIAG n # Has been used for heap based attacks in the past
 # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
 CC_STACKPROTECTOR_REGULAR n
 CC_STACKPROTECTOR_STRONG y
 ''
--- a/pkgs/os-specific/linux/kernel/linux-hardened-copperhead.nix
+++ b/pkgs/os-specific/linux/kernel/linux-hardened-copperhead.nix
@ -9,7 +9,7 @@ in
 import ./generic.nix (args // {
  version = "${version}-${revision}";
  extraMeta.branch = "4.12";
-  modDirVersion = "${version}";
+  modDirVersion = "${version}-hardened";
  src = fetchFromGitHub {
    inherit sha256;
--- a/pkgs/os-specific/linux/kernel/patches.nix
+++ b/pkgs/os-specific/linux/kernel/patches.nix
@ -156,4 +156,9 @@ rec {
        sha256 = "10dmv3d3gj8rvj9h40js4jh8xbr5wyaqiy0kd819mya441mj8ll2";
      };
    };
  tag_hardened = rec {
    name = "tag-hardened";
    patch = ./tag-hardened.patch;
  };
 }
--- a/pkgs/os-specific/linux/kernel/tag-hardened.patch
+++ b/pkgs/os-specific/linux/kernel/tag-hardened.patch
@ -0,0 +1,7 @@
 diff --git a/localversion-hardened b/localversion-hardened
 new file mode 100644
 index 0000000000..e578045860
 --- /dev/null
 +++ b/localversion-hardened
@@ -0,0 +1 @@
 +-hardened
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@ -1338,7 +1338,7 @@ with pkgs;
  clementine = callPackage ../applications/audio/clementine {
    boost = boost155;
-    gst_plugins = 
+    gst_plugins =
      with gst_all_1; [ gst-plugins-base gst-plugins-good gst-plugins-ugly ];
  };
@ -12040,10 +12040,11 @@ with pkgs;
      kernelPatches.p9_fixes
      kernelPatches.modinst_arg_list_too_long
      kernelPatches.cpu-cgroup-v2."4.11"
      kernelPatches.tag_hardened
    ];
    extraConfig = import ../os-specific/linux/kernel/hardened-config.nix {
      inherit stdenv;
-      inherit (linux) version;
+      inherit (linux_hardened_copperhead) version;
    };
  };