nixpkgs/pkgs/os-specific/linux/kernel/hardened/config.nix

# Based on recommendations from:
# http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project#Recommended_settings
# https://wiki.gentoo.org/wiki/Hardened/Hardened_Kernel_Project
#
# Dangerous features that can be permanently (for the boot session) disabled at
# boot via sysctl or kernel cmdline are left enabled here, for improved
# flexibility.
#
# See also <nixos/modules/profiles/hardened.nix>

{ lib, version }:

with lib;
with lib.kernel;
with (lib.kernel.whenHelpers version);

assert (versionAtLeast version "4.9");

{
  # Report BUG() conditions and kill the offending process.
  BUG = yes;

  # Safer page access permissions (wrt. code injection).  Default on >=4.11.
  DEBUG_RODATA          = whenOlder "4.11" yes;
  DEBUG_SET_MODULE_RONX = whenOlder "4.11" yes;

  # Mark LSM hooks read-only after init.  SECURITY_WRITABLE_HOOKS n
  # conflicts with SECURITY_SELINUX_DISABLE y; disabling the latter
  # implicitly marks LSM hooks read-only after init.
  #
  # SELinux can only be disabled at boot via selinux=0
  #
  # We set SECURITY_WRITABLE_HOOKS n primarily for documentation purposes; the
  # config builder fails to detect that it has indeed been unset.
  SECURITY_SELINUX_DISABLE = whenAtLeast "4.12" no;
  SECURITY_WRITABLE_HOOKS  = whenAtLeast "4.12" (option no);

  STRICT_KERNEL_RWX = whenAtLeast "4.11" yes;

  # Perform additional validation of commonly targeted structures.
  DEBUG_CREDENTIALS     = yes;
  DEBUG_NOTIFIERS       = yes;
  DEBUG_PI_LIST         = whenOlder "5.2" yes; # doesn't BUG()
  DEBUG_PLIST           = whenAtLeast "5.2" yes;
  DEBUG_SG              = yes;
  SCHED_STACK_END_CHECK = yes;

  REFCOUNT_FULL = whenBetween "4.13" "5.5" yes;

  # Randomize page allocator when page_alloc.shuffle=1
  SHUFFLE_PAGE_ALLOCATOR = whenAtLeast "5.2" yes;

  # Allow enabling slub/slab free poisoning with slub_debug=P
  SLUB_DEBUG = yes;

  # Wipe higher-level memory allocations on free() with page_poison=1
  PAGE_POISONING           = yes;
  PAGE_POISONING_NO_SANITY = whenOlder "5.11" yes;
  PAGE_POISONING_ZERO      = whenOlder "5.11" yes;

  # Enable the SafeSetId LSM
  SECURITY_SAFESETID = whenAtLeast "5.1" yes;

  # Reboot devices immediately if kernel experiences an Oops.
  PANIC_TIMEOUT = freeform "-1";

  GCC_PLUGINS = yes; # Enable gcc plugin options
  # Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
  GCC_PLUGIN_LATENT_ENTROPY = yes;

  GCC_PLUGIN_STRUCTLEAK = whenAtLeast "4.11" yes; # A port of the PaX structleak plugin
  GCC_PLUGIN_STRUCTLEAK_BYREF_ALL = whenAtLeast "4.14" yes; # Also cover structs passed by address
  GCC_PLUGIN_STACKLEAK = whenAtLeast "4.20" yes; # A port of the PaX stackleak plugin
  GCC_PLUGIN_RANDSTRUCT = whenAtLeast "4.13" yes; # A port of the PaX randstruct plugin
  GCC_PLUGIN_RANDSTRUCT_PERFORMANCE = whenAtLeast "4.13" yes;

  # Disable various dangerous settings
  ACPI_CUSTOM_METHOD = no; # Allows writing directly to physical memory
  PROC_KCORE         = no; # Exposes kernel text image layout
  INET_DIAG          = no; # Has been used for heap based attacks in the past

  # INET_DIAG=n causes the following options to not exist anymore, but since they are defined in common-config.nix,
  # make them optional
  INET_DIAG_DESTROY = option no;
  INET_RAW_DIAG     = option no;
  INET_TCP_DIAG     = option no;
  INET_UDP_DIAG     = option no;
  INET_MPTCP_DIAG   = option no;

  # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
  CC_STACKPROTECTOR_REGULAR = whenOlder "4.18" no;
  CC_STACKPROTECTOR_STRONG  = whenOlder "4.18" yes;

}
linux_hardened: init The rationale for this is to have a place to enable hardening features that are either too invasive or that may be speculative/yet proven to be worthwhile for general-purpose kernels. 2017-04-29 19:42:02 +01:00			`# Based on recommendations from:`
			`# http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project#Recommended_settings`
			`# https://wiki.gentoo.org/wiki/Hardened/Hardened_Kernel_Project`
			`#`
			`# Dangerous features that can be permanently (for the boot session) disabled at`
			`# boot via sysctl or kernel cmdline are left enabled here, for improved`
			`# flexibility.`
linux-hardened-config: various fixups Note - the kernel config parser ignores "# foo is unset" comments so they have no effect; disabling kernel modules would break everything and so is ill-suited for a general-purpose kernel anyway --- the hardened nixos profile provides a more flexible solution - removed some overlap with the common config (SECCOMP is required by systemd; YAMA is enabled by default). - MODIFY_LDT_SYSCALL is guarded by EXPERT on vanilla so setting it to y breaks the build; fix by making it optional - restored some original comments which I feel are clearer 2017-08-06 19:27:52 +01:00			`#`
			`# See also <nixos/modules/profiles/hardened.nix>`
linux_hardened: init The rationale for this is to have a place to enable hardening features that are either too invasive or that may be speculative/yet proven to be worthwhile for general-purpose kernels. 2017-04-29 19:42:02 +01:00
treewide: remove stdenv where not needed 2021-01-25 08:26:54 +00:00			`{ lib, version }:`
linux_hardened: init The rationale for this is to have a place to enable hardening features that are either too invasive or that may be speculative/yet proven to be worthwhile for general-purpose kernels. 2017-04-29 19:42:02 +01:00
pkgs/os-specific: stdenv.lib -> lib 2021-01-15 14:45:37 +00:00			`with lib;`
			`with lib.kernel;`
			`with (lib.kernel.whenHelpers version);`
lib.kernel: scoped whenXXX helpers whenAtLeast/whenBetween are made available in lib/kernel.nix but are now scoped under whenXXX. 2019-09-19 12:12:35 +01:00
linux_hardened: move to 4.11 Note that DEBUG_RODATA has been split into STRICT_KERNEL_RWX & STRICT_MODULE_RWX, which are on by default (non-optional). 2017-05-06 18:02:16 +01:00			`assert (versionAtLeast version "4.9");`

linux_*_hardened: don't set LEGACY_VSYSCALL_NONE Upstreamed in anthraxx/linux-hardened@d300b0fdad706daab3a36a8d23b35ebe03c3fc87. 2020-04-04 22:58:45 +01:00			`{`
linux: convert hardened-config to a structured one 2018-10-03 10:53:23 +01:00			`# Report BUG() conditions and kill the offending process.`
			`BUG = yes;`

			`# Safer page access permissions (wrt. code injection). Default on >=4.11.`
			`DEBUG_RODATA = whenOlder "4.11" yes;`
			`DEBUG_SET_MODULE_RONX = whenOlder "4.11" yes;`

			`# Mark LSM hooks read-only after init. SECURITY_WRITABLE_HOOKS n`
			`# conflicts with SECURITY_SELINUX_DISABLE y; disabling the latter`
			`# implicitly marks LSM hooks read-only after init.`
			`#`
			`# SELinux can only be disabled at boot via selinux=0`
			`#`
			`# We set SECURITY_WRITABLE_HOOKS n primarily for documentation purposes; the`
			`# config builder fails to detect that it has indeed been unset.`
			`SECURITY_SELINUX_DISABLE = whenAtLeast "4.12" no;`
			`SECURITY_WRITABLE_HOOKS = whenAtLeast "4.12" (option no);`

			`STRICT_KERNEL_RWX = whenAtLeast "4.11" yes;`

			`# Perform additional validation of commonly targeted structures.`
			`DEBUG_CREDENTIALS = yes;`
			`DEBUG_NOTIFIERS = yes;`
linux: fix kernel config options for linux_*hardened Fix config options for linux_hardened and linux_latest_hardened due to #84302. This is a continuation of #88946. 2020-06-10 15:05:17 +01:00			`DEBUG_PI_LIST = whenOlder "5.2" yes; # doesn't BUG()`
			`DEBUG_PLIST = whenAtLeast "5.2" yes;`
linux: convert hardened-config to a structured one 2018-10-03 10:53:23 +01:00			`DEBUG_SG = yes;`
			`SCHED_STACK_END_CHECK = yes;`

linux: fix kernel config options for linux_*hardened Fix config options for linux_hardened and linux_latest_hardened due to #84302. This is a continuation of #88946. 2020-06-10 15:05:17 +01:00			`REFCOUNT_FULL = whenBetween "4.13" "5.5" yes;`
linux: convert hardened-config to a structured one 2018-10-03 10:53:23 +01:00
linux-hardened: enable page alloc randomization New in 5.2 2019-07-18 13:00:06 +01:00			`# Randomize page allocator when page_alloc.shuffle=1`
			`SHUFFLE_PAGE_ALLOCATOR = whenAtLeast "5.2" yes;`

linux: convert hardened-config to a structured one 2018-10-03 10:53:23 +01:00			`# Allow enabling slub/slab free poisoning with slub_debug=P`
			`SLUB_DEBUG = yes;`

			`# Wipe higher-level memory allocations on free() with page_poison=1`
			`PAGE_POISONING = yes;`
linux-hardened: Fix page poisoning for 5.11 `PAGE_POISONING_NO_SANITY` was removed in https://git.kernel.org/linus/8f424750baaafcef229791882e879da01c9473b5 `PAGE_POISONING_ZERO` was removed in https://git.kernel.org/linus/f289041ed4cf9a3f6e8a32068fef9ffb2acc5662 2021-03-23 13:50:52 +00:00			`PAGE_POISONING_NO_SANITY = whenOlder "5.11" yes;`
			`PAGE_POISONING_ZERO = whenOlder "5.11" yes;`
linux: convert hardened-config to a structured one 2018-10-03 10:53:23 +01:00
hardened-config: enable the SafeSetID LSM The purpose of this LSM is to allow processes to drop to a less privileged user id without having to grant them full CAP_SETUID (or use file caps). The LSM allows configuring a whitelist policy of permitted from:to uid transitions. The policy is enforced upon calls to setuid(2) and related syscalls. Policies are configured through securityfs by writing to - safesetid/add_whitelist_policy ; and - safesetid/flush_whitelist_policies A process attempting a transition not permitted by current policy is killed (to avoid accidentally running with higher privileges than intended). A uid that has a configured policy is prevented from obtaining auxiliary setuid privileges (e.g., setting up user namespaces). See also: https://www.kernel.org/doc/html/latest/admin-guide/LSM/SafeSetID.html 2019-05-07 10:08:36 +01:00			`# Enable the SafeSetId LSM`
			`SECURITY_SAFESETID = whenAtLeast "5.1" yes;`

linux: convert hardened-config to a structured one 2018-10-03 10:53:23 +01:00			`# Reboot devices immediately if kernel experiences an Oops.`
			`PANIC_TIMEOUT = freeform "-1";`

			`GCC_PLUGINS = yes; # Enable gcc plugin options`
linux: fix fallout from conflicting kernel configs The parent commit forbids conflicting kernel config options. Fix the hardened kernels by allowing options in common-config.nix to be overridden by conflicting ones in hardened/config.nix. I'm explicitly avoiding using a higher priority (e.g. using mkForce) in hardened/config.nix so that the user can easily override the options in that file. 2020-06-10 15:29:14 +01:00			`# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.`
linux: convert hardened-config to a structured one 2018-10-03 10:53:23 +01:00			`GCC_PLUGIN_LATENT_ENTROPY = yes;`

			`GCC_PLUGIN_STRUCTLEAK = whenAtLeast "4.11" yes; # A port of the PaX structleak plugin`
			`GCC_PLUGIN_STRUCTLEAK_BYREF_ALL = whenAtLeast "4.14" yes; # Also cover structs passed by address`
			`GCC_PLUGIN_STACKLEAK = whenAtLeast "4.20" yes; # A port of the PaX stackleak plugin`
			`GCC_PLUGIN_RANDSTRUCT = whenAtLeast "4.13" yes; # A port of the PaX randstruct plugin`
			`GCC_PLUGIN_RANDSTRUCT_PERFORMANCE = whenAtLeast "4.13" yes;`

			`# Disable various dangerous settings`
			`ACPI_CUSTOM_METHOD = no; # Allows writing directly to physical memory`
			`PROC_KCORE = no; # Exposes kernel text image layout`
			`INET_DIAG = no; # Has been used for heap based attacks in the past`

linux: fix fallout from conflicting kernel configs The parent commit forbids conflicting kernel config options. Fix the hardened kernels by allowing options in common-config.nix to be overridden by conflicting ones in hardened/config.nix. I'm explicitly avoiding using a higher priority (e.g. using mkForce) in hardened/config.nix so that the user can easily override the options in that file. 2020-06-10 15:29:14 +01:00			`# INET_DIAG=n causes the following options to not exist anymore, but since they are defined in common-config.nix,`
			`# make them optional`
			`INET_DIAG_DESTROY = option no;`
			`INET_RAW_DIAG = option no;`
			`INET_TCP_DIAG = option no;`
			`INET_UDP_DIAG = option no;`
			`INET_MPTCP_DIAG = option no;`

linux: convert hardened-config to a structured one 2018-10-03 10:53:23 +01:00			`# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.`
			`CC_STACKPROTECTOR_REGULAR = whenOlder "4.18" no;`
			`CC_STACKPROTECTOR_STRONG = whenOlder "4.18" yes;`

			`}`