linux: Expand hardened config

Based on latest recommendations at
http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
This commit is contained in:
Tim Steinbach 2017-08-05 15:38:17 -04:00
parent e66c85d196
commit ff10bafd00
No known key found for this signature in database
GPG Key ID: 472BFCCA96BD0EDA
5 changed files with 91 additions and 39 deletions

View File

@ -13,42 +13,8 @@ with stdenv.lib;
assert (versionAtLeast version "4.9");
''
GCC_PLUGINS y # Enable gcc plugin options
${optionalString (versionAtLeast version "4.11") ''
GCC_PLUGIN_STRUCTLEAK y # A port of the PaX structleak plugin
''}
DEBUG_WX y # A one-time check for W+X mappings at boot; doesn't do anything beyond printing a warning
${optionalString (versionAtLeast version "4.10") ''
BUG_ON_DATA_CORRUPTION y # BUG if kernel struct validation detects corruption
''}
# Additional validation of commonly targetted structures
DEBUG_CREDENTIALS y
DEBUG_NOTIFIERS y
DEBUG_LIST y
DEBUG_SG y
HARDENED_USERCOPY y # Bounds check usercopy
# Wipe on free with page_poison=1
PAGE_POISONING y
PAGE_POISONING_NO_SANITY y
PAGE_POISONING_ZERO y
CC_STACKPROTECTOR_REGULAR n
CC_STACKPROTECTOR_STRONG y
# Stricter /dev/mem
STRICT_DEVMEM y
IO_STRICT_DEVMEM y
# Disable various dangerous settings
ACPI_CUSTOM_METHOD n # Allows writing directly to physical memory
PROC_KCORE n # Exposes kernel text image layout
INET_DIAG n # Has been used for heap based attacks in the past
# Report BUG() conditions and kill the offending process.
BUG y
${optionalString (stdenv.system == "x86_64-linux") ''
DEFAULT_MMAP_MIN_ADDR 65536 # Prevent allocation of first 64K of memory
@ -56,8 +22,81 @@ ${optionalString (stdenv.system == "x86_64-linux") ''
# Reduce attack surface by disabling various emulations
IA32_EMULATION n
X86_X32 n
MODIFY_LDT_SYSCALL n
VMAP_STACK y # Catch kernel stack overflows
# Randomize position of kernel and memory.
RANDOMIZE_BASE y
RANDOMIZE_MEMORY y
# Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
LEGACY_VSYSCALL_NONE y
''}
# Make sure kernel page tables have safe permissions.
DEBUG_KERNEL y
${optionalString (versionOlder version "4.11") ''
DEBUG_RODATA y
DEBUG_SET_MODULE_RONX y
''}
${optionalString (versionAtLeast version "4.11") ''
GCC_PLUGIN_STRUCTLEAK y # A port of the PaX structleak plugin
''}
# Report any dangerous memory permissions (not available on all archs).
DEBUG_WX y
# Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
# DEVMEM is not set
STRICT_DEVMEM y
IO_STRICT_DEVMEM y
# Perform additional validation of various commonly targeted structures.
DEBUG_CREDENTIALS y
DEBUG_NOTIFIERS y
DEBUG_LIST y
DEBUG_SG y
BUG_ON_DATA_CORRUPTION y
SCHED_STACK_END_CHECK y
# Provide userspace with seccomp BPF API for syscall attack surface reduction.
SECCOMP y
SECCOMP_FILTER y
# Provide userspace with ptrace ancestry protections.
SECURITY y
SECURITY_YAMA y
# Perform usercopy bounds checking.
HARDENED_USERCOPY y
# Randomize allocator freelists.
SLAB_FREELIST_RANDOM y
# Wipe higher-level memory allocations when they are freed (needs "page_poison 1" command line below).
# (If you can afford even more performance penalty, leave PAGE_POISONING_NO_SANITY n)
PAGE_POISONING y
PAGE_POISONING_NO_SANITY y
PAGE_POISONING_ZERO y
# Reboot devices immediately if kernel experiences an Oops.
PANIC_ON_OOPS y
PANIC_TIMEOUT -1
# Keep root from altering kernel memory via loadable modules.
# MODULES is not set
GCC_PLUGINS y # Enable gcc plugin options
# Disable various dangerous settings
ACPI_CUSTOM_METHOD n # Allows writing directly to physical memory
PROC_KCORE n # Exposes kernel text image layout
INET_DIAG n # Has been used for heap based attacks in the past
# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
CC_STACKPROTECTOR_REGULAR n
CC_STACKPROTECTOR_STRONG y
''

View File

@ -9,7 +9,7 @@ in
import ./generic.nix (args // {
version = "${version}-${revision}";
extraMeta.branch = "4.12";
modDirVersion = "${version}";
modDirVersion = "${version}-hardened";
src = fetchFromGitHub {
inherit sha256;

View File

@ -156,4 +156,9 @@ rec {
sha256 = "10dmv3d3gj8rvj9h40js4jh8xbr5wyaqiy0kd819mya441mj8ll2";
};
};
tag_hardened = rec {
name = "tag-hardened";
patch = ./tag-hardened.patch;
};
}

View File

@ -0,0 +1,7 @@
diff --git a/localversion-hardened b/localversion-hardened
new file mode 100644
index 0000000000..e578045860
--- /dev/null
+++ b/localversion-hardened
@@ -0,0 +1 @@
+-hardened

View File

@ -1338,7 +1338,7 @@ with pkgs;
clementine = callPackage ../applications/audio/clementine {
boost = boost155;
gst_plugins =
gst_plugins =
with gst_all_1; [ gst-plugins-base gst-plugins-good gst-plugins-ugly ];
};
@ -12040,10 +12040,11 @@ with pkgs;
kernelPatches.p9_fixes
kernelPatches.modinst_arg_list_too_long
kernelPatches.cpu-cgroup-v2."4.11"
kernelPatches.tag_hardened
];
extraConfig = import ../os-specific/linux/kernel/hardened-config.nix {
inherit stdenv;
inherit (linux) version;
inherit (linux_hardened_copperhead) version;
};
};