linux: Expand hardened config
Based on latest recommendations at http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
This commit is contained in:
parent
e66c85d196
commit
ff10bafd00
@ -13,42 +13,8 @@ with stdenv.lib;
|
||||
assert (versionAtLeast version "4.9");
|
||||
|
||||
''
|
||||
GCC_PLUGINS y # Enable gcc plugin options
|
||||
|
||||
${optionalString (versionAtLeast version "4.11") ''
|
||||
GCC_PLUGIN_STRUCTLEAK y # A port of the PaX structleak plugin
|
||||
''}
|
||||
|
||||
DEBUG_WX y # A one-time check for W+X mappings at boot; doesn't do anything beyond printing a warning
|
||||
|
||||
${optionalString (versionAtLeast version "4.10") ''
|
||||
BUG_ON_DATA_CORRUPTION y # BUG if kernel struct validation detects corruption
|
||||
''}
|
||||
|
||||
# Additional validation of commonly targetted structures
|
||||
DEBUG_CREDENTIALS y
|
||||
DEBUG_NOTIFIERS y
|
||||
DEBUG_LIST y
|
||||
DEBUG_SG y
|
||||
|
||||
HARDENED_USERCOPY y # Bounds check usercopy
|
||||
|
||||
# Wipe on free with page_poison=1
|
||||
PAGE_POISONING y
|
||||
PAGE_POISONING_NO_SANITY y
|
||||
PAGE_POISONING_ZERO y
|
||||
|
||||
CC_STACKPROTECTOR_REGULAR n
|
||||
CC_STACKPROTECTOR_STRONG y
|
||||
|
||||
# Stricter /dev/mem
|
||||
STRICT_DEVMEM y
|
||||
IO_STRICT_DEVMEM y
|
||||
|
||||
# Disable various dangerous settings
|
||||
ACPI_CUSTOM_METHOD n # Allows writing directly to physical memory
|
||||
PROC_KCORE n # Exposes kernel text image layout
|
||||
INET_DIAG n # Has been used for heap based attacks in the past
|
||||
# Report BUG() conditions and kill the offending process.
|
||||
BUG y
|
||||
|
||||
${optionalString (stdenv.system == "x86_64-linux") ''
|
||||
DEFAULT_MMAP_MIN_ADDR 65536 # Prevent allocation of first 64K of memory
|
||||
@ -56,8 +22,81 @@ ${optionalString (stdenv.system == "x86_64-linux") ''
|
||||
# Reduce attack surface by disabling various emulations
|
||||
IA32_EMULATION n
|
||||
X86_X32 n
|
||||
MODIFY_LDT_SYSCALL n
|
||||
|
||||
VMAP_STACK y # Catch kernel stack overflows
|
||||
|
||||
# Randomize position of kernel and memory.
|
||||
RANDOMIZE_BASE y
|
||||
RANDOMIZE_MEMORY y
|
||||
|
||||
# Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
|
||||
LEGACY_VSYSCALL_NONE y
|
||||
''}
|
||||
|
||||
# Make sure kernel page tables have safe permissions.
|
||||
DEBUG_KERNEL y
|
||||
|
||||
${optionalString (versionOlder version "4.11") ''
|
||||
DEBUG_RODATA y
|
||||
DEBUG_SET_MODULE_RONX y
|
||||
''}
|
||||
|
||||
${optionalString (versionAtLeast version "4.11") ''
|
||||
GCC_PLUGIN_STRUCTLEAK y # A port of the PaX structleak plugin
|
||||
''}
|
||||
|
||||
# Report any dangerous memory permissions (not available on all archs).
|
||||
DEBUG_WX y
|
||||
|
||||
# Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
|
||||
# DEVMEM is not set
|
||||
STRICT_DEVMEM y
|
||||
IO_STRICT_DEVMEM y
|
||||
|
||||
# Perform additional validation of various commonly targeted structures.
|
||||
DEBUG_CREDENTIALS y
|
||||
DEBUG_NOTIFIERS y
|
||||
DEBUG_LIST y
|
||||
DEBUG_SG y
|
||||
BUG_ON_DATA_CORRUPTION y
|
||||
SCHED_STACK_END_CHECK y
|
||||
|
||||
# Provide userspace with seccomp BPF API for syscall attack surface reduction.
|
||||
SECCOMP y
|
||||
SECCOMP_FILTER y
|
||||
|
||||
# Provide userspace with ptrace ancestry protections.
|
||||
SECURITY y
|
||||
SECURITY_YAMA y
|
||||
|
||||
# Perform usercopy bounds checking.
|
||||
HARDENED_USERCOPY y
|
||||
|
||||
# Randomize allocator freelists.
|
||||
SLAB_FREELIST_RANDOM y
|
||||
|
||||
# Wipe higher-level memory allocations when they are freed (needs "page_poison 1" command line below).
|
||||
# (If you can afford even more performance penalty, leave PAGE_POISONING_NO_SANITY n)
|
||||
PAGE_POISONING y
|
||||
PAGE_POISONING_NO_SANITY y
|
||||
PAGE_POISONING_ZERO y
|
||||
|
||||
# Reboot devices immediately if kernel experiences an Oops.
|
||||
PANIC_ON_OOPS y
|
||||
PANIC_TIMEOUT -1
|
||||
|
||||
# Keep root from altering kernel memory via loadable modules.
|
||||
# MODULES is not set
|
||||
|
||||
GCC_PLUGINS y # Enable gcc plugin options
|
||||
|
||||
# Disable various dangerous settings
|
||||
ACPI_CUSTOM_METHOD n # Allows writing directly to physical memory
|
||||
PROC_KCORE n # Exposes kernel text image layout
|
||||
INET_DIAG n # Has been used for heap based attacks in the past
|
||||
|
||||
# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
|
||||
CC_STACKPROTECTOR_REGULAR n
|
||||
CC_STACKPROTECTOR_STRONG y
|
||||
''
|
||||
|
@ -9,7 +9,7 @@ in
|
||||
import ./generic.nix (args // {
|
||||
version = "${version}-${revision}";
|
||||
extraMeta.branch = "4.12";
|
||||
modDirVersion = "${version}";
|
||||
modDirVersion = "${version}-hardened";
|
||||
|
||||
src = fetchFromGitHub {
|
||||
inherit sha256;
|
||||
|
@ -156,4 +156,9 @@ rec {
|
||||
sha256 = "10dmv3d3gj8rvj9h40js4jh8xbr5wyaqiy0kd819mya441mj8ll2";
|
||||
};
|
||||
};
|
||||
|
||||
tag_hardened = rec {
|
||||
name = "tag-hardened";
|
||||
patch = ./tag-hardened.patch;
|
||||
};
|
||||
}
|
||||
|
7
pkgs/os-specific/linux/kernel/tag-hardened.patch
Normal file
7
pkgs/os-specific/linux/kernel/tag-hardened.patch
Normal file
@ -0,0 +1,7 @@
|
||||
diff --git a/localversion-hardened b/localversion-hardened
|
||||
new file mode 100644
|
||||
index 0000000000..e578045860
|
||||
--- /dev/null
|
||||
+++ b/localversion-hardened
|
||||
@@ -0,0 +1 @@
|
||||
+-hardened
|
@ -12040,10 +12040,11 @@ with pkgs;
|
||||
kernelPatches.p9_fixes
|
||||
kernelPatches.modinst_arg_list_too_long
|
||||
kernelPatches.cpu-cgroup-v2."4.11"
|
||||
kernelPatches.tag_hardened
|
||||
];
|
||||
extraConfig = import ../os-specific/linux/kernel/hardened-config.nix {
|
||||
inherit stdenv;
|
||||
inherit (linux) version;
|
||||
inherit (linux_hardened_copperhead) version;
|
||||
};
|
||||
};
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user