Commit Graph

37 Commits

Author SHA1 Message Date
Joachim Fasting
87bc514620
hardened-config: enable the SafeSetID LSM
The purpose of this LSM is to allow processes to drop to a less privileged
user id without having to grant them full CAP_SETUID (or use file caps).

The LSM allows configuring a whitelist policy of permitted from:to uid
transitions.  The policy is enforced upon calls to setuid(2) and related
syscalls.

Policies are configured through securityfs by writing to
- safesetid/add_whitelist_policy ; and
- safesetid/flush_whitelist_policies

A process attempting a transition not permitted by current policy is killed
(to avoid accidentally running with higher privileges than intended).

A uid that has a configured policy is prevented from obtaining auxiliary
setuid privileges (e.g., setting up user namespaces).

See also: https://www.kernel.org/doc/html/latest/admin-guide/LSM/SafeSetID.html
2019-05-07 13:39:24 +02:00
Matthieu Coudron
7aacbdb898 linux: convert hardened-config to a structured one 2019-01-28 09:07:24 +09:00
Pierre Bourdon
b26c824da3
Revert "Revert "Revert "linux-hardened: Disable GCC_PLUGIN_RANDSTRUCT"""
The issue with out-of-tree modules has been addressed and the feature
should now be good to re-enable again.

This reverts commit 865f7a14b4.
2019-01-11 12:35:16 +01:00
Joachim Fasting
865f7a14b4
Revert "Revert "linux-hardened: Disable GCC_PLUGIN_RANDSTRUCT""
This reverts commit c68e8b05f0.

RANDSTRUCT currently fails to work with out-of-tree modules, as
evinced by
c68e8b05f0 (commitcomment-31850284)
and https://github.com/NixOS/nixpkgs/issues/53522.

Specifically, loading out-of-tree modules results in modsym version
mismatches, as in
   spl: version magic '4.20.0 SMP mod_unload modversions RANDSTRUCT_PLUGIN
from the issue above.

A working hypothesis is that the randstruct seed is not carried over when
building out-of-tree modules but more investigation is needed here.

Closes https://github.com/NixOS/nixpkgs/issues/53522
2019-01-07 19:50:12 +01:00
Joachim Fasting
d62086e6fc
hardened-config: allow slub/slab free poisoning 2019-01-05 14:07:36 +01:00
Joachim Fasting
11840f5c70
hardened-config: explain HARDENED_USERCOPY_FALLBACK n 2019-01-05 14:07:36 +01:00
Joachim Fasting
dfd77a046d
hardened-config: ensure STRICT_KERNEL_RWX
This is y in the default config, but enable it explicitly here to catch
situations where it has been disabled (explicitly or implicitly).
2019-01-05 14:07:35 +01:00
Joachim Fasting
1801aad7b8
hardened-config: clarify MODIFY_LDT_SYSCALL
This likely never worked; MODIFY_LDT_SYSCALL depends on EXPERT; enabling
EXPERT however seems to introduce quite a few changes that would need to be
properly vetted.

The version guard is unnecessary, however, as this config has been supported
since 4.3.
2019-01-05 14:07:34 +01:00
Joachim Fasting
abc8ed3fca
hardened-config: clarify readonly LSM hooks config
SECURITY_WRITABLE_HOOKS is implicitly controlled by SECURITY_SELINUX_DISABLE;
explicitly unsetting results in an error because the configfile builder fails
to detect that it has in fact been unset (reporting it as an unused option).
For now, leave WRITABLE_HOOKS as an "optional" config for documentation
purposes.
2019-01-05 14:07:33 +01:00
Joachim Fasting
c68e8b05f0
Revert "linux-hardened: Disable GCC_PLUGIN_RANDSTRUCT"
This reverts commit 5dda1324be.

Presumably this was done to work around build errors or something but it
works fine now.
2019-01-05 14:07:21 +01:00
Pierre Bourdon
0f7ca26a48
kernel/hardened-config.nix: add STACKLEAK plugin on 4.20+ 2019-01-04 22:24:50 +01:00
Pierre Bourdon
9dc0d94896
kernel/hardened-config.nix: re-enable GCC plugins 2019-01-04 22:24:50 +01:00
John Ericson
7d85ade0cc treewide: Purge stdenv.platform and top-level platform
Progress towards #27069
2018-08-20 15:22:46 -04:00
Tim Steinbach
9236990057
linux: Init 4.18 2018-08-12 19:42:31 -04:00
Tim Steinbach
a4d56d0635
linux-hardened: Adjust config for 4.17.4 2018-07-03 08:35:37 -04:00
Tim Steinbach
4f3ba3b1f8
linux-hardened: Adjust for Linux 4.17 2018-06-29 08:37:25 -04:00
Joachim Fasting
33615ccfa5
linux_hardened: enforce usercopy whitelisting
The default is to warn only
2018-04-29 12:17:24 +02:00
Tim Steinbach
eb0ecd7eba
linux-copperhead: 4.14.12.a -> 4.14.13.a 2018-01-11 08:30:19 -05:00
Franz Pletz
ccb0ba56ef
linux_hardended: enable gcc latent entropy plugin 2018-01-04 05:02:39 +01:00
Joachim Fasting
870c86d0ee
linux_hardened: structleak covers structs passed by address 2017-11-15 22:10:50 +01:00
Joachim Fasting
8ecae36963
linux_hardened: enable slab freelist hardening 2017-11-15 22:10:44 +01:00
Tim Steinbach
5dda1324be
linux-hardened: Disable GCC_PLUGIN_RANDSTRUCT 2017-10-11 13:50:20 -04:00
Jan Malakhovski
62fa45eac5
linuxPackages: hardened-config: enable DEBUG_PI_LIST 2017-09-16 13:14:05 +02:00
Jan Malakhovski
c345761c13
linuxPackages: hardened-config: check kernelArch, not system 2017-09-16 13:14:04 +02:00
Jan Malakhovski
616a7fe237
linuxPackages: hardened-config: disable BUG_ON_DATA_CORRUPTION for older kernels
They don't support it.
2017-09-16 13:14:03 +02:00
Joachim Fasting
dd170cd5df
hardened-config: build with fortify source 2017-09-16 00:31:25 +02:00
Joachim Fasting
9a763f8f59
hardened-config: enable the randstruct plugin 2017-09-16 00:31:23 +02:00
Joachim Fasting
edd0d2f2e9
hardened-config: additional refcount checking 2017-09-16 00:31:17 +02:00
Joachim Fasting
345e0e6794
hardened-config: enable read-only LSM hooks
Implies that SELinux can no longer be disabled at runtime (only at boot
time, via selinux=0).

See https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=dd0859dccbe291cf8179a96390f5c0e45cb9af1d
2017-08-11 23:27:58 +02:00
Joachim Fasting
f963014829
linux-hardened-config: various fixups
Note
- the kernel config parser ignores "# foo is unset" comments so they
  have no effect; disabling kernel modules would break *everything* and so
  is ill-suited for a general-purpose kernel anyway --- the hardened nixos
  profile provides a more flexible solution
- removed some overlap with the common config (SECCOMP is *required* by systemd;
  YAMA is enabled by default).
- MODIFY_LDT_SYSCALL is guarded by EXPERT on vanilla so setting it to y breaks
  the build; fix by making it optional
- restored some original comments which I feel are clearer
2017-08-06 23:38:07 +02:00
Tim Steinbach
ff10bafd00
linux: Expand hardened config
Based on latest recommendations at
http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
2017-08-06 09:58:02 -04:00
Joachim Fasting
77ed860114
linux_hardened: enable checks on scatter-gather tables
Recommended by kspp
2017-05-18 12:33:42 +02:00
Joachim Fasting
996b65cfba
linux_hardened: enable structleak plugin
A port of the PaX structleak plugin.  Note that this version of structleak
seems to cover less ground than the PaX original (only marked structs are
zeroed). [1]

[1]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c61f13eaa1ee17728c41370100d2d45c254ce76f
2017-05-09 01:38:26 +02:00
Joachim Fasting
1816e2b960
linux_hardened: BUG on struct validation failure 2017-05-09 01:38:24 +02:00
Joachim Fasting
a7ecdffc28
linux_hardened: move to 4.11
Note that DEBUG_RODATA has been split into STRICT_KERNEL_RWX &
STRICT_MODULE_RWX, which are on by default (non-optional).
2017-05-09 01:38:22 +02:00
Joachim Fasting
42c58cd2e8
linux_hardened: compile with stackprotector-strong
Default is regular, which we need to unset for kconfig to accept the new
value.
2017-05-09 01:38:21 +02:00
Joachim Fasting
62f2a1c2be
linux_hardened: init
The rationale for this is to have a place to enable hardening features
that are either too invasive or that may be speculative/yet proven to be
worthwhile for general-purpose kernels.
2017-04-30 12:05:39 +02:00