JakeHillion/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
87bfe6e115
nixpkgs/pkgs/os-specific/linux/kernel
History
Joachim Fasting 87bc514620
hardened-config: enable the SafeSetID LSM 
The purpose of this LSM is to allow processes to drop to a less privileged
user id without having to grant them full CAP_SETUID (or use file caps).

The LSM allows configuring a whitelist policy of permitted from:to uid
transitions.  The policy is enforced upon calls to setuid(2) and related
syscalls.

Policies are configured through securityfs by writing to
- safesetid/add_whitelist_policy ; and
- safesetid/flush_whitelist_policies

A process attempting a transition not permitted by current policy is killed
(to avoid accidentally running with higher privileges than intended).

A uid that has a configured policy is prevented from obtaining auxiliary
setuid privileges (e.g., setting up user namespaces).

See also: https://www.kernel.org/doc/html/latest/admin-guide/LSM/SafeSetID.html
2019-05-07 13:39:24 +02:00
..
cpu-cgroup-v2-patches Revert parts of "linux: remove unused kernel patches" 2017-10-30 17:57:00 +01:00
bridge-stp-helper.patch
common-config.nix Merge pull request #57885 from acowley/hsa_amd 2019-04-02 16:51:30 -04:00
export_kernel_fpu_functions.patch linux_5_0: restore __kernel_fpu_{begin,restore} 2019-05-06 14:14:40 +01:00
generate-config.pl kernel: buildLinux replaces import ./generic.nix 2018-02-07 10:07:13 +09:00
generic.nix Merge pull request #53826 from delroth/randstruct-custom-seed 2019-04-16 17:49:19 +00:00
genksyms-fix-segfault.patch
hardened-config.nix hardened-config: enable the SafeSetID LSM 2019-05-07 13:39:24 +02:00
linux-4.4.nix linux: 4.4.178 -> 4.4.179 2019-04-27 08:06:43 -04:00
linux-4.9.nix linux: 4.9.172 -> 4.9.173 2019-05-04 10:26:40 -04:00
linux-4.14.nix linux: 4.14.115 -> 4.14.116 2019-05-04 10:25:01 -04:00
linux-4.19.nix linux: 4.19.39 -> 4.19.40 2019-05-05 11:16:17 -04:00
linux-5.0.nix linux: 5.0.12 -> 5.0.13 2019-05-05 11:16:44 -04:00
linux-5.1.nix linux: add 5.1 release 2019-05-06 00:39:22 -05:00
linux-hardkernel-4.14.nix linux_hardkernel_4_14: 4.14.94-155 -> 4.14.102-156 (#57082) 2019-03-16 00:01:39 +01:00
linux-libre.nix linux_latest-libre: fix build 2019-03-11 21:35:48 +00:00
linux-mptcp-93.nix treewide: Remove usage of remaining redundant platform compatability stuff 2018-08-30 17:20:32 -04:00
linux-mptcp.nix linux_mptcp: 0.94.3 -> 0.94.4 (#59045) 2019-04-09 09:34:03 +00:00
linux-rpi.nix linux_rpi: 1.20180919 -> 1.20190215 2019-03-20 22:51:08 -04:00
linux-testing-bcachefs.nix linux_testing_bcachefs: 4.20.2019.03.13 -> 5.0.2019.04.04 2019-04-26 09:16:45 -04:00
linux-testing.nix linux: 5.1-rc6 -> 5.1-rc7 2019-04-29 08:06:52 -04:00
manual-config.nix kernel: extend the RANDSTRUCT seed with a user-configurable section 2019-01-24 01:42:16 +01:00
modinst-arg-list-too-long.patch linux-testing: Fix arg list too long in modinst 2016-08-30 06:55:52 +02:00
p9-fixes.patch kernel: fix 9p issues 2017-04-01 15:49:14 +03:00
patches.nix linux_5_0: restore __kernel_fpu_{begin,restore} 2019-05-06 14:14:40 +01:00
perf.nix linuxPackages.perf: add libopcodes as a buildInput 2019-05-03 15:10:46 -05:00
randstruct-provide-seed.patch kernel: make the RANDSTRUCT seed deterministic 2019-01-11 12:35:16 +01:00
tag-hardened.patch linux: Expand hardened config 2017-08-06 09:58:02 -04:00
update.sh linux: Fix update script 2019-04-07 08:34:12 -04:00