From de9d9a07ae4a4d52379225e6707c7d71e343e85a Mon Sep 17 00:00:00 2001 From: Tim Steinbach Date: Sun, 27 Jan 2019 21:50:48 -0500 Subject: [PATCH] linux: Convert hardened config to structured config --- .../linux/kernel/hardened-config.nix | 188 +++++------------- pkgs/top-level/all-packages.nix | 2 +- 2 files changed, 54 insertions(+), 136 deletions(-) diff --git a/pkgs/os-specific/linux/kernel/hardened-config.nix b/pkgs/os-specific/linux/kernel/hardened-config.nix index ed540a9e7518d..c1997f91664be 100644 --- a/pkgs/os-specific/linux/kernel/hardened-config.nix +++ b/pkgs/os-specific/linux/kernel/hardened-config.nix 
@@ -7,142 +7,60 @@ # flexibility. # # See also - { stdenv, version }: with stdenv.lib; -assert (versionAtLeast version "4.9"); - -'' -# Report BUG() conditions and kill the offending process. -BUG y - -${optionalString (versionAtLeast version "4.10") '' - BUG_ON_DATA_CORRUPTION y -''} - -${optionalString (stdenv.hostPlatform.platform.kernelArch == "x86_64") '' - DEFAULT_MMAP_MIN_ADDR 65536 # Prevent allocation of first 64K of memory - - # Reduce attack surface by disabling various emulations - IA32_EMULATION n - X86_X32 n - # Note: this config depends on EXPERT y and so will not take effect, hence - # it is left "optional" for now. - MODIFY_LDT_SYSCALL? n - - VMAP_STACK y # Catch kernel stack overflows - - # Randomize position of kernel and memory. - RANDOMIZE_BASE y - RANDOMIZE_MEMORY y - - # Disable legacy virtual syscalls by default (modern glibc use vDSO instead). - # - # Note that the vanilla default is to *emulate* the legacy vsyscall mechanism, - # which is supposed to be safer than the native variant (wrt. ret2libc), so - # disabling it mainly helps reduce surface. - LEGACY_VSYSCALL_NONE y -''} - -# Safer page access permissions (wrt. code injection). Default on >=4.11. -${optionalString (versionOlder version "4.11") '' - DEBUG_RODATA y - DEBUG_SET_MODULE_RONX y -''} - -# Mark LSM hooks read-only after init. SECURITY_WRITABLE_HOOKS n -# conflicts with SECURITY_SELINUX_DISABLE y; disabling the latter -# implicitly marks LSM hooks read-only after init. -# -# SELinux can only be disabled at boot via selinux=0 -# -# We set SECURITY_WRITABLE_HOOKS n primarily for documentation purposes; the -# config builder fails to detect that it has indeed been unset. -${optionalString (versionAtLeast version "4.12") '' - SECURITY_SELINUX_DISABLE n - SECURITY_WRITABLE_HOOKS? n -''} - -DEBUG_WX y # boot-time warning on RWX mappings -${optionalString (versionAtLeast version "4.11") '' - STRICT_KERNEL_RWX y -''} - -# Stricter /dev/mem -STRICT_DEVMEM? y -IO_STRICT_DEVMEM? 
y
-
-# Perform additional validation of commonly targeted structures.
-DEBUG_CREDENTIALS y
-DEBUG_NOTIFIERS y
-DEBUG_LIST y
-DEBUG_PI_LIST y # doesn't BUG()
-DEBUG_SG y
-SCHED_STACK_END_CHECK y
-
-${optionalString (versionAtLeast version "4.13") ''
- REFCOUNT_FULL y
-''}
-
-# Perform usercopy bounds checking.
-HARDENED_USERCOPY y
-${optionalString (versionAtLeast version "4.16") ''
- HARDENED_USERCOPY_FALLBACK n # for full whitelist enforcement
-''}
-
-# Randomize allocator freelists.
-SLAB_FREELIST_RANDOM y
-
-${optionalString (versionAtLeast version "4.14") ''
- SLAB_FREELIST_HARDENED y
-''}
-
-# Allow enabling slub/slab free poisoning with slub_debug=P
-SLUB_DEBUG y
-
-# Wipe higher-level memory allocations on free() with page_poison=1
-PAGE_POISONING y
-PAGE_POISONING_NO_SANITY y
-PAGE_POISONING_ZERO y
-
-# Reboot devices immediately if kernel experiences an Oops.
-PANIC_ON_OOPS y
-PANIC_TIMEOUT -1
-
-GCC_PLUGINS y # Enable gcc plugin options
-# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
-GCC_PLUGIN_LATENT_ENTROPY y
-
-${optionalString (versionAtLeast version "4.11") ''
- GCC_PLUGIN_STRUCTLEAK y # A port of the PaX structleak plugin
-''}
-${optionalString (versionAtLeast version "4.14") ''
- GCC_PLUGIN_STRUCTLEAK_BYREF_ALL y # Also cover structs passed by address
-''}
-${optionalString (versionAtLeast version "4.20") ''
- GCC_PLUGIN_STACKLEAK y # A port of the PaX stackleak plugin
-''}
-
-${optionalString (versionAtLeast version "4.13") ''
- GCC_PLUGIN_RANDSTRUCT y # A port of the PaX randstruct plugin
- GCC_PLUGIN_RANDSTRUCT_PERFORMANCE y
-''}
-
-# Disable various dangerous settings
-ACPI_CUSTOM_METHOD n # Allows writing directly to physical memory
-PROC_KCORE n # Exposes kernel text image layout
-INET_DIAG n # Has been used for heap based attacks in the past
-
-# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage. 
-${optionalString (versionOlder version "4.18") ''
- CC_STACKPROTECTOR_REGULAR n
- CC_STACKPROTECTOR_STRONG y
-''}
-
-# Enable compile/run-time buffer overflow detection ala glibc's _FORTIFY_SOURCE
-${optionalString (versionAtLeast version "4.13") ''
- FORTIFY_SOURCE y
-''}
-''
+with import ../../../../lib/kernel.nix { inherit (stdenv) lib; inherit version; };
+
+{
+ ACPI_CUSTOM_METHOD = no;
+ BUG = yes;
+ BUG_ON_DATA_CORRUPTION = whenAtLeast "4.10" yes;
+ CC_STACKPROTECTOR_REGULAR = whenOlder "4.18" no;
+ CC_STACKPROTECTOR_STONG = whenOlder "4.18" yes;
+ DEBUG_CREDENTIALS = yes;
+ DEBUG_LIST = yes;
+ DEBUG_NOTIFIERS = yes;
+ DEBUG_PI_LIST = yes;
+ DEBUG_RODATA = whenOlder "4.11" yes;
+ DEBUG_SET_MODULE_RONX = whenOlder "4.11" yes;
+ DEBUG_SG = yes;
+ DEBUG_WX = yes;
+ FORTIFY_SOURCE = whenAtLeast "4.13" yes;
+ GCC_PLUGINS = yes;
+ GCC_PLUGIN_LATENT_ENTROPY = yes;
+ GCC_PLUGIN_RANDSTRUCT = whenAtLeast "4.13" yes;
+ GCC_PLUGIN_RANDSTRUCT_PERFORMANCE = whenAtLeast "4.13" yes;
+ GCC_PLUGIN_STACKLEAK = whenAtLeast "4.20" yes;
+ GCC_PLUGIN_STRUCTLEAK = whenAtLeast "4.11" yes;
+ GCC_PLUGIN_STRUCTLEAK_BYREF_ALL = whenAtLeast "4.14" yes;
+ HARDENED_USERCOPY = yes;
+ HARDENED_USERCOPY_FALLBACK = whenAtLeast "4.16" yes;
+ INET_DIAG = no;
+ IO_STRICT_DEVMEM = option yes;
+ PAGE_POISONING = yes;
+ PAGE_POISONING_NO_SANITY = yes;
+ PAGE_POISONING_ZERO = yes;
+ PANIC_ON_OOPS = yes;
+ PANIC_TIMEOUT = "-1";
+ PROC_KCORE = no;
+ REFCOUNT_FULL = whenAtLeast "4.13" yes;
+ SCHED_STACK_END_CHECK = yes;
+ SECURITY_SELINUX_DISABLE = no;
+ SECURITY_WRITABLE_HOOKS = option no;
+ SLAB_FREELIST_HARDENED = whenAtLeast "4.14" yes;
+ SLAB_FREELIST_RANDOM = yes;
+ SLUB_DEBUG = yes;
+ STRICT_DEVMEM = option yes;
+ STRICT_KERNEL_RWX = whenAtLeast "4.11" yes;
+} // optionalAttrs (stdenv.hostPlatform.system == "x86_64-linux" || stdenv.hostPlatform.system == "aarch64-linux") {
+ DEFAULT_MMAP_MIN_ADDR = "65536"; # Prevent allocation of first 64k of memory
+ IA32_EMULATION = no;
+ LEGACY_VSYSCALL_NONE 
= yes; + MODIFY_LDT_SYSCALL = option no; + RANDOMIZE_BASE = yes; + RANDOMIZE_MEMORY = yes; + X86_X32 = no; + VMAP_STACK = yes; +} diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 4b4f916d00993..11bfda8b5bb29 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -14756,7 +14756,7 @@ in # Hardened linux hardenedLinuxPackagesFor = kernel: linuxPackagesFor (kernel.override { features.ia32Emulation = false; - extraConfig = import ../os-specific/linux/kernel/hardened-config.nix { + structuredExtraConfig = import ../os-specific/linux/kernel/hardened-config.nix { inherit stdenv; inherit (kernel) version; };
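Review bot: Two of the translated entries in the new attribute set silently weaken the hardening relative to the removed string config: `CC_STACKPROTECTOR_STONG = whenOlder "4.18" yes;` is misspelled, so the strong stack protector is never actually requested on pre-4.18 kernels, and `HARDENED_USERCOPY_FALLBACK = whenAtLeast "4.16" yes;` inverts the old `HARDENED_USERCOPY_FALLBACK n # for full whitelist enforcement`, re-enabling the warn-only fallback instead of rejecting copies to non-whitelisted slab regions; these should read `CC_STACKPROTECTOR_STRONG = whenOlder "4.18" yes;` and `HARDENED_USERCOPY_FALLBACK = whenAtLeast "4.16" no;`. The arch-specific block was previously gated on `kernelArch == "x86_64"` but is now also applied to `aarch64-linux`, and as far as I know IA32_EMULATION, X86_X32, LEGACY_VSYSCALL_NONE, MODIFY_LDT_SYSCALL and RANDOMIZE_MEMORY are x86-only Kconfig symbols, so unless the structured-config builder tolerates unknown non-`option` entries the aarch64 hardened kernel will presumably fail to configure; either restore the x86_64-only condition or move the x86-only entries into their own `optionalAttrs`. The rationale comments from the old config (why SECURITY_WRITABLE_HOOKS and MODIFY_LDT_SYSCALL are only `option`, what PROC_KCORE and INET_DIAG expose, that PAGE_POISONING still needs `page_poison=1` on the command line) were dropped wholesale and are worth carrying over as `#` comments on the corresponding entries so the next reader does not "simplify" them away.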