-
-
Notifications
You must be signed in to change notification settings - Fork 14.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
linux_*_hardened: use linux-hardened patch set #84522
Conversation
cf6273b
to
24e0f45
Compare
@GrahamcOfBorg test hardened latestKernel.hardened |
Tests pass on diff --git a/pkgs/development/libraries/graphene-hardened-malloc/default.nix b/pkgs/development/libraries/graphene-hardened-malloc/default.nix
index be32a74ea45..5a788a0b7f0 100644
--- a/pkgs/development/libraries/graphene-hardened-malloc/default.nix
+++ b/pkgs/development/libraries/graphene-hardened-malloc/default.nix
@@ -52,6 +52,6 @@ stdenv.mkDerivation rec {
'';
license = licenses.mit;
maintainers = with maintainers; [ ris ];
- platforms = [ "x86_64-linux" ];
+ platforms = [ "x86_64-linux" "aarch64-linux" ];
};
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks. Looks solid. I also want to get the opinion of @joachifm
In future it would be great to also integrate this kernel into nixpkgs/pkgs/os-specific/linux/kernel/update.sh
Otherwise we the hardened kernel might get out-of-date.
@a13xp0p0v I might send you an updated kernel config to https://github.com/a13xp0p0v/kconfig-hardened-check as soon as this is merged. |
If
|
24e0f45
to
11f3bff
Compare
Pushed to fix conflicts, unbreak the test on AArch64, and update for newer kernels. I'd definitely like to integrate automatic updates into this (and my other packages); is there an existing update script that interfaces with the GitHub releases API that I could reference? FWIW, I have plans to improve the Kconfig hardening further insofar as that can be done without jeopardizing general server/desktop use, but wanted to keep this PR relatively standalone. @GrahamcOfBorg test hardened latestKernel.hardened |
dbb8f31
to
8bd37be
Compare
Now with fancy over-engineered Python update script~ |
caf765f
to
daffeaf
Compare
@GrahamcOfBorg test hardened latestKernel.hardened |
FWIW, since keyservers are a trash fire and the PGP key links on the Arch site are consequently broken: You can reproduce
|
linux-hardened sets kernel.unprivileged_userns_clone=0 by default; see anthraxx/linux-hardened@104f440. This allows the Nix sandbox to function while reducing the attack surface posed by user namespaces, which allow unprivileged code to exercise lots of root-only code paths and have lead to privilege escalation vulnerabilities in the past. We can safely leave user namespaces on for privileged users, as root already has root privileges, but if you're not running builds on your machine and really want to minimize the kernel attack surface then you can set security.allowUserNamespaces to false. Note that Chrome's sandbox requires either unprivileged CLONE_NEWUSER or setuid, and Firefox's silently reduces the security level if it isn't allowed (see about:support), so desktop users may want to set: boot.kernel.sysctl."kernel.unprivileged_userns_clone" = true;
Seems like a good idea to ensure that you can always use the latest stable upstream kernel.
These now depend on an external patch set; add them to the release tests to ensure that the build doesn't break silently as new kernel updates are merged.
bcabc22
to
2e31fb4
Compare
@GrahamcOfBorg test hardened latestKernel.hardened |
I would like to merge this tomorrow at 6 pm UTC unless anyone has objections. |
Well this fails our Hydra with:
|
Seems like the test was broken to begin with as it was already there before this PR. |
Oof. Doesn't seem directly related to the patched kernel, at least, but this PR did add it to the release channel tests. Edit: It seems like the test passes fine on nixpkgs master, and the error is about it not being present on your local Hydra. I don't use Hydra so unfortunately I'm not sure what the problem might be; maybe jobs for the tests have to be manually set up? |
Wha… surely seems to work. Sorry for bothering you |
Nvm, upstream Hydra is affected as well: https://hydra.nixos.org/jobset/nixos/unstable-small#tabs-errors |
With this kernel, nginx started with this warning:
|
It is possible to activate CONFIG_AIO? |
You'll have to manually patch it (i.e. with a |
It is possible to disable |
This seems to be breaking ofborg now, these patches need to be updated along with the kernel bumps example failure: https://gist.github.com/GrahamcOfBorg/dc0c1bbb7502ad569c8bc49213949f73 |
I don't know about Firefox, but I find that, using the SUID sandbox, Chromium's internal sandbox status page reports all sandboxing features as operational, which is one more than it reports as operational when using the unprivileged-user-namespace sandbox. (The feature whose status differs is "Ptrace Protection with Yama LSM (Non-broker)".) (Edit: Also, thanks! I hadn't realized we were running that |
Motivation for this change
anthraxx/linux-hardened is an updated version of the dormant AndroidHardeningArchive/linux-hardened repository, which was previously offered in NixOS (as
linux_copperhead_*
; not sure if it was ever used forlinux_hardened
).It adds a relatively conservative grab-bag of hardening patches and defaults on top of the stock Kernel Self Protection Project, and is actively used by the Arch
linux-hardened
package (as documented on the ArchWiki; see also some ASLR comparison notes from the original author @thestinger, circa 2017). The patch set incorporates many of our hardened Kconfig/sysctl defaults, and releases are timely (Linux 5.5.15 and 5.6.2 were released on 2020-04-02; linux-hardened patches for them came out on 2020-04-03 and 2020-04-04 respectively). It also includes the Debian/Arch patch to allow restrictingCLONE_USERNS
to privileged users, allowing the Nix sandbox to be re-enabled (see #73763 for discussion).You can see a list of commits on top of the vanilla 5.6.2 kernel here: anthraxx/linux-hardened@9fbe5c8...5.6.2.a
linux{,Packages}_testing_hardened
is removed as the patch set only tracks releases; if anyone actually uses it then it could probably be re-added on a best-effort basis with the 5.6 patches.I'm running this on my laptop and server, including ZFS (with #84303), Firefox and Wine. (I had to disable the hardened allocator for Firefox, per #73763 (comment), but that's unrelated to these kernel changes.)
paxtest blackhat
results for5.6.2-hardened
from this branch:Using the
libc
allocator (measuring the kernel ASLR entropy directly)Improvements over current NixOS:
Using the hardened profile default
scudo
allocatorImprovements over current NixOS:
These mostly match the expected results from ArchWiki. The mprotect "Vulnerable" results are because there's no port of the PaX MPROTECT/NOEXECSTACK features, as these can be implemented with a Mandatory Access Control LSM like SELinux. I'm not sure why ET_EXEC is doing worse; the main executable randomization shouldn't be too relevant as position-independent executables generally use the ET_DYN/PIE mechanism and Arch bug FS#52089 suggests that grsecurity dropped support for this anyway, but the heap randomization results could be a little better according to ArchWiki; it might be that results there were measured with GrapheneOS hardened_malloc, which is recommended elsewhere on the page. In any case, it's a distinct improvement on the status quo.
Note the commit message of b309ef56e8d8; disabling unprivileged
CLONE_NEWUSER
has security drawbacks for desktop machines due to the impact on the Chromium/Firefox sandboxes. They both have minimal setuid helpers as fallbacks for unprivileged user namespaces, and it'd be nice to arrange for them to get the necessary privileges whenCLONE_NEWUSER
is restricted, but I haven't addressed that in this PR as the status quo for the hardened profile has already been that user namespaces are silently disabled as a whole.Things done
sandbox
innix.conf
on non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
./result/bin/
)nix path-info -S
before and after)