linux_*_hardened: use linux-hardened patch set #84522
Commits on Apr 17, 2020
-
-
linux: explicitly enable SYSVIPC
The linux-hardened patch set removes this default, probably because of its original focus on Android kernel hardening.
-
linux_*_hardened: use linux-hardened patch set
This is an updated version of the former upstream, https://github.com/AndroidHardeningArchive/linux-hardened, and provides a minimal set of additional hardening patches on top of upstream. The patch already incorporates many of our hardened profile defaults, and releases are timely (Linux 5.5.15 and 5.6.2 were released on 2020-04-02; linux-hardened patches for them came out on 2020-04-03 and 2020-04-04 respectively).
-
linux_*_hardened: don't set X86_X32
As far as I can tell, this has never defaulted to on upstream, and our common kernel configuration doesn't turn it on, so the attack surface reduction here is somewhat homeopathic.
-
linux_*_hardened: don't set VMAP_STACK
This has been on by default upstream for as long as it's been an option.
-
linux_*_hardened: don't set RANDOMIZE_{BASE,MEMORY}
These are on by default for x86 in upstream linux-5.6.2, and turned on for arm64 by anthraxx/linux-hardened@90f9670.
-
linux_*_hardened: don't set {,IO_}STRICT_DEVMEM
STRICT_DEVMEM is on by default in upstream 5.6.2; IO_STRICT_DEVMEM is turned on by anthraxx/linux-hardened@103d23c. Note that anthraxx/linux-hardened@db1d27e disables DEVMEM by default, so this is only relevant if that default is overridden to turn it back on.
-
linux_*_hardened: don't set HARDENED_USERCOPY_FALLBACK
Upstreamed in anthraxx/linux-hardened@c1fe7a6, anthraxx/linux-hardened@2c553a2.
-
linux_*_hardened: don't set SLAB_FREELIST_{RANDOM,HARDENED}
Upstreamed in anthraxx/linux-hardened@786126f, anthraxx/linux-hardened@44822eb.
-
nixos/hardened: don't set kernel.unprivileged_bpf_disabled
Upstreamed in anthraxx/linux-hardened@1a3e0c2.
-
nixos/hardened: don't set vm.unprivileged_userfaultfd
Upstreamed in anthraxx/linux-hardened@a712392.
-
nixos/hardened: enable user namespaces for root
linux-hardened sets kernel.unprivileged_userns_clone=0 by default; see anthraxx/linux-hardened@104f440. This allows the Nix sandbox to function while reducing the attack surface posed by user namespaces, which allow unprivileged code to exercise lots of root-only code paths and have lead to privilege escalation vulnerabilities in the past. We can safely leave user namespaces on for privileged users, as root already has root privileges, but if you're not running builds on your machine and really want to minimize the kernel attack surface then you can set security.allowUserNamespaces to false. Note that Chrome's sandbox requires either unprivileged CLONE_NEWUSER or setuid, and Firefox's silently reduces the security level if it isn't allowed (see about:support), so desktop users may want to set: boot.kernel.sysctl."kernel.unprivileged_userns_clone" = true;
-
-
-
nixos/release-{small,combined}: add latestKernel.login
Seems like a good idea to ensure that you can always use the latest stable upstream kernel.
-
nixos/release-combined: add {,latestKernel.}hardened
These now depend on an external patch set; add them to the release tests to ensure that the build doesn't break silently as new kernel updates are merged.
