swendel/nixpkgs
1
0
Fork 0
mirror of https://github.com/SebastianWendel/nixpkgs.git synced 2024-09-27 15:40:18 +02:00
Code Issues Packages Projects Releases Wiki Activity
122216 commits 5 branches 0 tags 31 GiB
Commit graph

18 commits

Author SHA1 Message Date
Joachim Fasting 870c86d0ee
linux_hardened: structleak covers structs passed by address 2017-11-15 22:10:50 +01:00
Joachim Fasting 8ecae36963
linux_hardened: enable slab freelist hardening 2017-11-15 22:10:44 +01:00
Tim Steinbach 5dda1324be
linux-hardened: Disable GCC_PLUGIN_RANDSTRUCT 2017-10-11 13:50:20 -04:00
Jan Malakhovski 62fa45eac5
linuxPackages: hardened-config: enable DEBUG_PI_LIST 2017-09-16 13:14:05 +02:00
Jan Malakhovski c345761c13
linuxPackages: hardened-config: check kernelArch, not system 2017-09-16 13:14:04 +02:00
Jan Malakhovski 616a7fe237
linuxPackages: hardened-config: disable BUG_ON_DATA_CORRUPTION for older kernels 
They don't support it.
 2017-09-16 13:14:03 +02:00
Joachim Fasting dd170cd5df
hardened-config: build with fortify source 2017-09-16 00:31:25 +02:00
Joachim Fasting 9a763f8f59
hardened-config: enable the randstruct plugin 2017-09-16 00:31:23 +02:00
Joachim Fasting edd0d2f2e9
hardened-config: additional refcount checking 2017-09-16 00:31:17 +02:00
Joachim Fasting 345e0e6794
hardened-config: enable read-only LSM hooks 
Implies that SELinux can no longer be disabled at runtime (only at boot
time, via selinux=0).

See https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=dd0859dccbe291cf8179a96390f5c0e45cb9af1d
 2017-08-11 23:27:58 +02:00
Joachim Fasting f963014829
linux-hardened-config: various fixups 
Note
- the kernel config parser ignores "# foo is unset" comments so they
  have no effect; disabling kernel modules would break *everything* and so
  is ill-suited for a general-purpose kernel anyway --- the hardened nixos
  profile provides a more flexible solution
- removed some overlap with the common config (SECCOMP is *required* by systemd;
  YAMA is enabled by default).
- MODIFY_LDT_SYSCALL is guarded by EXPERT on vanilla so setting it to y breaks
  the build; fix by making it optional
- restored some original comments which I feel are clearer
 2017-08-06 23:38:07 +02:00
Tim Steinbach ff10bafd00
linux: Expand hardened config 
Based on latest recommendations at
http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
 2017-08-06 09:58:02 -04:00
Joachim Fasting 77ed860114
linux_hardened: enable checks on scatter-gather tables 
Recommended by kspp
 2017-05-18 12:33:42 +02:00
Joachim Fasting 996b65cfba
linux_hardened: enable structleak plugin 
A port of the PaX structleak plugin.  Note that this version of structleak
seems to cover less ground than the PaX original (only marked structs are
zeroed). [1]

[1]: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c61f13eaa1ee17728c41370100d2d45c254ce76f
 2017-05-09 01:38:26 +02:00
Joachim Fasting 1816e2b960
linux_hardened: BUG on struct validation failure 2017-05-09 01:38:24 +02:00
Joachim Fasting a7ecdffc28
linux_hardened: move to 4.11 
Note that DEBUG_RODATA has been split into STRICT_KERNEL_RWX &
STRICT_MODULE_RWX, which are on by default (non-optional).
 2017-05-09 01:38:22 +02:00
Joachim Fasting 42c58cd2e8
linux_hardened: compile with stackprotector-strong 
Default is regular, which we need to unset for kconfig to accept the new
value.
 2017-05-09 01:38:21 +02:00
Joachim Fasting 62f2a1c2be
linux_hardened: init 
The rationale for this is to have a place to enable hardening features
that are either too invasive or that may be speculative/yet proven to be
worthwhile for general-purpose kernels.
 2017-04-30 12:05:39 +02:00