linuxKernel.kernels: mark {IO_,}STRICT_DEVMEM optional to unbreak hardened kernels

2 files changed, 6 insertions, 2 deletions

diff --git a/pkgs/os-specific/linux/kernel/common-config.nix b/pkgs/os-specific/linux/kernel/common-config.nix
index 347f7b2802e..14afc85aa7c 100644
--- a/pkgs/os-specific/linux/kernel/common-config.nix
+++ b/pkgs/os-specific/linux/kernel/common-config.nix
@@ -457,8 +457,8 @@ let
       # Detect writes to read-only module pages
       DEBUG_SET_MODULE_RONX            = { optional = true; tristate = whenOlder "4.11" "y"; };
       RANDOMIZE_BASE                   = option yes;
-      STRICT_DEVMEM                    = yes; # Filter access to /dev/mem
-      IO_STRICT_DEVMEM                 = whenAtLeast "4.5" yes;
+      STRICT_DEVMEM                    = mkDefault yes; # Filter access to /dev/mem
+      IO_STRICT_DEVMEM                 = whenAtLeast "4.5" (mkDefault yes);
       SECURITY_SELINUX_BOOTPARAM_VALUE = whenOlder "5.1" (freeform "0"); # Disable SELinux by default
       # Prevent processes from ptracing non-children processes
       SECURITY_YAMA                    = option yes;
diff --git a/pkgs/os-specific/linux/kernel/hardened/config.nix b/pkgs/os-specific/linux/kernel/hardened/config.nix
index 973e6d50adf..3e3cd149c4d 100644
--- a/pkgs/os-specific/linux/kernel/hardened/config.nix
+++ b/pkgs/os-specific/linux/kernel/hardened/config.nix
@@ -93,4 +93,8 @@ assert (versionAtLeast version "4.9");
 
   # Detect out-of-bound reads/writes and use-after-free
   KFENCE = whenAtLeast "5.12" yes;
+
+  # CONFIG_DEVMEM=n causes these to not exist anymore.
+  STRICT_DEVMEM    = option no;
+  IO_STRICT_DEVMEM = option no;
 }