author Joachim Fasting <joachifm@fastmail.fm> 2017-04-29 17:27:08 +0200
committer Joachim Fasting <joachifm@fastmail.fm> 2017-04-29 17:27:11 +0200
commit 63433537ce3f52f9bc460961b2b73e40db027447
tree 235ef5605a59218a46ce8dbe2e74aa2435612aa9
parent f1c7d5a6ba8200d1ac463f1f796f6f359f1423c7
nixos/hardened profile: disable legacy virtual syscalls
This eliminates a theoretical risk of ASLR bypass due to the fixed address
mapping used by the legacy vsyscall mechanism.  Modern glibc uses vdso(7)
instead so there is no loss of functionality, but some programs may fail
to run in this configuration.  Programs that fail to run because vsyscall
has been disabled will be logged to dmesg.

For background on virtual syscalls see https://lwn.net/Articles/446528/

Closes https://github.com/NixOS/nixpkgs/pull/25289
-rw-r--r-- nixos/modules/profiles/hardened.nix 5
1 files changed, 5 insertions, 0 deletions
diff --git a/nixos/modules/profiles/hardened.nix b/nixos/modules/profiles/hardened.nix
index 9933f8b25f5..a01d974446b 100644
--- a/nixos/modules/profiles/hardened.nix
+++ b/nixos/modules/profiles/hardened.nix
@@ -10,6 +10,11 @@ with lib;
 
   security.apparmor.enable = mkDefault true;
 
+  boot.kernelParams = [
+    # Disable legacy virtual syscalls
+    "vsyscall=none"
+  ];
+
   # Restrict ptrace() usage to processes with a pre-defined relationship
   # (e.g., parent/child)
   boot.kernel.sysctl."kernel.yama.ptrace_scope" = mkOverride 500 1;
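
Review bot: "vsyscall=none" is added to boot.kernelParams unconditionally, whereas the neighbouring settings in this profile are wrapped in mkDefault or mkOverride 500 so that a host configuration can override them. Since list-valued options are merged rather than replaced, a system that imports the profile but still has to run a binary relying on vsyscall cannot drop just this parameter short of overriding the whole list; consider documenting the opt-out or guarding the entry behind an option. The in-code comment "# Disable legacy virtual syscalls" could also state the operational consequence given in the commit message (affected programs fail to run and are logged to dmesg), since that is the first symptom an operator will see.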