diff options
author | Joachim Fasting <joachifm@fastmail.fm> | 2019-05-07 11:08:36 +0200 |
---|---|---|
committer | Joachim Fasting <joachifm@fastmail.fm> | 2019-05-07 13:39:24 +0200 |
commit | 87bc514620998a3e64278a3eadbe660c51bafabe (patch) | |
tree | 53f735b0f42df34f69842ce75483cff396a6ffa7 | |
parent | 7085da0cef8a596ffa0029c838261602c77a33d5 (diff) | |
download | nixpkgs-87bc514620998a3e64278a3eadbe660c51bafabe.tar nixpkgs-87bc514620998a3e64278a3eadbe660c51bafabe.tar.gz nixpkgs-87bc514620998a3e64278a3eadbe660c51bafabe.tar.bz2 nixpkgs-87bc514620998a3e64278a3eadbe660c51bafabe.tar.lz nixpkgs-87bc514620998a3e64278a3eadbe660c51bafabe.tar.xz nixpkgs-87bc514620998a3e64278a3eadbe660c51bafabe.tar.zst nixpkgs-87bc514620998a3e64278a3eadbe660c51bafabe.zip |
hardened-config: enable the SafeSetID LSM
The purpose of this LSM is to allow processes to drop to a less privileged user id without having to grant them full CAP_SETUID (or use file caps). The LSM allows configuring a whitelist policy of permitted from:to uid transitions. The policy is enforced upon calls to setuid(2) and related syscalls. Policies are configured through securityfs by writing to - safesetid/add_whitelist_policy ; and - safesetid/flush_whitelist_policies A process attempting a transition not permitted by current policy is killed (to avoid accidentally running with higher privileges than intended). A uid that has a configured policy is prevented from obtaining auxiliary setuid privileges (e.g., setting up user namespaces). See also: https://www.kernel.org/doc/html/latest/admin-guide/LSM/SafeSetID.html
-rw-r--r-- | pkgs/os-specific/linux/kernel/hardened-config.nix | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/pkgs/os-specific/linux/kernel/hardened-config.nix b/pkgs/os-specific/linux/kernel/hardened-config.nix index f1f18c64130..79ee27c52b5 100644 --- a/pkgs/os-specific/linux/kernel/hardened-config.nix +++ b/pkgs/os-specific/linux/kernel/hardened-config.nix @@ -91,6 +91,9 @@ optionalAttrs (stdenv.hostPlatform.platform.kernelArch == "x86_64") { PAGE_POISONING_NO_SANITY = yes; PAGE_POISONING_ZERO = yes; + # Enable the SafeSetId LSM + SECURITY_SAFESETID = whenAtLeast "5.1" yes; + # Reboot devices immediately if kernel experiences an Oops. PANIC_ON_OOPS = yes; PANIC_TIMEOUT = freeform "-1"; |