authorMatthieu Coudron <mattator@gmail.com>2018-10-03 18:53:23 +0900
committerMatthieu Coudron <mattator@gmail.com>2019-01-28 09:07:24 +0900
commit7aacbdb8986f0d75c3770e70a39147c272e1eac8 (patch)
tree4c4e5722f3d16aa0b11644f9da480b0dfccd48e0
parent3bb7b3f02e884db944a8a20b4f19227482479b94 (diff)
linux: convert hardened-config to a structured one
-rw-r--r--lib/default.nix1
-rw-r--r--lib/kernel.nix7
-rw-r--r--pkgs/os-specific/linux/kernel/common-config.nix9
-rw-r--r--pkgs/os-specific/linux/kernel/hardened-config.nix212
-rw-r--r--pkgs/top-level/all-packages.nix1
5 files changed, 101 insertions, 129 deletions
diff --git a/lib/default.nix b/lib/default.nix
index 5ae3667406d..d400907ebb0 100644
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -32,7 +32,6 @@ let
     modules = callLibs ./modules.nix;
     options = callLibs ./options.nix;
     types = callLibs ./types.nix;
-    kernel = callLibs ./kernel.nix;
 
     # constants
     licenses = callLibs ./licenses.nix;
diff --git a/lib/kernel.nix b/lib/kernel.nix
index 14783ae9739..5923011774b 100644
--- a/lib/kernel.nix
+++ b/lib/kernel.nix
@@ -1,7 +1,12 @@
-{ lib }:
+{ lib, version }:
 
 with lib;
 rec {
+  # Common patterns/legacy
+  whenAtLeast = ver: mkIf (versionAtLeast version ver);
+  whenOlder   = ver: mkIf (versionOlder version ver);
+  # range is (inclusive, exclusive)
+  whenBetween = verLow: verHigh: mkIf (versionAtLeast version verLow && versionOlder version verHigh);
 
 
   # Keeping these around in case we decide to change this horrible implementation :)
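Review bot: Making `version` a required argument at line 43 is what forces the deletion of `kernel = callLibs ./kernel.nix;` in lib/default.nix, so `lib.kernel` disappears from the public lib namespace and any out-of-tree expression that used `lib.kernel.yes`/`lib.kernel.no` now fails with an undefined attribute. If keeping it exported is desirable, a default such as `{ lib, version ? null }:` keeps the file callable through `callLibs`, with the version helpers failing loudly only when actually used, e.g. `whenAtLeast = ver: assert version != null; mkIf (versionAtLeast version ver);`. The comment `# range is (inclusive, exclusive)` would be clearer as `# whenBetween: verLow is inclusive, verHigh is exclusive`. The `rec` set continues past the hunk.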
diff --git a/pkgs/os-specific/linux/kernel/common-config.nix b/pkgs/os-specific/linux/kernel/common-config.nix
index bdcad8c2383..1a56e68fa4b 100644
--- a/pkgs/os-specific/linux/kernel/common-config.nix
+++ b/pkgs/os-specific/linux/kernel/common-config.nix
@@ -17,14 +17,9 @@
 
 with stdenv.lib;
 
-  with import ../../../../lib/kernel.nix { inherit (stdenv) lib; };
+  with import ../../../../lib/kernel.nix { inherit (stdenv) lib; inherit version; };
 
 let
-  # Common patterns/legacy
-  when = cond: opt: if cond then opt else null;
-  whenAtLeast = ver: mkIf (versionAtLeast version ver);
-  whenOlder   = ver: mkIf (versionOlder version ver);
-  whenBetween = verLow: verHigh: mkIf (versionAtLeast version verLow && versionOlder version verHigh);
 
   # configuration items have to be part of a subattrs
   flattenKConf =  nested: mapAttrs (_: head) (zipAttrs (attrValues nested));
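Review bot: The local `when` helper deleted at line 68 has no replacement in lib/kernel.nix (that hunk adds only the `whenAtLeast`/`whenOlder`/`whenBetween` helpers), so any `when` call site in the part of common-config.nix outside this hunk is now an undefined variable; the second hunk converts one such site to `mkIf`, which suggests there may be others worth grepping for before merge. Note also that `mkIf cond yes` is not a drop-in for `when cond yes`: the old helper yielded `null` when the condition was false (presumably filtered out downstream), whereas `mkIf false yes` yields a module-system marker that only the structured-config consumer knows how to strip, so every consumer of this attrset must go through that path. The `let` block continues past the hunk.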
@@ -420,7 +415,7 @@ let
       KVM_COMPAT = { optional = true; tristate = whenBetween "4.0" "4.12" "y"; };
       KVM_DEVICE_ASSIGNMENT  = { optional = true; tristate = whenBetween "3.10" "4.12" "y"; };
       KVM_GENERIC_DIRTYLOG_READ_PROTECT = whenAtLeast "4.0"  yes;
-      KVM_GUEST                         = when (!features.grsecurity) yes;
+      KVM_GUEST                         = mkIf (!features.grsecurity) yes;
       KVM_MMIO                          = yes;
       KVM_VFIO                          = yes;
       KSM = yes;
diff --git a/pkgs/os-specific/linux/kernel/hardened-config.nix b/pkgs/os-specific/linux/kernel/hardened-config.nix
index ed540a9e751..f1f18c64130 100644
--- a/pkgs/os-specific/linux/kernel/hardened-config.nix
+++ b/pkgs/os-specific/linux/kernel/hardened-config.nix
@@ -11,138 +11,110 @@
 { stdenv, version }:
 
 with stdenv.lib;
+with import ../../../../lib/kernel.nix { inherit (stdenv) lib; inherit version; };
 
 assert (versionAtLeast version "4.9");
 
-''
-# Report BUG() conditions and kill the offending process.
-BUG y
-
-${optionalString (versionAtLeast version "4.10") ''
-  BUG_ON_DATA_CORRUPTION y
-''}
-
-${optionalString (stdenv.hostPlatform.platform.kernelArch == "x86_64") ''
-  DEFAULT_MMAP_MIN_ADDR 65536 # Prevent allocation of first 64K of memory
+optionalAttrs (stdenv.hostPlatform.platform.kernelArch == "x86_64") {
+  DEFAULT_MMAP_MIN_ADDR = freeform "65536";  # Prevent allocation of first 64K of memory
 
   # Reduce attack surface by disabling various emulations
-  IA32_EMULATION n
-  X86_X32 n
+  IA32_EMULATION     = no;
+  X86_X32            = no;
   # Note: this config depends on EXPERT y and so will not take effect, hence
   # it is left "optional" for now.
-  MODIFY_LDT_SYSCALL? n
-
-  VMAP_STACK y # Catch kernel stack overflows
+  MODIFY_LDT_SYSCALL = option no;
+  VMAP_STACK         = yes; # Catch kernel stack overflows
 
   # Randomize position of kernel and memory.
-  RANDOMIZE_BASE y
-  RANDOMIZE_MEMORY y
+  RANDOMIZE_BASE   = yes;
+  RANDOMIZE_MEMORY = yes;
 
   # Disable legacy virtual syscalls by default (modern glibc use vDSO instead).
   #
   # Note that the vanilla default is to *emulate* the legacy vsyscall mechanism,
   # which is supposed to be safer than the native variant (wrt. ret2libc), so
   # disabling it mainly helps reduce surface.
-  LEGACY_VSYSCALL_NONE y
-''}
-
-# Safer page access permissions (wrt. code injection).  Default on >=4.11.
-${optionalString (versionOlder version "4.11") ''
-  DEBUG_RODATA y
-  DEBUG_SET_MODULE_RONX y
-''}
-
-# Mark LSM hooks read-only after init.  SECURITY_WRITABLE_HOOKS n
-# conflicts with SECURITY_SELINUX_DISABLE y; disabling the latter
-# implicitly marks LSM hooks read-only after init.
-#
-# SELinux can only be disabled at boot via selinux=0
-#
-# We set SECURITY_WRITABLE_HOOKS n primarily for documentation purposes; the
-# config builder fails to detect that it has indeed been unset.
-${optionalString (versionAtLeast version "4.12") ''
-  SECURITY_SELINUX_DISABLE n
-  SECURITY_WRITABLE_HOOKS? n
-''}
-
-DEBUG_WX y # boot-time warning on RWX mappings
-${optionalString (versionAtLeast version "4.11") ''
-  STRICT_KERNEL_RWX y
-''}
-
-# Stricter /dev/mem
-STRICT_DEVMEM? y
-IO_STRICT_DEVMEM? y
-
-# Perform additional validation of commonly targeted structures.
-DEBUG_CREDENTIALS y
-DEBUG_NOTIFIERS y
-DEBUG_LIST y
-DEBUG_PI_LIST y # doesn't BUG()
-DEBUG_SG y
-SCHED_STACK_END_CHECK y
-
-${optionalString (versionAtLeast version "4.13") ''
-  REFCOUNT_FULL y
-''}
-
-# Perform usercopy bounds checking.
-HARDENED_USERCOPY y
-${optionalString (versionAtLeast version "4.16") ''
-  HARDENED_USERCOPY_FALLBACK n  # for full whitelist enforcement
-''}
-
-# Randomize allocator freelists.
-SLAB_FREELIST_RANDOM y
-
-${optionalString (versionAtLeast version "4.14") ''
-  SLAB_FREELIST_HARDENED y
-''}
-
-# Allow enabling slub/slab free poisoning with slub_debug=P
-SLUB_DEBUG y
-
-# Wipe higher-level memory allocations on free() with page_poison=1
-PAGE_POISONING y
-PAGE_POISONING_NO_SANITY y
-PAGE_POISONING_ZERO y
-
-# Reboot devices immediately if kernel experiences an Oops.
-PANIC_ON_OOPS y
-PANIC_TIMEOUT -1
-
-GCC_PLUGINS y # Enable gcc plugin options
-# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
-GCC_PLUGIN_LATENT_ENTROPY y
-
-${optionalString (versionAtLeast version "4.11") ''
-  GCC_PLUGIN_STRUCTLEAK y # A port of the PaX structleak plugin
-''}
-${optionalString (versionAtLeast version "4.14") ''
-  GCC_PLUGIN_STRUCTLEAK_BYREF_ALL y # Also cover structs passed by address
-''}
-${optionalString (versionAtLeast version "4.20") ''
-  GCC_PLUGIN_STACKLEAK y # A port of the PaX stackleak plugin
-''}
-
-${optionalString (versionAtLeast version "4.13") ''
-  GCC_PLUGIN_RANDSTRUCT y # A port of the PaX randstruct plugin
-  GCC_PLUGIN_RANDSTRUCT_PERFORMANCE y
-''}
-
-# Disable various dangerous settings
-ACPI_CUSTOM_METHOD n # Allows writing directly to physical memory
-PROC_KCORE n # Exposes kernel text image layout
-INET_DIAG n # Has been used for heap based attacks in the past
-
-# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
-${optionalString (versionOlder version "4.18") ''
-  CC_STACKPROTECTOR_REGULAR n
-  CC_STACKPROTECTOR_STRONG y
-''}
-
-# Enable compile/run-time buffer overflow detection ala glibc's _FORTIFY_SOURCE
-${optionalString (versionAtLeast version "4.13") ''
-  FORTIFY_SOURCE y
-''}
-''
+  LEGACY_VSYSCALL_NONE = yes;
+} // {
+  # Report BUG() conditions and kill the offending process.
+  BUG = yes;
+
+  BUG_ON_DATA_CORRUPTION = whenAtLeast "4.10" yes;
+
+  # Safer page access permissions (wrt. code injection).  Default on >=4.11.
+  DEBUG_RODATA          = whenOlder "4.11" yes;
+  DEBUG_SET_MODULE_RONX = whenOlder "4.11" yes;
+
+  # Mark LSM hooks read-only after init.  SECURITY_WRITABLE_HOOKS n
+  # conflicts with SECURITY_SELINUX_DISABLE y; disabling the latter
+  # implicitly marks LSM hooks read-only after init.
+  #
+  # SELinux can only be disabled at boot via selinux=0
+  #
+  # We set SECURITY_WRITABLE_HOOKS n primarily for documentation purposes; the
+  # config builder fails to detect that it has indeed been unset.
+  SECURITY_SELINUX_DISABLE = whenAtLeast "4.12" no;
+  SECURITY_WRITABLE_HOOKS  = whenAtLeast "4.12" (option no);
+
+  DEBUG_WX = yes; # boot-time warning on RWX mappings
+  STRICT_KERNEL_RWX = whenAtLeast "4.11" yes;
+
+  # Stricter /dev/mem
+  STRICT_DEVMEM    = option yes;
+  IO_STRICT_DEVMEM = option yes;
+
+  # Perform additional validation of commonly targeted structures.
+  DEBUG_CREDENTIALS     = yes;
+  DEBUG_NOTIFIERS       = yes;
+  DEBUG_LIST            = yes;
+  DEBUG_PI_LIST         = yes; # doesn't BUG()
+  DEBUG_SG              = yes;
+  SCHED_STACK_END_CHECK = yes;
+
+  REFCOUNT_FULL = whenAtLeast "4.13" yes;
+
+  # Perform usercopy bounds checking.
+  HARDENED_USERCOPY = yes;
+  HARDENED_USERCOPY_FALLBACK = whenAtLeast "4.16" no; # for full whitelist enforcement
+
+  # Randomize allocator freelists.
+  SLAB_FREELIST_RANDOM = yes;
+
+  SLAB_FREELIST_HARDENED = whenAtLeast "4.14" yes;
+
+  # Allow enabling slub/slab free poisoning with slub_debug=P
+  SLUB_DEBUG = yes;
+
+  # Wipe higher-level memory allocations on free() with page_poison=1
+  PAGE_POISONING           = yes;
+  PAGE_POISONING_NO_SANITY = yes;
+  PAGE_POISONING_ZERO      = yes;
+
+  # Reboot devices immediately if kernel experiences an Oops.
+  PANIC_ON_OOPS = yes;
+  PANIC_TIMEOUT = freeform "-1";
+
+  GCC_PLUGINS = yes; # Enable gcc plugin options
+  # Gather additional entropy at boot time for systems that may = no;ot have appropriate entropy sources.
+  GCC_PLUGIN_LATENT_ENTROPY = yes;
+
+  GCC_PLUGIN_STRUCTLEAK = whenAtLeast "4.11" yes; # A port of the PaX structleak plugin
+  GCC_PLUGIN_STRUCTLEAK_BYREF_ALL = whenAtLeast "4.14" yes; # Also cover structs passed by address
+  GCC_PLUGIN_STACKLEAK = whenAtLeast "4.20" yes; # A port of the PaX stackleak plugin
+  GCC_PLUGIN_RANDSTRUCT = whenAtLeast "4.13" yes; # A port of the PaX randstruct plugin
+  GCC_PLUGIN_RANDSTRUCT_PERFORMANCE = whenAtLeast "4.13" yes;
+
+  # Disable various dangerous settings
+  ACPI_CUSTOM_METHOD = no; # Allows writing directly to physical memory
+  PROC_KCORE         = no; # Exposes kernel text image layout
+  INET_DIAG          = no; # Has been used for heap based attacks in the past
+
+  # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
+  CC_STACKPROTECTOR_REGULAR = whenOlder "4.18" no;
+  CC_STACKPROTECTOR_STRONG  = whenOlder "4.18" yes;
+
+  # Enable compile/run-time buffer overflow detection ala glibc's _FORTIFY_SOURCE
+  FORTIFY_SOURCE = whenAtLeast "4.13" yes;
+
+}
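Review bot: The comment at line 297 appears to have been mangled by the same search-and-replace that turned `FOO n` into `FOO = no;`: `# Gather additional entropy at boot time for systems that may = no;ot have appropriate entropy sources.` should read `# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.`. It is harmless to evaluation, but it is the kind of artefact that warrants diffing the new set line by line against the old string config to confirm no option name or value suffered the same substitution (none is visible in the hunk). One structural caveat for future edits: the x86_64-only set is combined with the generic one via `//` at line 237, which silently lets a right-hand key override a same-named left-hand key instead of erroring; no key is present in both today, but a comment such as `# Arch-specific options above, generic below; do not duplicate keys, '//' overrides silently.` next to the `//` would make that explicit.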
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 510018c2301..484a821b94e 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -14757,6 +14757,7 @@ in
   hardenedLinuxPackagesFor = kernel: linuxPackagesFor (kernel.override {
     features.ia32Emulation = false;
     extraConfig = import ../os-specific/linux/kernel/hardened-config.nix {
+    structuredExtraConfig = import ../os-specific/linux/kernel/hardened-config.nix {
       inherit stdenv;
       inherit (kernel) version;
     };
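Review bot: The old `extraConfig = import ../os-specific/linux/kernel/hardened-config.nix {` at line 326 is kept as a context line rather than removed, so the patched text nests the new `structuredExtraConfig = import ... {` inside the argument set of the old `import` and closes only one of the two opening braces; the override either no longer parses or, if the `});` outside the hunk happens to balance it, calls hardened-config.nix with `{ structuredExtraConfig = ...; }` instead of `{ stdenv, version }` and fails at evaluation. Line 326 should be a `-` line so the block reads `structuredExtraConfig = import ../os-specific/linux/kernel/hardened-config.nix { inherit stdenv; inherit (kernel) version; };`. Since hardened-config.nix now returns an attribute set rather than a string, leaving it wired to `extraConfig` would be wrong even if it parsed. The `hardenedLinuxPackagesFor` definition continues past the hunk.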