authorTim Steinbach <tim@nequissimus.com>2017-08-05 15:38:17 -0400
committerTim Steinbach <tim@nequissimus.com>2017-08-06 09:58:02 -0400
commitff10bafd00520510f5c8a9dec4060321477c47d5 (patch)
tree1d05215602f5ff73a1ea31b090c541330b59cef9
parente66c85d1962faa99d323eb8980ddbec16dbd98a3 (diff)
linux: Expand hardened config
Based on latest recommendations at
http://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
-rw-r--r--pkgs/os-specific/linux/kernel/hardened-config.nix85
-rw-r--r--pkgs/os-specific/linux/kernel/linux-hardened-copperhead.nix2
-rw-r--r--pkgs/os-specific/linux/kernel/patches.nix5
-rw-r--r--pkgs/os-specific/linux/kernel/tag-hardened.patch7
-rw-r--r--pkgs/top-level/all-packages.nix5
5 files changed, 78 insertions, 26 deletions
diff --git a/pkgs/os-specific/linux/kernel/hardened-config.nix b/pkgs/os-specific/linux/kernel/hardened-config.nix
index ba5e538c493..7c5593a4df2 100644
--- a/pkgs/os-specific/linux/kernel/hardened-config.nix
+++ b/pkgs/os-specific/linux/kernel/hardened-config.nix
@@ -13,51 +13,90 @@ with stdenv.lib;
 assert (versionAtLeast version "4.9");
 
 ''
-GCC_PLUGINS y # Enable gcc plugin options
+# Report BUG() conditions and kill the offending process.
+BUG y
+
+${optionalString (stdenv.system == "x86_64-linux") ''
+  DEFAULT_MMAP_MIN_ADDR 65536 # Prevent allocation of first 64K of memory
+
+  # Reduce attack surface by disabling various emulations
+  IA32_EMULATION n
+  X86_X32 n
+  MODIFY_LDT_SYSCALL n
+
+  VMAP_STACK y # Catch kernel stack overflows
+
+  # Randomize position of kernel and memory.
+  RANDOMIZE_BASE y
+  RANDOMIZE_MEMORY y
+
+  # Modern libc no longer needs a fixed-position mapping in userspace, remove it as a possible target.
+  LEGACY_VSYSCALL_NONE y
+''}
+
+# Make sure kernel page tables have safe permissions.
+DEBUG_KERNEL y
+
+${optionalString (versionOlder version "4.11") ''
+  DEBUG_RODATA y
+  DEBUG_SET_MODULE_RONX y
+''}
 
 ${optionalString (versionAtLeast version "4.11") ''
   GCC_PLUGIN_STRUCTLEAK y # A port of the PaX structleak plugin
 ''}
 
-DEBUG_WX y # A one-time check for W+X mappings at boot; doesn't do anything beyond printing a warning
+# Report any dangerous memory permissions (not available on all archs).
+DEBUG_WX y
 
-${optionalString (versionAtLeast version "4.10") ''
-  BUG_ON_DATA_CORRUPTION y # BUG if kernel struct validation detects corruption
-''}
+# Do not allow direct physical memory access (but if you must have it, at least enable STRICT mode...)
+# DEVMEM is not set
+STRICT_DEVMEM y
+IO_STRICT_DEVMEM y
 
-# Additional validation of commonly targetted structures
+# Perform additional validation of various commonly targeted structures.
 DEBUG_CREDENTIALS y
 DEBUG_NOTIFIERS y
 DEBUG_LIST y
 DEBUG_SG y
+BUG_ON_DATA_CORRUPTION y
+SCHED_STACK_END_CHECK y
+
+# Provide userspace with seccomp BPF API for syscall attack surface reduction.
+SECCOMP y
+SECCOMP_FILTER y
 
-HARDENED_USERCOPY y # Bounds check usercopy
+# Provide userspace with ptrace ancestry protections.
+SECURITY y
+SECURITY_YAMA y
 
-# Wipe on free with page_poison=1
+# Perform usercopy bounds checking.
+HARDENED_USERCOPY y
+
+# Randomize allocator freelists.
+SLAB_FREELIST_RANDOM y
+
+# Wipe higher-level memory allocations when they are freed (needs "page_poison 1" command line below).
+# (If you can afford even more performance penalty, leave PAGE_POISONING_NO_SANITY n)
 PAGE_POISONING y
 PAGE_POISONING_NO_SANITY y
 PAGE_POISONING_ZERO y
 
-CC_STACKPROTECTOR_REGULAR n
-CC_STACKPROTECTOR_STRONG y
+# Reboot devices immediately if kernel experiences an Oops.
+PANIC_ON_OOPS y
+PANIC_TIMEOUT -1
 
-# Stricter /dev/mem
-STRICT_DEVMEM y
-IO_STRICT_DEVMEM y
+# Keep root from altering kernel memory via loadable modules.
+# MODULES is not set
+
+GCC_PLUGINS y # Enable gcc plugin options
 
 # Disable various dangerous settings
 ACPI_CUSTOM_METHOD n # Allows writing directly to physical memory
 PROC_KCORE n # Exposes kernel text image layout
 INET_DIAG n # Has been used for heap based attacks in the past
 
-${optionalString (stdenv.system == "x86_64-linux") ''
-  DEFAULT_MMAP_MIN_ADDR 65536 # Prevent allocation of first 64K of memory
-
-  # Reduce attack surface by disabling various emulations
-  IA32_EMULATION n
-  X86_X32 n
-
-  VMAP_STACK y # Catch kernel stack overflows
-''}
-
+# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
+CC_STACKPROTECTOR_REGULAR n
+CC_STACKPROTECTOR_STRONG y
 ''
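Review bot: `# MODULES is not set` and `# DEVMEM is not set` are plain comments in this extraConfig format (the file already uses `#` for comments, e.g. `GCC_PLUGINS y # Enable gcc plugin options`), so neither option is actually switched off and the heading "Keep root from altering kernel memory via loadable modules" promises a restriction the config does not apply. If modules must stay enabled, say so explicitly and drop the Kconfig-style line, e.g. `# MODULES stays y (loadable modules are required here); module loading is not restricted by this config.`, and do the same for DEVMEM next to `STRICT_DEVMEM y`; if they are meant to be off, write `MODULES n` / `DEVMEM n` as real option lines. The PAGE_POISONING comment also points to a `page_poison 1` command line "below", but nothing below sets any boot parameter; the old comment spelled it `page_poison=1`, and the note should say that this kernel parameter still has to be passed at boot for the poisoning to take effect. The enclosing function header of this Nix file lies outside the hunk.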
diff --git a/pkgs/os-specific/linux/kernel/linux-hardened-copperhead.nix b/pkgs/os-specific/linux/kernel/linux-hardened-copperhead.nix
index a46e48a3e11..fe18319dec0 100644
--- a/pkgs/os-specific/linux/kernel/linux-hardened-copperhead.nix
+++ b/pkgs/os-specific/linux/kernel/linux-hardened-copperhead.nix
@@ -9,7 +9,7 @@ in
 import ./generic.nix (args // {
   version = "${version}-${revision}";
   extraMeta.branch = "4.12";
-  modDirVersion = "${version}";
+  modDirVersion = "${version}-hardened";
 
   src = fetchFromGitHub {
     inherit sha256;
diff --git a/pkgs/os-specific/linux/kernel/patches.nix b/pkgs/os-specific/linux/kernel/patches.nix
index 1747d34fe11..4c78928a99a 100644
--- a/pkgs/os-specific/linux/kernel/patches.nix
+++ b/pkgs/os-specific/linux/kernel/patches.nix
@@ -156,4 +156,9 @@ rec {
         sha256 = "10dmv3d3gj8rvj9h40js4jh8xbr5wyaqiy0kd819mya441mj8ll2";
       };
     };
+
+  tag_hardened = rec {
+    name = "tag-hardened";
+    patch = ./tag-hardened.patch;
+  };
 }
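Review bot: `rec` on `tag_hardened` is unnecessary because neither attribute refers to the other; `tag_hardened = { name = "tag-hardened"; patch = ./tag-hardened.patch; };` is equivalent and matches the intent better. The `-hardened` suffix this patch writes into localversion-hardened presumably has to agree with `modDirVersion = "${version}-hardened"` in linux-hardened-copperhead.nix, so a cross-reference would help the next person who changes either side, e.g. `# Appends "-hardened" to the kernel release string; keep in sync with modDirVersion in linux-hardened-copperhead.nix.`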
diff --git a/pkgs/os-specific/linux/kernel/tag-hardened.patch b/pkgs/os-specific/linux/kernel/tag-hardened.patch
new file mode 100644
index 00000000000..ff8a3a12797
--- /dev/null
+++ b/pkgs/os-specific/linux/kernel/tag-hardened.patch
@@ -0,0 +1,7 @@
+diff --git a/localversion-hardened b/localversion-hardened
+new file mode 100644
+index 0000000000..e578045860
+--- /dev/null
++++ b/localversion-hardened
+@@ -0,0 +1 @@
++-hardened
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 9275d075af7..e388941e5d0 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -1338,7 +1338,7 @@ with pkgs;
 
   clementine = callPackage ../applications/audio/clementine {
     boost = boost155;
-    gst_plugins = 
+    gst_plugins =
       with gst_all_1; [ gst-plugins-base gst-plugins-good gst-plugins-ugly ];
   };
 
@@ -12040,10 +12040,11 @@ with pkgs;
       kernelPatches.p9_fixes
       kernelPatches.modinst_arg_list_too_long
       kernelPatches.cpu-cgroup-v2."4.11"
+      kernelPatches.tag_hardened
     ];
     extraConfig = import ../os-specific/linux/kernel/hardened-config.nix {
       inherit stdenv;
-      inherit (linux) version;
+      inherit (linux_hardened_copperhead) version;
     };
   };