Diffstat (limited to 'pkgs/os-specific/linux/kernel/hardened-config.nix')
-rw-r--r-- | pkgs/os-specific/linux/kernel/hardened-config.nix | 25 |
1 files changed, 14 insertions, 11 deletions
diff --git a/pkgs/os-specific/linux/kernel/hardened-config.nix b/pkgs/os-specific/linux/kernel/hardened-config.nix
index 7e277617b61..309b5f6c74e 100644
--- a/pkgs/os-specific/linux/kernel/hardened-config.nix
+++ b/pkgs/os-specific/linux/kernel/hardened-config.nix
@@ -103,16 +103,17 @@ PAGE_POISONING_ZERO y
 PANIC_ON_OOPS y
 PANIC_TIMEOUT -1
-GCC_PLUGINS y # Enable gcc plugin options
+${optionalString (versionOlder version "4.18") ''
+ GCC_PLUGINS y # Enable gcc plugin options
+ # Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
+ GCC_PLUGIN_LATENT_ENTROPY y
-# Gather additional entropy at boot time for systems that may not have appropriate entropy sources.
-GCC_PLUGIN_LATENT_ENTROPY y
-
-${optionalString (versionAtLeast version "4.11") ''
- GCC_PLUGIN_STRUCTLEAK y # A port of the PaX structleak plugin
-''}
-${optionalString (versionAtLeast version "4.14") ''
- GCC_PLUGIN_STRUCTLEAK_BYREF_ALL y # Also cover structs passed by address
+ ${optionalString (versionAtLeast version "4.11") ''
+ GCC_PLUGIN_STRUCTLEAK y # A port of the PaX structleak plugin
+ ''}
+ ${optionalString (versionAtLeast version "4.14") ''
+ GCC_PLUGIN_STRUCTLEAK_BYREF_ALL y # Also cover structs passed by address
+ ''}
 ''}
 # Disable various dangerous settings
@@ -121,8 +122,10 @@ PROC_KCORE n # Exposes kernel text image layout
 INET_DIAG n # Has been used for heap based attacks in the past
 # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
-CC_STACKPROTECTOR_REGULAR n
-CC_STACKPROTECTOR_STRONG y
+${optionalString (versionOlder version "4.18") ''
+ CC_STACKPROTECTOR_REGULAR n
+ CC_STACKPROTECTOR_STRONG y
+''}
 # Enable compile/run-time buffer overflow detection ala glibc's _FORTIFY_SOURCE
 ${optionalString (versionAtLeast version "4.13") '' |
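Review bot: Both hunks switch a hardening option off for kernels 4.18 and newer without enabling its replacement, so on those versions the hardened profile silently loses its explicit stack-protector setting and all of the gcc-plugin hardening. Linux 4.18 renamed CC_STACKPROTECTOR_REGULAR/CC_STACKPROTECTOR_STRONG to STACKPROTECTOR/STACKPROTECTOR_STRONG, so the second hunk needs a matching `${optionalString (versionAtLeast version "4.18") ''` branch containing `STACKPROTECTOR y` and `STACKPROTECTOR_STRONG y`; as written, the comment `# Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.` sits above an empty string for 4.18+ and the outcome depends on upstream defaults instead of this file. In the first hunk the latent-entropy and structleak plugins still exist in 4.18, so if they are being cut off only because plugin building broke on newer kernels rather than because the options went away, that should be recorded next to the new `versionOlder` guard, e.g. `# FIXME: gcc plugins disabled on >= 4.18 until <reason>`, so the lost hardening gets revisited. The enclosing `''` config string begins before the first hunk and continues past the second.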